Question regarding ASLR
If I have a binary file which does not have ASLR enabled, but the libc file it uses has ASLR enabled, will the address of system() in the libc file be randomized every time?
Or will the address be the same every time because the binary itself does not have ASLR enabled?
linux exploit
asked Dec 6 '18 at 4:10
Neon Flash
1 Answer
When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.

```
$ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
$ ldd ./untitled
linux-gate.so.1 (0xf7f66000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
/lib/ld-linux.so.2 (0xf7f68000)
$ ldd ./untitled
linux-gate.so.1 (0xf7fd1000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
/lib/ld-linux.so.2 (0xf7fd3000)
$ ldd ./untitled
linux-gate.so.1 (0xf7f8f000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
/lib/ld-linux.so.2 (0xf7f91000)
```

However, once system-wide ASLR is disabled:

```
$ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
0
$ ldd `which cat`
linux-vdso.so.1 (0x00007ffff7ffa000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
$ ldd `which cat`
linux-vdso.so.1 (0x00007ffff7ffa000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
$ ldd `which cat`
linux-vdso.so.1 (0x00007ffff7ffa000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
```

The offset of system with respect to the libc base should remain constant in a libc.
edited Dec 6 '18 at 4:54
answered Dec 6 '18 at 4:30
sudhackar
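The behaviour the answer demonstrates with repeated ldd runs, as an added example that is not part of the original answer: each sample starts a fresh process, resolves system() through dlsym, and derives the base of the libc mapping from /proc/self/maps, so the base moves between runs while the offset of system() from that base does not. It assumes Linux with a readable /proc and a CPython interpreter at sys.executable.

```python
import subprocess
import sys

# Child program, run once per sample: print the runtime address of system()
# (resolved via dlsym, so it is libc's real entry point), then its own maps.
CHILD_SRC = (
    "import ctypes, sys\n"
    "print(ctypes.cast(ctypes.CDLL(None).system, ctypes.c_void_p).value)\n"
    "sys.stdout.write(open('/proc/self/maps').read())\n"
)

def object_base(addr, maps_text):
    """Base of the file-backed object mapped at addr: the lowest start of any
    mapping with the same path (what ldd prints for a library linked at 0)."""
    mappings = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        lo, hi = (int(x, 16) for x in fields[0].split("-"))
        mappings.append((lo, hi, fields[5].strip() if len(fields) > 5 else ""))
    path = next(p for lo, hi, p in mappings if lo <= addr < hi and p)
    return min(lo for lo, _, p in mappings if p == path)

def sample_runs(count):
    """Start `count` fresh processes (one per ldd run in the answer) and
    return a list of (libc_base, system_addr) pairs."""
    runs = []
    for _ in range(count):
        out = subprocess.run([sys.executable, "-c", CHILD_SRC],
                             capture_output=True, text=True, check=True).stdout
        first_line, maps_text = out.split("\n", 1)
        addr = int(first_line)
        runs.append((object_base(addr, maps_text), addr))
    return runs

def read_randomize_va_space():
    """The system-wide knob the answer toggles; -1 if it cannot be read."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return -1

if __name__ == "__main__":
    runs = sample_runs(5)
    for base, addr in runs:
        print(f"libc base {base:#x}  system {addr:#x}  offset {addr - base:#x}")
    # Expect several distinct bases but exactly one offset while ASLR is on.
    print(f"randomize_va_space={read_randomize_va_space()}  distinct bases="
          f"{len({b for b, _ in runs})}  distinct offsets={len({a - b for b, a in runs})}")
```

Run it with randomize_va_space at 2, then again after setting it to 0 as the answer does, and compare the "distinct bases" count; the offset column is the value `nm -D` reports for system in that libc.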
So are you saying that ASLR for the main binary does not matter, and only the OS-level ASLR setting matters?
– Neon Flash, Dec 6 '18 at 4:39
How do you disable ASLR for any binary?
– sudhackar, Dec 6 '18 at 4:42
My question is specifically about the address of the system() function in libc. Since libc has PIE enabled, I understand that if the OS has ASLR enabled it will randomize the addresses in libc? Will the address of the system() function be randomized as well?
– Neon Flash, Dec 6 '18 at 4:47
Should I create a new question for finding the "system" and "/bin/sh" addresses from a given libc file?
– Neon Flash, Dec 6 '18 at 5:06
I'll mark this one as resolved.
– Neon Flash, Dec 6 '18 at 5:06