red hat 9 stack pointer
hello all -
I posted this in the Red Hat forum but didn't get any response, so I thought I would try here. This question is related to some strange behavior I have seen while trying to write a stack exploit on Red Hat 9. In Red Hat 8 and other distributions, a program will basically always have the same stack pointer (unless the env changes). sp is a little program that prints out the stack pointer. Three runs on a Red Hat 8 distro yield the following results:

bash-2.04$ ./sp
0xbffffaa8
bash-2.04$ ./sp
0xbffffaa8
bash-2.04$ ./sp
0xbffffaa8
bash-2.04$

A default Red Hat 9 instance exhibits totally different behavior - the stack pointer constantly changes.

[jonb@fela bufferoverflow]$ ./sp
0xbfffe5b8
[jonb@fela ]$ ./sp
0xbfffe238
[jonb@fela ]$ ./sp
0xbfffdcb8
[jonb@fela ]$ ./sp
0xbfffde38
[jonb@fela ]$ ./sp
0xbfffdfb8
[jonb@fela ]$

Any idea what causes this and if it can be turned off? Is this actually a kernel configuration issue? Cheers.
It may be related to ExecShield (?) if that was in Redhat 9. Just be glad they do not use PaX ;). The class of exploit you are trying to pull off (or at least, the class of exploit it sounds like) may still be fairly trivial depending on what other randomisation ExecShield incorporates and how much (it does not appear to perform that much).
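An added example, not code from either poster: a self-contained reproduction of the "sp" check that also spawns a few fresh processes and counts how many distinct stack bases they get, which is the quick way to tell a fixed-stack system (the Red Hat 8 runs above) from one with stack randomisation active (the Red Hat 9 runs). It assumes GCC or Clang for __builtin_frame_address and Linux for /proc/self/maps.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Same idea as the poster's "sp": the stack pointer of the current frame (GCC/Clang builtin, assumed). */
static uintptr_t current_sp(void) { return (uintptr_t)__builtin_frame_address(0); }

/* Parse an "./sp"-style line such as "0xbfffe5b8"; returns 0 if no hex address is present. */
static uintptr_t parse_sp(const char *s)
{
    char *end; unsigned long long v = strtoull(s, &end, 16);
    return end == s ? 0 : (uintptr_t)v;
}

/* Distinct values among n samples; 1 means every run saw the same stack address. */
static int count_distinct(const uintptr_t *v, int n)
{
    int d = 0, i, j;
    for (i = 0; i < n; i++) {
        for (j = 0; j < i && v[j] != v[i]; j++) ;
        d += (j == i);
    }
    return d;
}

/* Spawn n fresh processes via popen() and record where each child's [stack] was
 * mapped; every exec() gets a new layout, so this mirrors running ./sp n times.
 * Linux-only (reads /proc); returns -1 if that is unavailable. */
static int child_stack_bases(int n, uintptr_t *out)
{
    char line[256];
    for (int i = 0; i < n; i++) {
        FILE *p = popen("cat /proc/self/maps", "r");
        if (!p) return -1;
        for (out[i] = 0; fgets(line, sizeof line, p); )
            if (strstr(line, "[stack]")) out[i] = parse_sp(line);
        pclose(p);
        if (out[i] == 0) return -1;
    }
    return n;
}

int main(void)
{
    uintptr_t b[5];
    int d = child_stack_bases(5, b) < 0 ? -1 : count_distinct(b, 5);
    printf("sp=0x%lx, distinct child stack bases: %d (%s)\n", (unsigned long)current_sp(), d,
           d > 1 ? "randomised" : d == 1 ? "fixed, Red Hat 8 style" : "no /proc available");
    return 0;
}
```

On a kernel with stack randomisation the child count comes out above 1 almost every time; on a fixed-layout kernel it stays at 1, exactly like the repeated 0xbffffaa8 in the Red Hat 8 output.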