Return oriented programming is a technique used to evade DEP or NX stack protection. I am playing around with ROP shellcoding in x86_64 Linux.
The problem is that the memory space of my program and shared libraries seems to be consistently placed in lower memory addresses.
cat /proc/26327/maps
7fdc62ff9000-7fdc63196000 r-xp 00000000 08:03 5317651 /lib64/libc-2.19.so
The 12 byte memory address is screwing up my ability to load ROP shellcode because 0's in the memory address terminate the strcpy function that I am overflowing.
I have full control over the system and executable. Is there a way to force shared libraries to be loaded at higher memory addresses so that I can avoid 0's in the address space?
It's more fundamental than that:
When AMD invented x86-64, they made canonical addresses mandatory. While you theoretically have 64 bits of address-space, current x86-64 processors don't expose all of it. My cpu, for example, tells me it has cat /proc/cpuinfo: address sizes : 39 bits physical, 48 bits virtual. As the upper half of virtual addresses is reserved for the kernel, you can't get rid of the top null-byte in userspace.