-   Linux - Security (
-   -   Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address (

nullprocess 09-14-2009 10:49 AM

Address Space Randomization on 2.6.28-15-generic ubuntu 9.04. Finding base address
Hi Guys,

This is my first post and Im a relative newbie to Linux so please go gentle on me. Sorry for the length but I feel it necessary to explain the background. If your not interested please skip the next paragraphs and hop to the question toward the bottom, which ulimately is pretty simple, altough the answer seems impossible to find!

Ok, Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking. I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However ....

To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
address = baseaddress + ofset + delta_mmap
where address= the address of some libc function, such as usleep
baseaddress = the standard base address for mapped memmory
ofset = the position of the library function from the randomized start of libc
delta_mmap = in the paper this refers to the random offset generated by PaX however I dont think ubuntu uses PaX so suspect this will be whatever ethropy the standard kernel uses

/proc/uid/maps gives me some information but not the base address
ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address.

Intrestingly ... when a run ldd with aslr on for over (about) 100 times and checked the start point of libc I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesnt define the boundaries observed correctly.

Either way, I am confused. QUESTION How can I find the exact starting address from which libc is randomized?

Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my email address as verification.

Thank guys, I have read from this forum a lot but never posted here before.

Take care


win32sux 09-15-2009 12:56 AM

nullprocess, even if we could verify that you're doing this for academic and/or IDS signature development purposes, we'd still be unable to let this thread continue. What you're asking for is essentially assistance writing your attack code, and LQ members would be in violation of the LQ Rules if they'd give you a hand with this. Thread closed.

All times are GMT -5. The time now is 06:26 PM.