manual page for execve() for detailed information about the
replacement of the current process.)
It seems like there could be a weakness here if the memory layout is
randomized only when the process is started. Let's test this hypothesis with a
piece of code that prints the address of a stack variable and then executes
aslr_demo using an execl() function.
aslr_execl.c

#include <stdio.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
   int stack_var;

   // Print an address from the current stack frame.
   printf("stack_var is at %p\n", &stack_var);

   // Start aslr_demo to see how its stack is arranged.
   execl("./aslr_demo", "aslr_demo", NULL);
}
When this program is compiled and executed, it will execl() aslr_demo,
which also prints the address of a stack variable (buffer). This lets us compare
the memory layouts.
reader@hacking:~/booksrc $ gcc -o aslr_demo aslr_demo.c
reader@hacking:~/booksrc $ gcc -o aslr_execl aslr_execl.c
reader@hacking:~/booksrc $ ./aslr_demo test
buffer is at 0xbf9f31c0
reader@hacking:~/booksrc $ ./aslr_demo test
buffer is at 0xbffaaf70
reader@hacking:~/booksrc $ ./aslr_execl
stack_var is at 0xbf832044
buffer is at 0xbf832000
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbf832044 - 0xbf832000"
$1 = 68
reader@hacking:~/booksrc $ ./aslr_execl
stack_var is at 0xbfa97844
buffer is at 0xbf82f800
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbfa97844 - 0xbf82f800"
$1 = 2523204
reader@hacking:~/booksrc $ ./aslr_execl
stack_var is at 0xbfbb0bc4
buffer is at 0xbff3e710
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbfbb0bc4 - 0xbff3e710"
$1 = 4291241140
reader@hacking:~/booksrc $ ./aslr_execl
stack_var is at 0xbf9a81b4
buffer is at 0xbf9a8180
reader@hacking:~/booksrc $ gdb -q --batch -ex "p 0xbf9a81b4 - 0xbf9a8180"
$1 = 52
reader@hacking:~/booksrc $
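The subtractions above are done by hand in gdb, and one of them (4291241140) is the unsigned 32-bit wraparound of a negative distance rather than a real gap. The following program is an added example, not code from the book: it parses the "is at 0x..." lines the two programs print, reproduces gdb's figure, recovers the signed distance, and classifies each run by whether the two stack frames still sit on the same stack base. The four input pairs are taken from the transcript above; the 4 KiB tolerance and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Parse the hex address out of a line such as "buffer is at 0xbf832000".
   Returns 1 on success and stores the value; returns 0 if the line has
   no "is at 0x" marker or the digits do not parse. */
int parse_addr_line(const char *line, uint32_t *out) {
    const char *p = strstr(line, "is at 0x");
    if (p == NULL)
        return 0;
    const char *hex = p + 6;          /* skip "is at ", land on "0x..." */
    char *end;
    unsigned long v = strtoul(hex, &end, 16);   /* base 16 accepts the 0x prefix */
    if (end == hex)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* What gdb prints for "p A - B" on two 32-bit addresses: an unsigned
   result, so a child stack above the parent's wraps to ~4 billion. */
uint32_t gdb_style_diff(uint32_t a, uint32_t b) {
    return a - b;
}

/* The same distance read as signed: negative means stack_var (parent)
   ended up below buffer (child). */
int32_t signed_diff(uint32_t a, uint32_t b) {
    return (int32_t)(a - b);
}

/* Assumed threshold for this example: two frames less than one 4 KiB page
   apart are treated as living on the same (un-rerandomized) stack base. */
#define SAME_BASE_TOLERANCE 4096

int same_stack_base(uint32_t parent, uint32_t child) {
    int32_t d = signed_diff(parent, child);
    return d > -SAME_BASE_TOLERANCE && d < SAME_BASE_TOLERANCE;
}

typedef struct {
    const char *parent_line;   /* printed by aslr_execl before execl() */
    const char *child_line;    /* printed by aslr_demo after execl()   */
} run_t;

/* Constructed sample input: the four ./aslr_execl runs from the transcript. */
static const run_t sample_runs[] = {
    {"stack_var is at 0xbf832044", "buffer is at 0xbf832000"},
    {"stack_var is at 0xbfa97844", "buffer is at 0xbf82f800"},
    {"stack_var is at 0xbfbb0bc4", "buffer is at 0xbff3e710"},
    {"stack_var is at 0xbf9a81b4", "buffer is at 0xbf9a8180"},
};
#define NUM_RUNS (sizeof(sample_runs) / sizeof(sample_runs[0]))

/* Walk the sample runs, report gdb's figure next to the signed distance,
   and return how many runs kept the same stack base across execl(). */
int count_same_base_runs(void) {
    int same = 0;
    for (size_t i = 0; i < NUM_RUNS; i++) {
        uint32_t parent, child;
        if (!parse_addr_line(sample_runs[i].parent_line, &parent) ||
            !parse_addr_line(sample_runs[i].child_line, &child)) {
            fprintf(stderr, "run %zu: unparsable address line\n", i + 1);
            continue;
        }
        int unchanged = same_stack_base(parent, child);
        printf("run %zu: gdb prints %u, signed distance %d -> %s\n",
               i + 1, gdb_style_diff(parent, child), signed_diff(parent, child),
               unchanged ? "same stack base" : "stack base moved");
        same += unchanged;
    }
    return same;
}

int main(void) {
    int same = count_same_base_runs();
    printf("%d of %zu runs kept the same stack base across execl()\n",
           same, NUM_RUNS);
    return 0;
}
```

Run it and the third transcript figure resolves to a signed distance of -3726156 bytes (the child's stack landed above the parent's), while runs one and four differ by only 68 and 52 bytes, which is the frame-layout difference between the two programs rather than any movement of the stack base.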