Re: 'Return to libc' exploit

From: Marco Peereboom (slashpeereboom.us)
Date: Sun Aug 15 2004 - 00:37:54 CDT


OpenBSD randomizes addresses for dynamic libraries; therefore it is a
whole lot harder to guess, for example, the address of system() in libc.
Theo wrote an awesome presentation where he explains this. See
http://www.openbsd.org/papers/bsdcan04/

Return to libc is trivial on a lot of arches, not so much with OpenBSD.
Read the presentation and it'll make sense.

Create a program with a system("/bin/sh") call and follow it with gdb.
You'll see that the actual call ends up elsewhere every time. Do the
same thing on a Linux box and compare the results.

On Aug 14, 2004, at 9:22 PM, Dave Feustel wrote:

> I am pretty sure that my user account on my 3.4 system
> has been hacked, most likely as a result of a KDE or X11
> vulnerability. _The Shellcoder's Handbook_ mentions
> a 'return to libc' method of overcoming non-executable
> stacks implemented in OpenBSD, etc. Is there a defense
> needed against use of 'return to libc'?
>
> Thanks,
> Dave Feustel 260-422-5330
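The check Marco suggests, as an added example (this is not code from the mail or from the OpenBSD project): a small C program that prints where system() landed in its own address space, re-executes itself a few times and counts how many distinct system() addresses the child runs report. It also prints the distance from system() to printf(), which stays the same from run to run: randomizing where libc is placed hides the absolute address of system(), but not its offset from any other libc pointer, so a single leaked libc address still lets an attacker compute system(). The program name probe.c, the --once flag and the eight child runs are choices made for this example; it assumes a POSIX system with a C compiler and popen(3), and it should be built as PIE, since in a non-PIE build &system can resolve to the executable's own PLT stub, which never moves.

```c
/* probe.c: where did system() end up in this process?  Added example, not
 * from the original mail.  Build: cc -fPIE -pie -o probe probe.c
 * Run:   ./probe   (runs itself 8 more times and compares the results)
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define RUNS 8   /* number of child runs; an arbitrary choice for this example */

/* Address of system() as mapped in this process.  On a system that
 * randomizes library placement this differs between runs; otherwise it is
 * the same every time. */
uintptr_t system_address(void)
{
    return (uintptr_t)system;
}

/* Distance from system() to another libc entry point given by its address.
 * Only the base of the shared object moves, so this difference is constant
 * across runs: leaking one libc pointer is enough to locate system(). */
intptr_t system_offset_from(uintptr_t ref)
{
    return (intptr_t)(system_address() - ref);
}

/* Number of distinct values among v[0..n-1] (n is small, so O(n^2) is fine). */
size_t count_distinct(const uintptr_t *v, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j;
        for (j = 0; j < i; j++)
            if (v[j] == v[i])
                break;
        if (j == i)
            distinct++;
    }
    return distinct;
}

int main(int argc, char **argv)
{
    /* Child mode: print our own system() address and exit. */
    if (argc > 1 && strcmp(argv[1], "--once") == 0) {
        printf("0x%lx\n", (unsigned long)system_address());
        return 0;
    }

    /* Parent mode: run ourselves RUNS times and collect what each child saw. */
    uintptr_t seen[RUNS];
    size_t n = 0;
    char cmd[512], line[64];
    snprintf(cmd, sizeof cmd, "\"%s\" --once", argv[0]);
    for (int i = 0; i < RUNS; i++) {
        FILE *p = popen(cmd, "r");
        if (p == NULL)
            return 1;
        if (fgets(line, sizeof line, p) != NULL)
            seen[n++] = (uintptr_t)strtoull(line, NULL, 0);
        pclose(p);
    }

    printf("this run:  system() at 0x%lx, system() - printf() = %ld\n",
           (unsigned long)system_address(),
           (long)system_offset_from((uintptr_t)printf));
    printf("%zu child runs reported %zu distinct system() address(es)\n",
           n, count_distinct(seen, n));
    return 0;
}
```

On a system that randomizes library placement the child runs report several distinct addresses (run it on OpenBSD and on a Linux box with ASLR on or off and compare), while the system() - printf() delta printed in the first line never changes. That constant delta is the reason library randomization raises the bar for return-to-libc but does not close it on its own.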