On Wed, Jan 14, 2015 at 5:52 PM, Theo de Raadt wrote:
>> > By the time an attacker has the control to search down, he surely
>> > already is capable of doing some other things. "Searching"
>> > almost certainly implies he is executing or ROP'ing.
>>
>> This is perhaps just me coming from the
himself. It would on average only require him
16384 connections to guess correctly. I would consider more than "some"
scenarios, but perhaps I'm biased. :)
On Wed, Jan 14, 2015 at 5:07 PM, Theo de Raadt wrote:
>> On Wed, Jan 14, 2015 at 3:44 PM, Mathias Svensson wrote:
On Wed, Jan 14, 2015 at 3:44 PM, Mathias Svensson wrote:
> Calls to malloc or mmap seem to be chosen randomly among 2 ** 20
> pages placed at a constant offset above the base of the binary.
> While none of these numbers are great (25 bits to base address with
> no knowledge, 20 bit
base of the binary. While
none of these numbers are great (25 bits to base address with no
knowledge, 20 bits if knowing another pointer), they are not
particularly bad either.
--
Mathias Svensson
bypass.c:
#include
#include
#ifdef __amd64__
#define USRSTACK 0x7f7fc000
#else
#ifdef __i386__