Exploiting a Buffer Overflow Under Linux Kernel 2.6 With ASLR Through ret2reg
Description:
Linux kernel versions 2.6.x implement ASLR to prevent execution of arbitrary code located in the stack segment of a process. Moreover, kernel versions >= 2.6.18 also made the load address of ld-linux.so.2 dynamic, and recent compilers tend to avoid generating jmp|call *%esp instructions, so using a ret2esp technique to exploit a vulnerable application is becoming harder and harder. One way around the problem is to analyze the state of the registers just before the vulnerable code is executed: very probably one of them points to the address of the vulnerable buffer. All we have to do is search the executable or a static library for a ret2reg instruction, where reg is the register pointing to the vulnerable area, and use its address as the return address.
Tags: ret2reg, buffer overflow, ASLR, kernel 2.6