'Binary Exploitation - ASLR
This is more so just a general question about how ASLR actually prevents Buffer Overflow. The statement I keep seeing is that it randomises the address space of the Stack and the excecutable. It then goes on to say that for this exploit to work the location of the excecutable and stack are needed. Thats the part I am getting confused on, all of the examples I have seen off Bufferoverflow dont trouble themselves with finding the location of these things. This is one of the examples I looked at and all the other ones are pretty much the same, It doesnt mention or do anything to do with the location of the Stack or excecutables. Here is the link to the example in case the answer is there and I am not understanding something: https://www.coengoedegebure.com/buffer-overflow-attacks-explained/#:~:text=A%20buffer%20overflow%20occurs%20when,possibly%20taking%20over%20the%20machine.
Sorry if this is a dumb question
#include <string.h>
void func(char *name)
{
char buf[100];
strcpy(buf, name);
printf("Welcome %s\n", buf);
}
int main(int argc, char *argv[])
{
func(argv[1]);
return 0;
}
Solution 1:[1]
Okay, so once we do a buffer overflow, we want to redirect control flow to something that we know.
Let's make this really simple and assume that the stack itself is executable. We could pop a reverse shell using this, for example. But, how do we run this shellcode, exactly?
So, what we want to do is overflow the buffer, change the return address on the stack to point to the stack itself (in particular, the offset of the stack where this shellcode exists, we could find these offsets using gdb
for example).
But, how do we know where the stack is exactly?
A long time ago, before ASLR, the stack was always in a particular spot, so we could just use gdb
(for example) to find where the stack was, and just change the return pointer to point to the stack (in particular, where our shellcode is).
But, with ASLR, we either need to brute force the stack position, along with NOP sleds (assuming we have enough room), or achieve address disclosure of the stack through another bug.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | alex |