Hemmann, Volker Armin wrote:
> to do this fancy jump-around stuff, you need to know exactly where which
> snippet resides in ram - one error and all your work is lost.
>
> So, and because on gentoo everything is compiled by yourself with a little bit
> different setting like the next gentoo user, it is a lot harder to guess the
> correct addresses. Not like the binary distributions, where one is laid out
> like the other.

Well, let's find out. On my home system, I did this:

strace gzip > /dev/null
hit ctrl-c
find the mmap that maps /lib/libc.so.6 by:
- find the open call that opens libc, note that the open call returns
  the file descriptor
- find the next mmap that acts on that fd (second to last argument
  to mmap)
- mmap returns the address it mmapped to

Short excerpt:
$ strace gzip > /dev/null
[...snip...]
open("/lib/libc.so.6", O_RDONLY) = 3
[... reads, lseeks and fstats snipped ...]
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
[...snip...]

I got 0x2aaaaabc1000 on my machine, I would be interested to know what
your machine did. But judging from the fact that the people from
hardened added address space layout randomization, I'd guess we're going
to get the same address or something that varies but not very randomly
(low entropy). Make sure that you test with gzip though, other apps will
have slightly different addresses as they seem to load libs in a
different order -- this won't help though, as an exploit will be
targeted at a specific app.

But I'm still interested if we all get the same addresses or slightly
different.

Marco
--
gentoo-amd64@g.o mailing list
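The manual procedure in the post (find the open() of libc, note the fd it returned, take the next mmap() on that fd, read the address mmap returned) is easy to automate, which is what one wants when comparing many runs or many machines to see whether the libc base actually moves. The script below is an added example written for this page, not code from the post or from Gentoo; it parses strace output with that exact rule, re-joins a syscall line that a mail client wrapped (as the mmap() line in the post was), and then reports how many distinct bases a set of runs produced and how many page-granular bits that spread covers, as a rough upper bound on the entropy the randomization delivered. All four traces are constructed sample data; RUN_1 is modelled on the excerpt in the post, the others assume an openat()-style trace, an unrelated earlier mmap, and a static binary. Multi-threaded "unfinished/resumed" strace lines are not handled.

```python
"""Find the libc base in strace output and compare it across runs (added example)."""
import re

SYSCALL_START = re.compile(r'^[a-z_][a-z0-9_]*\(')
COMPLETE = re.compile(r'\)\s*=\s*\S')            # a finished line has ") = <retval>"
# open()/openat() of a libc.so path that succeeded (non-negative fd returned)
OPEN_RE = re.compile(r'^open(?:at)?\((?:[^,]*,\s*)?"([^"]*libc\.so[^"]*)".*\)\s*=\s*(\d+)\s*$')
MMAP_RE = re.compile(r'^mmap\(([^)]*)\)\s*=\s*(0x[0-9a-fA-F]+)\s*$')
CLOSE_RE = re.compile(r'^close\((\d+)\)')


def join_wrapped(text):
    """One record per syscall; a line that was wrapped mid-call is re-joined."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (records and SYSCALL_START.match(records[-1])
                and not COMPLETE.search(records[-1])
                and not SYSCALL_START.match(line)):
            records[-1] += ' ' + line            # continuation of an unfinished call
        else:
            records.append(line)
    return records


def libc_base(strace_text):
    """Address of the first mmap() of libc, or None if libc is never opened."""
    fd = None
    for rec in join_wrapped(strace_text):
        m = OPEN_RE.match(rec)
        if m:
            fd = m.group(2)                      # the fd open() returned
            continue
        if fd is None:
            continue
        c = CLOSE_RE.match(rec)
        if c and c.group(1) == fd:
            fd = None                            # closed before any mmap: start over
            continue
        m = MMAP_RE.match(rec)
        if m:
            args = [a.strip() for a in m.group(1).split(',')]
            # mmap(addr, length, prot, flags, fd, offset): fd is second to last
            if len(args) == 6 and args[-2] == fd:
                return int(m.group(2), 16)
    return None


def summarize(bases):
    """Distinct bases seen, and bits needed to express their spread (4 KiB pages)."""
    if not bases:
        return {'runs': 0, 'distinct': 0, 'varying_bits': 0}
    spread_pages = (max(bases) - min(bases)) >> 12
    return {'runs': len(bases), 'distinct': len(set(bases)),
            'varying_bits': spread_pages.bit_length()}


# Constructed sample traces (not real captures).  RUN_1 mirrors the post's
# excerpt, including the mmap() line wrapped across two lines by the mailer.
RUN_1 = """
$ strace gzip > /dev/null
[...snip...]
open("/lib/libc.so.6", O_RDONLY) = 3
[... reads, lseeks and fstats snipped ...]
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
0) = 0x2aaaaabc1000
[...snip...]
"""
# Constructed: openat() style, a failed probe path first, base 64 KiB away.
RUN_2 = """
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=2248680, ...}) = 0
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabd1000
close(3) = 0
"""
# Constructed: fd 3 is reused; an earlier mmap and an anonymous mmap must be ignored.
RUN_3 = """
open("/etc/ld.so.cache", O_RDONLY) = 3
mmap(NULL, 12345, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2aaaaaac1000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2aaaaaac5000
mmap(NULL, 2248680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2aaaaabc1000
close(3) = 0
"""
# Constructed: a statically linked program never opens libc.
RUN_STATIC = """
execve("./hello", ["./hello"], [/* 10 vars */]) = 0
brk(NULL) = 0x555555559000
"""

if __name__ == '__main__':
    bases = [libc_base(t) for t in (RUN_1, RUN_2, RUN_3)]
    print([hex(b) for b in bases], summarize(bases), libc_base(RUN_STATIC))
```

To use it on real data, capture each run with `strace -o run-N.txt gzip > /dev/null`, read the files, and feed the texts to libc_base() and summarize(); a result of one distinct base over many runs, or a varying_bits value far below what the kernel advertises, is the "same address or low entropy" outcome the post is probing for.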