ASLR

ASLR or Address Space Layout Randomization is a technique that prevents the exploiter from finding the correct address. ASLR is specific to Linux/GNU systems only.

Note: Basically ASLR is good because it helps to safe guards our system. It involves the randomization of virtual memory. If this need to work then the binaries running this need to be independent of the positions that is it should not have static memory.

In a non-ASLR process the stack's address is always the same. So we know exactly where the memory is.

How ASLR works?

When ASLR is enabled it will load the first binary into some random value and then follow up the corresponding values.

How to overcome ASLR?

Copy the payload.txt for nx and move it to aslr folder and execute it. We get a segmentation fault core dumped. Along with that we get a core file for which we are going to run to run along with binary to gdb

gdb ./vulnerable.out core  

Rename the value of core to some other value so that you can recognize it. We need to analyse the gdb values of each of them.

Run time linking : To find the address of the function which is unknown are discovered. As ASLR prevents from hard coding the address, we fix the address of call instruction, when we go to the specific target we dynamically find the correct address.

Working:

  1. Load vulnerable to gdb
  2. set b main
  3. disass main
  4. x/i first call address
  5. In the address we have an indirect jump takes the rip+some address and then takes the 64 bit value and jumps to that location, then if we do x/xg 0x601020 we get the value and then we can do x/3i address we see that the instruction next to it itself to where it jumps.
  6. Now try to set breakpoint at the location before printf and the location after printf. Then try to print the value at the at ox60.. and then print it and see the address of printf. We see that the one after the "Call printf" works correctly.

When we check the working of we can see plt and got.plt. They are two basic data structures. Where PLT table is an array of instructions". We use the those entries in the call instruction.

GOT table stores the pointers to the functions that are calculated dynamically.

pwndbg> x/3i 0x4004c0
0x4004c0 <printf@plt>:       jmp    QWORD PTR [rip+0x200b5a]        # 0x601020 <printf@got.plt>
0x4004c6 <printf@plt+6>:     push   0x1
0x4004cb <printf@plt+11>:    jmp    0x4004a0

This is the got table and it contains a indirect jump that has a got table with the address 0x601020. Location of a got entry of one function is fixed but value is not fixed, which means that we can hardcode the function address.

The change happened before and shows the change in the entry of the values in the got table.

If we call the printf twice will the value change? No it won't because the RIP for the specific function donot change. But the RIP for the main can change.

We use the below argument to manipulate the got entry

sub    QWORD PTR [rdi],rsi
 Previous