ASLR

Address Space Layout Randomisation

ASLR works by randomising the locations of key components in a process's memory, such as the base address of shared libraries. This makes it harder for attackers to predict where these components will be located, since the addresses differ each time the system is restarted or a new process is launched.

ASLR is like PIE for external libraries and kernel components.

Double-Checking

For the same reason as with PIE (mappings are page-aligned), a libc base address always ends in the hexadecimal digits 000. A candidate base that does not end in 000 is not the real base.

Bypassing ASLR

As explained here, the GOT (Global Offset Table) is a table within the binary that holds the addresses of external library functions (such as puts from libc).

As the GOT is part of the binary, it is always at a constant offset from the binary's base. Therefore, if PIE (Position Independent Executable) is disabled or the binary base is somehow leaked, the exact GOT entry holding the address of a libc function can be located.

ret2plt is generally used to bypass ASLR.

There are also methods to leak the libc base address.
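Added example (not part of the original page): a Linux check that parses /proc/<pid>/maps from several fresh process launches, confirms every library base ends in 000 as the Double-Checking section says, and reports which objects are actually relocated. The two maps excerpts and the /tmp/vuln path are constructed samples of a non-PIE binary, whose base stays fixed at 0x400000 while libc moves.

```python
import subprocess

# Constructed /proc/<pid>/maps excerpts from two launches of a non-PIE
# binary (fixed 0x400000 base) whose libc is relocated differently each time.
SAMPLE_RUN_1 = """\
00400000-00401000 r--p 00000000 08:01 42 /tmp/vuln
00401000-00402000 r-xp 00001000 08:01 42 /tmp/vuln
7f3a1c800000-7f3a1c822000 r--p 00000000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c822000-7f3a1c9b7000 r-xp 00022000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_RUN_2 = """\
00400000-00401000 r--p 00000000 08:01 42 /tmp/vuln
00401000-00402000 r-xp 00001000 08:01 42 /tmp/vuln
7f91d0a00000-7f91d0a22000 r--p 00000000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6
7f91d0a22000-7f91d0bb7000 r-xp 00022000 08:01 123 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffc0f5c0000-7ffc0f5e1000 rw-p 00000000 00:00 0 [stack]
"""

def library_bases(maps_text):
    """Map each file-backed object to its base (lowest segment start)."""
    bases = {}
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6 or not parts[5].startswith("/"):
            continue  # anonymous mapping, [heap], [stack], [vdso] ...
        start = int(parts[0].split("-")[0], 16)
        path = parts[5]
        bases[path] = min(bases.get(path, start), start)
    return bases

def is_page_aligned(addr, page_size=0x1000):
    """Sanity check from the text: a real base ends in 000 (page aligned)."""
    return addr % page_size == 0

def is_randomised(runs, path):
    """True if `path` was loaded at more than one base across `runs`."""
    return len({bases[path] for bases in runs if path in bases}) > 1

def sample_live_runs(count=3):
    """Linux only: each `cat /proc/self/maps` is a fresh process launch."""
    return [library_bases(subprocess.check_output(["cat", "/proc/self/maps"], text=True))
            for _ in range(count)]

if __name__ == "__main__":
    runs = sample_live_runs()
    for path in sorted(set().union(*runs)):
        print(f"{path}: randomised={is_randomised(runs, path)} "
              f"bases={[hex(r[path]) for r in runs if path in r]}")
```

On a live system, a library reported as not randomised, or `/proc/sys/kernel/randomize_va_space` reading 0, means ASLR is off and the offsets in the text above become constant.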
