🏳️
The CTF Recipes
  • Introduction
  • Cryptography
    • Introduction
    • General knowledge
      • Encoding
        • Character encoding
          • ASCII
          • Unicode
          • UTF-8
        • Data encoding
          • Base16
          • Base32
          • Base64
      • Maths
        • Modular arithmetic
          • Greatest Common Divisor
          • Fermat's little theorem
          • Quadratic residues
          • Tonelli-Shanks
          • Chinese Remainder Theorem
          • Modular binomial
      • Padding
        • PKCS#7
    • Misc
      • XOR
    • Mono-alphabetic substitution
      • Index of coincidence
      • frequency analysis
      • Well known algorithms
        • 🔴Scytale
        • 🔴ROT
        • 🔴Polybe
        • 🔴Vigenere
        • 🔴Pigpen cipher
        • 🔴Affine cipher
    • Symmetric Cryptography
      • AES
        • Block Encryption procedure
          • Byte Substitution
          • Shift Row
          • Mix Column
          • Add Key
          • Key Expansion / Key Schedule
        • Mode of Operation
          • ECB
            • Block shuffling
              • Challenge example
            • ECB Oracle
              • Challenge example
          • CBC
            • Bit flipping
              • Challenge example
            • Padding oracle
              • Challenge example
          • OFB
            • Key stream reconstruction
            • Encrypt to Uncrypt
  • 🛠️Pwn
    • General knowledge
      • STACK
        • Variables storage
        • Stack frame
      • PLT and GOT
      • HEAP
        • HEAP operations
        • Chunk
        • Bins
        • Chunk allocation and reallocation
      • Syscall
    • Architectures
      • aarch32
        • Registers
        • Instruction set
        • Calling convention
      • aarch64
        • Registers
        • Instruction set
        • Calling convention
      • mips32
        • Registers
        • Instruction set
        • Calling convention
      • mips64
        • Registers
        • Instruction set
        • Calling convention
      • x86 / x64
        • Registers
        • Instruction set
        • Calling convention
    • Stack exploitation
      • Stack Buffer Overflow
        • Dangerous functions
          • gets
          • memcpy
          • sprintf
          • strcat
          • strcpy
        • Basics
          • Challenge example
        • Instruction pointer Overwrite
          • Challenge example
        • De Bruijn Sequences
        • Stack reading
          • Challenge example
      • Format string
        • Dangerous functions
          • printf
          • fprintf
        • Placeholder
        • Data Leak
          • Challenge example
        • Data modification
          • Challenge example
      • Arbitrary code execution
        • Shellcode
        • ret2reg
        • Code reuse attack
          • Ret2plt
          • Ret2dlresolve
          • GOT Overwrite
          • Ret2LibC
          • Leaking LibC
          • Ret2csu
          • Return Oriented Programming - ROP
          • Sigreturn Oriented Programming - SROP
          • Blind Return Oriented Programming - BROP
            • Challenge example
          • 🔴Call Oriented Programming - COP
          • 🔴Jump Oriented Programming - JOP
          • One gadget
        • Stack pivoting
    • 🛠️Heap exploitation
      • Heap overflow
        • Challenge example
      • Use after free
        • Challenge example
      • 🛠️Double free
      • 🔴Unlink exploit
    • Protections
      • Stack Canaries
      • No eXecute
      • PIE
      • ASLR
      • RELRO
    • Integer overflow
Powered by GitBook
On this page
  • Double-Checking
  • Bypassing ASLR
  1. Pwn
  2. Protections

ASLR

Address Space Layout Randomisation

ASLR works by randomizing the locations of key components in a system's memory, such as the location of libraries. This makes it harder for attackers to predict where these components will be located, as it will be different each time the system is restarted or a new process is launched.

ASLR is like PIE for external libraries and kernel components.

ASLR depends on the environment in which a binary is run, while PIE can be included in the binary itself and is therefore independent of the environment.

If a binary compiled with ASLR disabled is run on another system with ASLR enable, it will had ASLR protection.

Such as PIE, it's then impossible to hardcode values such as function address (e.g. system for a ret2libc).

Use the followed command in order to disable ASLR to your system :

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Don't forget to enable it again using :

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Double-Checking

For the same reason as PIE, libc base addresses always end in the hexadecimal characters 000.

Bypassing ASLR

It may be tempting to think that, similar to PIE, leaking a libc address using format string and subtracting a static offset from it will work. However, this is not the case.

When functions finish execution, they do not get removed from memory; instead, they are ignored and overwritten. Chances are very high that one of these remnants will be grabbed with the format string. Different libc versions can behave differently during execution, so a value grabbed this way may not even exist in the target libc, and if it does, the offset is likely to be different due to the varying sizes of different libc versions. It is possible to be successful with this method with a high dose of luck, but it should not be relied upon.

As explain here, the GOT section is a table within the binary that points to external libraries functions ( such as puts, function of libc) .

As the GOT is part of the binary, it will always be a constant offset away from the base. Therefore, if PIE (Position Independent Executable) is disabled or the binary base is somehow leaked, the exact address containing the address of a libc function can be determined.

ret2plt is generaly used to bypass ASLR.

There is also methods to leaks the libc base address.

PreviousPIENextRELRO

Last updated 2 years ago

🛠️