search
MathematicsCryptography

ASLR Bypass with Given Leak

hashtag
The Source

file-archive
3KB
aslr.zip
archive
arrow-up-right-from-squareOpen
ASLR - 32-bit
#include <stdio.h>
#include <stdlib.h>

void vuln() {
    char buffer[20];

    printf("System is at: %lp\n", system);

    gets(buffer);
}

int main() {
    vuln();

    return 0;
}

void win() {
    puts("PIE bypassed! Great job :D");
}

Just as we did for PIE, except this time we print the address of system.

hashtag
Analysis

Yup, does what we expected.

circle-info

Your address of system might end in different characters - you just have a different libc version

hashtag
Exploitation

Much of this is as we did with PIE.

Note that we include the libc here - this is just another ELF object that makes our lives easier.

Parse the address of system and calculate libc base from that (as we did with PIE):

Now we can finally ret2libc, using the libc ELF object to really simplify it for us:

hashtag
Final Exploit

hashtag
64-bit

Try it yourself :)

file-archive
3KB
aslr-64.zip
archive
arrow-up-right-from-squareOpen
ASLR - 64-bit

hashtag
Using pwntools

If you prefer, you could have changed the following payload to be more pwntoolsy:

Instead, you could do:

The benefit of this is it's (arguably) more readable, but also makes it much easier to reuse in 64-bit exploits as all the parameters are automatically resolved for you.

Last updated

Was this helpful?