LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Closed Thread
 
Search this Thread
Old 09-14-2009, 11:49 AM   #1
nullprocess
LQ Newbie
 
Registered: Sep 2009
Posts: 3

Rep: Reputation: 0
Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address


Hi Guys,

This is my first post and Im a relative newbie to Linux so please go gentle on me. Sorry for the length but I feel it necessary to explain the background. If your not interested please skip the next paragraphs and hop to the question toward the bottom, which ulimately is pretty simple, altough the answer seems impossible to find!

Ok, Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking. I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in http://www.stanford.edu/~blp/papers/asrandom.pdf. Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However ....

To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
address = baseaddress + ofset + delta_mmap
:
where address= the address of some libc function, such as usleep
baseaddress = the standard base address for mapped memmory
ofset = the position of the library function from the randomized start of libc
delta_mmap = in the paper this refers to the random offset generated by PaX however I dont think ubuntu uses PaX so suspect this will be whatever ethropy the standard kernel uses

/proc/uid/maps gives me some information but not the base address
ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address.

Intrestingly ... when a run ldd with aslr on for over (about) 100 times and checked the start point of libc I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesnt define the boundaries observed correctly.

Either way, I am confused. QUESTION How can I find the exact starting address from which libc is randomized?

Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.

Thank guys, I have read from this forum a lot but never posted here before.

Take care

Nullprocess

Last edited by nullprocess; 09-14-2009 at 11:57 AM.
 
Old 09-15-2009, 01:56 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
nullprocess, even if we could verify that you're doing this for academic and/or IDS signature development purposes, we'd still be unable to let this thread continue. What you're asking for is essentially assistance writing your attack code, and LQ members would be in violation of the LQ Rules if they'd give you a hand with this. Thread closed.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Getting Base Address of Dynamic Library Damaged Soul Programming 11 12-13-2010 02:28 PM
Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address nullprocess Linux - Kernel 1 09-14-2009 09:31 PM
Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address nullprocess Linux - Kernel 0 09-14-2009 11:45 AM
Finding Ip address with Mac address rupeshdwivedi Linux - Networking 6 09-01-2005 08:44 AM
base address and port address Nodren Linux - Hardware 0 08-30-2004 03:54 PM


All times are GMT -5. The time now is 05:53 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration