Re: Non-executable stack patch

Solar Designer (solar@false.com)
Tue, 10 Jun 1997 04:53:21 -0300 (GMT+3)


Hello!

> What about mapping libc always onto addresses that have a 0xab******
> pattern, and then forbidding character '0xab' in argv[] and envp[] strings
> [done by the kernel].

Well, there's a similar idea which I already implemented, and which I like
better (since people need characters like 0xab allowed).

It is to map libc at 0x00001000+ so there's always a zero byte in the
address. That way it's not possible to pass any parameters to the function
being called, since in most cases you have to overflow with an ASCIIZ string.
And even if there's a suitable function with no parameters, you would have to
overwrite the return address only, not fill with a pattern (unfortunately
x86s are little endian, so the address itself can be put in ASCIIZ; it will
terminate the string though).

Here goes a dirty kernel patch for mmap(); use it in addition to my
non-executable stack patch. Warning: this is x86-only; I should make a
#define in some architecture-specific include in the real patch instead.

--- /extra/linux-2.0.30/mm/mmap.c Fri Nov 22 11:25:17 1996
+++ linux/mm/mmap.c Mon Jun 9 02:20:25 1997
@@ -308,7 +308,7 @@
if (len > TASK_SIZE)
return 0;
if (!addr)
- addr = TASK_SIZE / 3;
+ addr = 0x00001000;
addr = PAGE_ALIGN(addr);

for (vmm = find_vma(current->mm, addr); ; vmm = vmm->vm_next) {
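Review bot: the new default `addr = 0x00001000;` is a bare magic number with no comment stating the intent (every address handed out from here contains a zero byte), and it is x86-specific; an architecture-specific define, as the cover text itself proposes, plus a one-line comment would make the hunk self-explaining. Note also that this changes the default hint for every mmap() caller that passes addr == 0, not only shared-library loads, and the zero-byte guarantee holds only while mappings placed in this region stay below 0x01000000, where the top byte is zero; once the find_vma() search below walks past that boundary, addresses without a zero byte become possible.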

I'm running this right now, no problems so far (both ELF and a.out binaries
work just fine).

Signed,
Solar Designer
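To check the property the message relies on (a zero byte somewhere in every libc address, so a NUL-terminated string copy stops at or inside the address and nothing after it is delivered), here is an added example in C; it is not part of the original thread or of the patch. The two base addresses and the 1 MB library size are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian encoding of a 32-bit address, as x86 lays it out in memory. */
static void encode_le32(uint32_t addr, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(addr >> (8 * i));
}

/* 1 if at least one of the four bytes of addr is 0x00. */
int addr_has_nul_byte(uint32_t addr)
{
    unsigned char b[4];
    encode_le32(addr, b);
    return memchr(b, 0, 4) != NULL;
}

/* How many address bytes a NUL-terminated copy delivers before stopping.
   4 means the whole address survives and anything after it is copied too. */
size_t asciiz_prefix_len(uint32_t addr)
{
    unsigned char b[5];
    encode_le32(addr, b);
    b[4] = 0;                       /* sentinel in case no byte is zero */
    return strlen((char *)b);
}

/* 1 if every address in [base, base+len) contains a zero byte, i.e. the whole
   mapped range has the property. Exhaustive; fine for library-sized ranges. */
int range_always_has_nul(uint32_t base, uint32_t len)
{
    for (uint32_t a = base; a < base + len; a++)
        if (!addr_has_nul_byte(a))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed values: the same offset in the old default region
       (TASK_SIZE/3 = 0x40000000 on 2.0 x86) and in the patched one. */
    uint32_t old_base = 0x40000000, new_base = 0x00001000, libc_len = 0x100000;
    uint32_t sample[2] = { old_base + 0x12345, new_base + 0x12345 };
    for (int i = 0; i < 2; i++)
        printf("0x%08x: zero byte %s, ASCIIZ copy delivers %zu of 4 bytes\n",
               sample[i], addr_has_nul_byte(sample[i]) ? "yes" : "no",
               asciiz_prefix_len(sample[i]));
    printf("old range protected: %d, new range protected: %d\n",
           range_always_has_nul(old_base, libc_len),
           range_always_has_nul(new_base, libc_len));
    return 0;
}
```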