Security

  • bypassing randomized stack using linux-gate.so.1


    Hi,
    I was working on bypassing the randomized stack using "linux-gate.so.1".
    I am using Fedora Core 5 and the problem with it is that the location of
    linux-gate.so.1 is not fixed.
    But other libraries have fixed locations (like libc.so.6 and
    ld-linux.so.2).
    I changed the value of "/" to 0 and tested.
    But still it was of no use to me.
    Similarly I changed the value of "/proc/sys/kernel/exec_shield" to 0
    and tested,
    but even that didn't help :-(
    I have given below the output of two consecutive ldd executions.
    $ ldd vulerable02
    linux-gate.so.1 => (0x00111000)
    libc.so.6 => /lib/libc.so.6 (0x00bb0000)
    /lib/ld-linux.so.2 (0x00b8f000)
    $ ldd vulerable02
    linux-gate.so.1 => (0x00d47000)
    libc.so.6 => /lib/libc.so.6 (0x00bb0000)
    /lib/ld-linux.so.2 (0x00b8f000)
    I know that I can use other libraries to get a fixed physical address of
    "JMP *%ESP"
    or "CALL *%ESP", but I want to know why it is happening like this?
    I tried googling, but didn't get much.
    linux-gate.so.1 is supposed to have the same address
    (that is 0xffffe000) in all processes. (as per
    )
    Can someone please help me by explaining why it is happening like this?
    I was referring to links like
    "http://milw0rm.org/papers/55"
    ""
    Thank you.
  • No.1

    You can't JMP to linux-gate.so on Fedora: It's ASCII Shielded.

    linux-gate.so.1 => (0x00111000)

    The first byte is 0x00, or a null char. It's next to impossible to get a
    NULL as the first byte of the ESP.

    Have fun,
    -Jack Carrozzo
    jack _[@]_ crepinc.com

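The C program below is an added example, not code from the thread or from either poster. It ties the two observations above together: it parses constructed copies of Pravin's ldd lines (plus the 0xffffe000 vDSO page he expected), flags which load addresses sit in the first 16 MiB where the high byte is always 0x00 (the "ASCII shielded" range Jack refers to), and classifies whether a gadget at a hypothetical offset 0x123 inside each mapping could be delivered by a strcpy()-style overflow. On Linux it also prints the running process's own vDSO base from /proc/self/maps, so two runs can be compared the way Pravin compared two ldd runs. The offset 0x123 and the file name are assumptions for illustration only.

```c
/*
 * Added example (not from the thread).  It checks, for the load addresses
 * in Pravin's ldd output (constructed copies below) and for the 0xffffe000
 * vDSO address he expected, whether the address survives a strcpy()-style
 * copy, which is what Jack's "ASCII shielded" remark is about.  On Linux
 * it also prints this process's own vDSO base so two runs can be compared.
 * Build: gcc -Wall -o ldd_nul ldd_nul.c
 */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Whether a 32-bit address can be written into a buffer by strcpy():
 * NEVER      a NUL in one of the three low bytes stops the copy short;
 * LAST_ONLY  only the high byte is NUL, so on little-endian x86 the address
 *            can be the final word of the copy, with strcpy's own terminator
 *            supplying that byte; true of everything mapped below 16 MiB;
 * ANYWHERE   no NUL byte at all. */
typedef enum { DELIVER_NEVER, DELIVER_LAST_ONLY, DELIVER_ANYWHERE } deliverable_t;

deliverable_t strcpy_deliverable(uint32_t addr)
{
    for (int i = 0; i < 3; i++)                 /* bytes 0..2 are copied first */
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return DELIVER_NEVER;
    return (addr >> 24) == 0 ? DELIVER_LAST_ONLY : DELIVER_ANYWHERE;
}

/* 1 if the address lies in the first 16 MiB, where the high byte is 0x00
 * for every offset inside the mapping. */
int in_ascii_armor(uint32_t addr)
{
    return addr < 0x01000000u;
}

/* Parse the "(0x....)" load address that ends an ldd line; 0 if absent. */
uint32_t ldd_addr_or_zero(const char *line)
{
    const char *p = strrchr(line, '(');
    if (p == NULL || strncmp(p, "(0x", 3) != 0)
        return 0;
    char *end;
    unsigned long v = strtoul(p + 1, &end, 16);
    return *end == ')' ? (uint32_t)v : 0;
}

#ifdef __linux__
/* Base of this process's own vDSO mapping, read from /proc/self/maps. */
unsigned long own_vdso_base(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return 0;
    char buf[512];
    unsigned long base = 0;
    while (fgets(buf, sizeof buf, f) != NULL) {
        if (strstr(buf, "[vdso]") != NULL) {
            base = strtoul(buf, NULL, 16);      /* line is "start-end perms ..." */
            break;
        }
    }
    fclose(f);
    return base;
}
#endif

int main(void)
{
    static const char *const names[] = { "never", "last word only", "anywhere" };
    /* Constructed copies of the thread's ldd lines plus the expected fixed vDSO page. */
    const char *const lines[] = {
        "linux-gate.so.1 => (0x00111000)",
        "linux-gate.so.1 => (0x00d47000)",
        "libc.so.6 => /lib/libc.so.6 (0x00bb0000)",
        "/lib/ld-linux.so.2 (0x00b8f000)",
        "linux-gate.so.1 => (0xffffe000)",
    };
    const uint32_t gadget_off = 0x123;  /* hypothetical offset of a jmp *%esp inside the mapping */

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint32_t base = ldd_addr_or_zero(lines[i]);
        uint32_t gadget = base + gadget_off;
        printf("%-42s base 0x%08x armored=%d  gadget 0x%08x deliverable: %s\n",
               lines[i], base, in_ascii_armor(base), gadget,
               names[strcpy_deliverable(gadget)]);
    }
#ifdef __linux__
    printf("this process: vDSO base 0x%lx (run twice and compare)\n", own_vdso_base());
#endif
    return 0;
}
```

Two caveats worth keeping in mind when reading the output: the base of any mapping is page-aligned, so its low byte is 0x00 regardless of where it lands, and what matters for an overflow is the address of the gadget inside the mapping, not the base. What Jack's point hinges on is the high byte, which stays 0x00 for every address in a mapping below 16 MiB; because x86 is little-endian that byte is written last, so such an address can still be used exactly once, as the final word of the copy. The 0xffffe000 page the poster expected has no such byte anywhere inside it, which is why it was attractive before its position was randomized.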
  • No.2

    On Thu, Sep 21, 2006 at 06:45:14PM +0530, Pravin wrote:
    Hi,
    I was working on bypassing the randomized stack using "linux-gate.so.1".
    I am using Fedora Core 5 and the problem with it is that the location of
    linux-gate.so.1 is not fixed.
    But other libraries have fixed locations (like libc.so.6 and
    ld-linux.so.2).

    #

    Fedora's kernel probably already includes that patch.
