Binary Exploitation
HackTheBoxCTF WriteupsCryptography
Search…
Binary Exploitation Notes
Types
Stack
Introduction
ret2win
De Bruijn Sequences
Shellcode
NOPs
32- vs 64-bit
No eXecute
Return-Oriented Programming
Format String Bug
Stack Canaries
PIE
ASLR
ASLR Bypass with Given Leak
PLT and GOT
ret2plt ASLR bypass
GOT Overwrite
RELRO
Reliable Shellcode
One Gadgets and Malloc Hook
Syscalls
ret2dlresolve
ret2csu
Exploiting over Sockets
Forking Processes
Stack Pivoting
Heap
Kernel
Other
pwntools
Powered By GitBook
ASLR
Address Space Layout Randomisation

Overview

ASLR stands for Address Space Layout Randomisation and can, in most cases, be thought of as libc's equivalent of PIE - every time you run a binary, libc (and other libraries) get loaded into a different memory address.
While it's tempting to think of ASLR as libc PIE, there is a key difference.
ASLR is a kernel protection while PIE is a binary protection. The main difference is that PIE can be compiled into the binary while the presence of ASLR is completely dependant on the environment running the binary. If I sent you a binary compiled with ASLR disabled while I did it, it wouldn't make any different at all if you had ASLR enabled.
Of course, as with PIE, this means you cannot hardcode values such as function address (e.g. system for a ret2libc).

The Format String Trap

It's tempting to think that, as with PIE, we can simply format string for a libc address and subtract a static offset from it. Sadly, we can't quite do that.
When functions finish execution, they do not get removed from memory; instead, they just get ignored and overwritten. Chances are very high that you will grab one of these remnants with the format string. Different libc versions can act very differently during execution, so a value you just grabbed may not even exist remotely, and if it does the offset will most likely be different (different libcs have different sizes and therefore different offsets between functions). It's possible to get lucky, but you shouldn't really hope that the offsets remain the same.
Instead, a more reliable way is reading the GOT entry of a specific function.

Double-Checking

For the same reason as PIE, libc base addresses always end in the hexadecimal characters 000.
Previous
PIE Bypass
Next
ASLR Bypass with Given Leak
Last modified 1yr ago
Export as PDF
Copy link
On this page
Overview
The Format String Trap
Double-Checking