Hi Guys,
This is my first post and I'm a relative newbie to Linux, so please go gentle on me.
Sorry for the length, but I feel it necessary to explain the background. If you're not interested, please skip the next paragraphs and hop to the question toward the bottom, which ultimately is pretty simple, although the answer seems impossible to find!
OK, I'm an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham I set about testing ASLR on Linux. Principally I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writing a little concurrent server daemon which accidentally on purpose didn't do bounds checking. I then wrote a client to send it a malicious string brute forcing guessed addresses, which caused a return-to-libc to the function usleep with a parameter of 16m, causing a delay of 16 seconds as laid out in http://www.stanford.edu/~blp/papers/asrandom.pdf. Once I hit the delay I knew I had found the function and could calculate delta_mmap, allowing me to create a standard chained ret-to-libc attack. All of that works fine. However ....
To complete my understanding I am trying to establish where I can find the standard base address for Ubuntu 9 (and other distros) for the following, taken from Shacham:
Quote:
address = baseaddress + offset + delta_mmap

where
address = the address of some libc function, such as usleep
baseaddress = the standard base address for mapped memory
delta_mmap = in the paper this refers to the random offset generated by PaX; however, I don't think Ubuntu uses PaX, so I suspect this will be whatever entropy the standard kernel uses (which is why I am posting on this board)
/proc/uid/maps gives me some information but not the base address.
ldd also gives me the randomised starting address for sections in the user address space, but neither gives me the base address.
Interestingly ... when I ran ldd on a process with ASLR on about 100 times, checking the start point of libc for each, I determined that the last 3 (least significant) hex digits were always 0's and the first 4 (most significant) were between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized, with bits 0-11 fixed. Although that doesn't define the boundaries observed correctly.
Either way, I am confused.
QUESTION: How can I find the exact starting address from which libc is randomized?
Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and, if needed, I could reply from my .ac.uk email address as verification.
Thanks guys, I have read from this forum a lot but never posted here before.
Take care
Nullprocess
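
The ldd sampling described in the post can be turned into a repeatable measurement. The script below is an added example, not part of the original post: it parses libc load addresses out of ldd output and reports both the mask of bits that ever changed and the min/max span in pages, two views that do not have to agree. The five sample ldd lines are constructed, using addresses inside the range the post reports; the function names are hypothetical.

```python
import math
import re

# ldd prints e.g. "libc.so.6 => /lib/libc.so.6 (0xb7e4a000)"; capture the address.
LDD_LIBC = re.compile(r"libc\.so\.\d+\s+=>\s+\S+\s+\((0x[0-9a-fA-F]+)\)")

def libc_bases(ldd_outputs):
    """Extract one libc load address per ldd run; runs without libc are skipped."""
    bases = []
    for text in ldd_outputs:
        m = LDD_LIBC.search(text)
        if m:
            bases.append(int(m.group(1), 16))
    return bases

def analyze(bases, page_shift=12):
    """Summarize which address bits changed across the sampled load addresses."""
    if not bases:
        raise ValueError("no libc addresses found in the samples")
    varying = 0
    for b in bases:
        varying |= b ^ bases[0]          # a bit is set if it ever differed
    lo, hi = min(bases), max(bases)
    span_pages = ((hi - lo) >> page_shift) + 1
    return {
        "min": lo,
        "max": hi,
        "page_aligned": all(b & ((1 << page_shift) - 1) == 0 for b in bases),
        "varying_mask": varying,
        "varying_bits": bin(varying).count("1"),
        "span_pages": span_pages,        # lower bound: only as wide as the samples
        "span_bits": math.log2(span_pages),
    }

# Constructed sample: five ldd runs with addresses inside the range reported above.
SAMPLE_RUNS = [
    "\tlibc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x%08x)\n" % a
    for a in (0xB7D70000, 0xB7E4A000, 0xB7F9F000, 0xB7DB3000, 0xB7F01000)
]

if __name__ == "__main__":
    r = analyze(libc_bases(SAMPLE_RUNS))
    print("range        0x%08x .. 0x%08x" % (r["min"], r["max"]))
    print("varying mask 0x%08x (%d bits)" % (r["varying_mask"], r["varying_bits"]))
    print("span         %d pages (~%.2f bits)" % (r["span_pages"], r["span_bits"]))
```

On the constructed sample the mask covers bits 12-21, while the observed span is 560 pages, fewer than the 1024 a full 10-bit field would allow.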