ASLR

Address Space Layout Randomisation

ASLR works by randomizing the locations of key components in a system's memory, such as the location of libraries. This makes it harder for attackers to predict where these components will be located, as it will be different each time the system is restarted or a new process is launched.

ASLR is like PIE for external libraries and kernel components.

ASLR depends on the environment in which a binary is run, while PIE can be included in the binary itself and is therefore independent of the environment.

If a binary compiled with ASLR disabled is run on another system with ASLR enable, it will had ASLR protection.

Such as PIE, it's then impossible to hardcode values such as function address (e.g. system for a ret2libc).

Use the followed command in order to disable ASLR to your system :

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Don't forget to enable it again using :

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Double-Checking

For the same reason as PIE, libc base addresses always end in the hexadecimal characters 000.

Bypassing ASLR

It may be tempting to think that, similar to PIE, leaking a libc address using format string and subtracting a static offset from it will work. However, this is not the case.

When functions finish execution, they do not get removed from memory; instead, they are ignored and overwritten. Chances are very high that one of these remnants will be grabbed with the format string. Different libc versions can behave differently during execution, so a value grabbed this way may not even exist in the target libc, and if it does, the offset is likely to be different due to the varying sizes of different libc versions. It is possible to be successful with this method with a high dose of luck, but it should not be relied upon.

As explain here, the GOT section is a table within the binary that points to external libraries functions ( such as puts, function of libc) .

As the GOT is part of the binary, it will always be a constant offset away from the base. Therefore, if PIE (Position Independent Executable) is disabled or the binary base is somehow leaked, the exact address containing the address of a libc function can be determined.

ret2plt is generaly used to bypass ASLR.

There is also methods to leaks the libc base address.

PreviousPIENextRELRO

Last updated