Without the jmp esp instruction at a predictable address, there is no
easy way to bounce off of linux-gate. Can you think of a way to bypass ASLR
to exploit aslr_demo on the LiveCD?
0x6c3 Applied Knowledge
Situations like this are what make hacking an art. The state of computer
security is a constantly changing landscape, and specific vulnerabilities are
discovered and patched every day. However, if you understand the concepts
of the core hacking techniques explained here, you can apply them in
new and inventive ways to solve the problem du jour. Like LEGO bricks,
these techniques can be used in millions of different combinations and
configurations. As with any art, the more you practice these techniques, the
better you'll understand them. With this understanding comes the wisdom to
guesstimate offsets and recognize memory segments by their address ranges.
In this case, the problem is still ASLR. Hopefully, you have a few bypass
ideas you might want to try out now. Don't be afraid to use the debugger to
examine what is actually happening. There are probably several ways to bypass
ASLR, and you may invent a new technique. If you don't find a solution, don't
worry—I'll explain a method in the next section. But it's worthwhile to think
about this problem a little on your own before reading ahead.
0x6c4 A First Attempt
In fact, I had written this chapter before linux-gate was fixed in the Linux
kernel, so I had to hack together an ASLR bypass. My first thought was to
leverage the exec() family of functions (execl() and friends). We've been using
the execve() system call in our shellcode to spawn a shell, and if you pay close
attention (or just read the man page), you'll notice that execve() replaces the
currently running process image with a new one: the process ID stays the same,
but the program's memory, including its stack, is set up afresh.
EXEC(3) Linux Programmer's Manual
NAME
execl, execlp, execle, execv, execvp - execute a file
SYNOPSIS
#include <unistd.h>
extern char **environ;
int execl(const char *path, const char *arg, ...);
int execlp(const char *file, const char *arg, ...);
int execle(const char *path, const char *arg,
..., char * const envp[]);
int execv(const char *path, char *const argv[]);
int execvp(const char *file, char *const argv[]);
DESCRIPTION
The exec() family of functions replaces the current process
image with a new process image. The functions described in this
manual page are front-ends for the function execve(2). (See the