TL;DR
Address Space Layout Randomisation (ASLR) makes it harder to exploit programs by randomising memory addresses. This guide shows how attackers can bypass ASLR using information leaks – finding ways to discover these randomised addresses.
Understanding the Problem
ASLR prevents predictable exploitation by shuffling where code, libraries and other data are loaded into memory each time a program runs. If an attacker knows even one address within the process’s memory space, they can calculate the offsets to find other important locations.
Steps to Bypass ASLR
- Identify Potential Information Leaks: The first step is finding vulnerabilities that reveal addresses. Common sources include:
- Error Messages: Look for error messages that print memory addresses (e.g., stack traces, debugging information).
- Format String Bugs: These bugs can be used to read from arbitrary memory locations.
- Heap Leaks: Exploiting heap management flaws to reveal address ranges.
- Side Channels: Timing attacks or cache-based side channels can sometimes leak information.
- Exploit the Leak: Once you’ve found a leak, exploit it to get an address.
- Example (Format String Bug): If you have control over a format string passed to
printf, you can use%pto print stack addresses.
# Example in C char buffer[64]; vulnerable_function(buffer);An attacker might provide a format string like
"%p %p %p %p %p"to leak multiple addresses. - Example (Format String Bug): If you have control over a format string passed to
- Calculate Offsets: With one address, calculate offsets to other important locations. This often involves knowing the base address of libraries or the executable itself.
- Find Module Base Addresses: Use tools like
proc/maps(Linux) or debugging tools to find the base addresses of loaded modules (e.g., libc).
# Example using /proc/maps on Linux pwd@machine:/$ cat /proc/[pid]/maps ... 7f2a45600000-7f2a45800000 r-xp 00000000 fc:00 1234567 /lib/x86_64-linux-gnu/libc.so.6 ... - Find Module Base Addresses: Use tools like
- Calculate Offset from Leaked Address: Subtract the leaked address from the base address of a module to find offsets within that module.
- Construct Exploits: Use the calculated offsets to build your exploit.
- ROP Chains: Construct Return-Oriented Programming (ROP) chains using addresses you’ve discovered.
- Direct Function Calls: If ASLR is partially bypassed, you might be able to directly call functions at known offsets.
- Bypass Mitigations: Be aware of other security mitigations that may be in place (e.g., DEP/NX, stack canaries). You may need to combine multiple techniques to achieve a successful exploit.
- Stack Canaries: If present, you’ll need to find ways to leak or bypass the canary value before overwriting the return address.
Tools
- GDB (GNU Debugger): For debugging and analysing memory layouts.
- pwntools: A Python library for exploit development, including ASLR bypass techniques.
- ROPgadget: Finds useful gadgets within libraries to build ROP chains.