Despite the randomization between runs, notice how similar the address
in ESP is to the address of the buffer (the address the program prints as
"buffer is at"). This makes sense, since the stack pointer points to the stack
and the buffer is on the stack. ESP's value and the buffer's address are shifted
by the same random value, because they are relative to each other.
GDB's stepi command steps the program forward in execution by a single
instruction. Using this, we can check ESP's value after the ret instruction has
executed.
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/reader/booksrc/aslr_demo
buffer is at 0xbfd1ccb0
Breakpoint 1, 0x080483fa in main (argc=134513588, argv=0x1) at aslr_demo.c:12
12 }
(gdb) i r esp
esp 0xbfd1ccfc 0xbfd1ccfc
(gdb) stepi
0xb7e4debc in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
(gdb) i r esp
esp 0xbfd1cd00 0xbfd1cd00
(gdb) x/24x 0xbfd1ccb0
0xbfd1ccb0: 0x00000000 0x080495cc 0xbfd1ccc8 0x08048291
0xbfd1ccc0: 0xb7f3d729 0xb7f74ff4 0xbfd1ccf8 0x08048429
0xbfd1ccd0: 0xb7f74ff4 0xbfd1cd8c 0xbfd1ccf8 0xb7f74ff4
0xbfd1cce0: 0xb7f937b0 0x08048410 0x00000000 0xb7f74ff4
0xbfd1ccf0: 0xb7f9fce0 0x08048410 0xbfd1cd58 0xb7e4debc
0xbfd1cd00: 0x00000001 0xbfd1cd84 0xbfd1cd8c 0xb7fa0898
(gdb) p 0xbfd1cd00 - 0xbfd1ccb0
$1 = 80
(gdb) p 80/4
$2 = 20
(gdb)
Single stepping shows that the ret instruction increases the value of ESP by
4. Subtracting the address of the buffer from the value of ESP, we find that ESP
is pointing 80 bytes (or 20 words) from the start of the buffer. Since the return
address's offset was 19 words, this means that after main's final ret instruction,
ESP points to the stack memory found directly after the return address. This would
be useful if there were a way to control EIP to go where ESP is pointing instead.
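The offset arithmetic above can be checked mechanically. The following script is an added example and is not code from the book; it parses the x/24x dump from the GDB session into a word table, confirms that the word 19 words past the buffer holds the address stepi landed at (0xb7e4debc, inside __libc_start_main), and verifies that the ret instruction moved ESP from that return-address slot to the next word. The sample dump and register values are copied from the session shown above; the function names are this example's own.

```python
import re

# Sample input, copied from the GDB session above (constructed for this example).
BUFFER_ADDR = 0xbfd1ccb0      # printed by aslr_demo as "buffer is at ..."
ESP_BEFORE_RET = 0xbfd1ccfc   # "i r esp" at the breakpoint on main's ret
ESP_AFTER_RET = 0xbfd1cd00    # "i r esp" after stepi
RET_TARGET = 0xb7e4debc       # where stepi landed: inside __libc_start_main

GDB_DUMP = """\
0xbfd1ccb0: 0x00000000 0x080495cc 0xbfd1ccc8 0x08048291
0xbfd1ccc0: 0xb7f3d729 0xb7f74ff4 0xbfd1ccf8 0x08048429
0xbfd1ccd0: 0xb7f74ff4 0xbfd1cd8c 0xbfd1ccf8 0xb7f74ff4
0xbfd1cce0: 0xb7f937b0 0x08048410 0x00000000 0xb7f74ff4
0xbfd1ccf0: 0xb7f9fce0 0x08048410 0xbfd1cd58 0xb7e4debc
0xbfd1cd00: 0x00000001 0xbfd1cd84 0xbfd1cd8c 0xb7fa0898
"""

WORD = 4  # 32-bit x86: one stack word is four bytes

# One line of `x/Nx` output: "<row address>: <word> <word> ..."
_LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):((?:\s+0x[0-9a-fA-F]+)+)\s*$")


def parse_gdb_x_dump(text):
    """Parse GDB `x/Nx ADDR` output into {address: 32-bit word}.

    Consecutive words on a row are WORD bytes apart; lines that do not
    look like a dump row (prompts, messages) are ignored."""
    words = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        row_addr = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[row_addr + i * WORD] = int(tok, 16)
    return words


def word_offset(base, addr):
    """Distance from base to addr as (bytes, words)."""
    delta = addr - base
    return delta, delta // WORD


def find_word_index(words, base, value):
    """Index in words from base of the first word holding value, or None."""
    for addr in sorted(words):
        if addr >= base and words[addr] == value:
            return (addr - base) // WORD
    return None


def analyze(dump_text=GDB_DUMP, buffer_addr=BUFFER_ADDR,
            esp_before=ESP_BEFORE_RET, esp_after=ESP_AFTER_RET,
            ret_target=RET_TARGET):
    """Relate the dump, the buffer address and ESP around main's ret."""
    words = parse_gdb_x_dump(dump_text)
    ret_index = find_word_index(words, buffer_addr, ret_target)
    before_bytes, before_words = word_offset(buffer_addr, esp_before)
    after_bytes, after_words = word_offset(buffer_addr, esp_after)
    return {
        "words_parsed": len(words),
        "ret_index": ret_index,                 # slot holding the return address
        "esp_before_words": before_words,       # ESP sits on that slot before ret
        "esp_after_bytes": after_bytes,
        "esp_after_words": after_words,         # one slot past it after ret
        "esp_delta": esp_after - esp_before,    # ret pops exactly one word
        # True when ESP pointed at the return-address slot and ret advanced it
        # by one word, i.e. ESP now points just past the return address.
        "ret_pops_return_address": (
            ret_index is not None
            and before_words == ret_index
            and esp_after == esp_before + WORD
        ),
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(f"{k}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k}: {v}")
```

Running it reproduces the arithmetic from the session: 80 bytes and 20 words from the buffer to ESP after ret, with the return address sitting at word 19. Because the parser skips non-matching lines, the whole GDB transcript can be fed in unchanged.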
0x6c2 Bouncing Off linux-gate
The technique described below doesn't work with Linux kernels starting
from 2.6.18. This technique gained some popularity and, of course, the
developers patched the problem. The kernel used in the included LiveCD
is 2.6.20, so the output below is from the machine loki, which is running a
2.6.17 Linux kernel. Even though this particular technique doesn't work on
the LiveCD, the concepts behind it can be applied in other useful ways.