Bouncing off linux-gate refers to a shared object, exposed by the kernel,
which looks like a shared library. The program ldd shows a program's
shared library dependencies. Do you notice anything interesting about
the linux-gate library in the output below?
matrix@loki /hacking $ uname -a
Linux hacking 2.6.17 #2 SMP Sun Apr 11 03:42:05 UTC 2007 i686 GNU/Linux
matrix@loki /hacking $ cat /proc/sys/kernel/randomize_va_space
1
matrix@loki /hacking $ ldd ./aslr_demo
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/libc.so.6 (0xb7eb2000)
/lib/ld-linux.so.2 (0xb7fe5000)
matrix@loki /hacking $ ldd /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/librt.so.1 (0xb7f95000)
libc.so.6 => /lib/libc.so.6 (0xb7e75000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7e62000)
/lib/ld-linux.so.2 (0xb7fb1000)
matrix@loki /hacking $ ldd /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/librt.so.1 (0xb7f50000)
libc.so.6 => /lib/libc.so.6 (0xb7e30000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7e1d000)
/lib/ld-linux.so.2 (0xb7f6c000)
matrix@loki /hacking $
Even in different programs and with ASLR enabled, linux-gate.so.1 is
always present at the same address. This is a virtual dynamically shared object
used by the kernel to speed up system calls, which means it's needed in
every process. It is loaded straight from the kernel and doesn't exist anywhere
on disk.
The important thing is that every process has a block of memory containing
linux-gate's instructions, which are always at the same location, even
with ASLR. We are going to search this memory space for a certain assembly
instruction, jmp esp. This instruction will jump EIP to where ESP is pointing.
First, we assemble the instruction to see what it looks like in machine code.
matrix@loki /hacking $ cat > jmpesp.s
BITS 32
jmp esp
matrix@loki /hacking $ nasm jmpesp.s
matrix@loki /hacking $ hexdump -C jmpesp
00000000 ff e4 |..|
00000002
matrix@loki /hacking $
Using this information, a simple program can be written to find this
pattern in the program's own memory.
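Before searching for anything, it is worth checking whether the kernel really keeps linux-gate at a fixed address. The C program below is an added example, not code from the book: it parses /proc/self/maps (the `[vdso]` entry names the same object that ldd shows as linux-gate.so.1) and prints the mapping's base. Run it a few times: on the 2.6.17 system shown above it reports 0xffffe000 every time, while a kernel that randomizes the vDSO reports a different base on each run. The maps-line format is assumed to be the standard Linux one.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one /proc/<pid>/maps line such as
 *   "ffffe000-fffff000 r-xp 00000000 00:00 0          [vdso]"
 * Returns 1 and fills start/end if it is the [vdso] mapping, else 0. */
int parse_vdso_line(const char *line, uintptr_t *start, uintptr_t *end)
{
    unsigned long long s, e;
    char perms[8];

    if (strstr(line, "[vdso]") == NULL)
        return 0;
    if (sscanf(line, "%llx-%llx %7s", &s, &e, perms) != 3)
        return 0;
    *start = (uintptr_t)s;
    *end = (uintptr_t)e;
    return 1;
}

/* Convenience wrapper: base address of the [vdso] line, or 0 if it is not one. */
uintptr_t vdso_start_of(const char *line)
{
    uintptr_t s = 0, e = 0;
    return parse_vdso_line(line, &s, &e) ? s : 0;
}

/* Locate the [vdso] mapping of the running process. Returns 1 on success. */
int find_vdso(uintptr_t *start, uintptr_t *end)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (parse_vdso_line(line, start, end)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    uintptr_t start, end;

    if (!find_vdso(&start, &end)) {
        fprintf(stderr, "no [vdso] mapping found in /proc/self/maps\n");
        return 1;
    }
    /* A base that never changes between runs is the condition the text above relies on. */
    printf("[vdso] mapped at 0x%" PRIxPTR "-0x%" PRIxPTR "\n", start, end);
    return 0;
}
```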