LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software > Linux - Kernel
User Name
Password
Linux - Kernel This forum is for all discussion relating to the Linux kernel.

Notices


Closed Thread
  Search this Thread
Old 09-14-2009, 11:36 AM   #1
nullprocess
LQ Newbie
 
Registered: Sep 2009
Posts: 3

Rep: Reputation: 0
Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address


Hi Guys,

This is my first post and Im a relative newbie to Linux so please go gentle on me Sorry for the length but I feel it necessary to explain the background. If your not interested please skip the next paragraphs and hop to the question toward the bottom, which ulimately is pretty simple, altough the answer seems impossible to find!

Ok, Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking. I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in http://www.stanford.edu/~blp/papers/asrandom.pdf. Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However ....

To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
address = baseaddress + ofset + delta_mmap
:
where address= the address of some libc function, such as usleep
baseaddress = the standard base address for mapped memmory
delta_mmap = in the paper this refers to the random offset generated by PaX however I dont think ubuntu uses PaX so suspect this will be whatever ethropy the standard kernel uses (which is why I am posting on this board)

/proc/uid/maps gives me some information but not the base address
ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address.

Intrestingly ... when I ran ldd on a process with aslr on for about 100 times checking the start point of libc for each, I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed, bits 12-21 were randomized with bits 0-11 fixed. Although that doesnt define the boundaries observed correctly.

Either way, I am confused. QUESTION How can I find the exact starting address from which libc is randomized?

Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.

Thank guys, I have read from this forum a lot but never posted here before.

Take care

Nullprocess

Last edited by nullprocess; 09-14-2009 at 11:41 AM.
 
Old 09-14-2009, 09:31 PM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Rep: Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556Reputation: 556
This duplicate will be closed. Please carry on the discussion over here: http://www.linuxquestions.org/questi...1/#post3682394

Thanks,
Sasha
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Getting Base Address of Dynamic Library Damaged Soul Programming 11 12-13-2010 02:28 PM
via686a base address not set error in dmesg on boot srf21c Linux - Hardware 2 02-03-2007 08:28 AM
Finding Ip address with Mac address rupeshdwivedi Linux - Networking 6 09-01-2005 08:44 AM
how to get ip address, broadcast address, mac address of a machine sumeshstar Programming 2 03-12-2005 05:33 AM
base address and port address Nodren Linux - Hardware 0 08-30-2004 03:54 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software > Linux - Kernel

All times are GMT -5. The time now is 01:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration