Question regarding ASLR












1















If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?



Or the address will be the same every time because the binary itself does not have ASLR enabled?






linux exploit







share|improve this question



























    1















    If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?



    Or the address will be the same every time because the binary itself does not have ASLR enabled?






    linux exploit







    share|improve this question

























      1












      1








      1








      If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?



      Or the address will be the same every time because the binary itself does not have ASLR enabled?






      linux exploit







      share|improve this question














      If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?



      Or the address will be the same every time because the binary itself does not have ASLR enabled?






      linux exploit




      linux exploit






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 6 '18 at 4:10









      Neon FlashNeon Flash

      320213




      320213






















          1 Answer
          1






          active

          oldest

          votes


















          2














          When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f66000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          
    /lib/ld-linux.so.2 (0xf7f68000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7fd1000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          
    /lib/ld-linux.so.2 (0xf7fd3000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f8f000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          
    /lib/ld-linux.so.2 (0xf7f91000)


          However once system wide ASLR is disabled



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          
0
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


          Offset of system with respect to libc base should remain constant in a libc.






          share|improve this answer


























          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

            – Neon Flash
            Dec 6 '18 at 4:39











          • How do you disable ASLR for any binary?

            – sudhackar
            Dec 6 '18 at 4:42











          • My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

            – Neon Flash
            Dec 6 '18 at 4:47











          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

            – Neon Flash
            Dec 6 '18 at 5:06











          • I'll mark this one as resolved.

            – Neon Flash
            Dec 6 '18 at 5:06











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "489"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f20063%2fquestion-regarding-aslr%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f66000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          
    /lib/ld-linux.so.2 (0xf7f68000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7fd1000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          
    /lib/ld-linux.so.2 (0xf7fd3000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f8f000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          
    /lib/ld-linux.so.2 (0xf7f91000)


          However once system wide ASLR is disabled



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          
0
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


          Offset of system with respect to libc base should remain constant in a libc.






          share|improve this answer


























          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

            – Neon Flash
            Dec 6 '18 at 4:39











          • How do you disable ASLR for any binary?

            – sudhackar
            Dec 6 '18 at 4:42











          • My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

            – Neon Flash
            Dec 6 '18 at 4:47











          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

            – Neon Flash
            Dec 6 '18 at 5:06











          • I'll mark this one as resolved.

            – Neon Flash
            Dec 6 '18 at 5:06
















          2














          When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f66000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          
    /lib/ld-linux.so.2 (0xf7f68000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7fd1000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          
    /lib/ld-linux.so.2 (0xf7fd3000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f8f000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          
    /lib/ld-linux.so.2 (0xf7f91000)


          However once system wide ASLR is disabled



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          
0
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


          Offset of system with respect to libc base should remain constant in a libc.






          share|improve this answer


























          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

            – Neon Flash
            Dec 6 '18 at 4:39











          • How do you disable ASLR for any binary?

            – sudhackar
            Dec 6 '18 at 4:42











          • My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

            – Neon Flash
            Dec 6 '18 at 4:47











          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

            – Neon Flash
            Dec 6 '18 at 5:06











          • I'll mark this one as resolved.

            – Neon Flash
            Dec 6 '18 at 5:06














          2












          2








          2







          When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f66000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          
    /lib/ld-linux.so.2 (0xf7f68000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7fd1000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          
    /lib/ld-linux.so.2 (0xf7fd3000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f8f000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          
    /lib/ld-linux.so.2 (0xf7f91000)


          However once system wide ASLR is disabled



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          
0
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


          Offset of system with respect to libc base should remain constant in a libc.






          share|improve this answer















          When the process is created it is the job of the loader to parse the ELF and allocate/map memory segments, resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f66000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          
    /lib/ld-linux.so.2 (0xf7f68000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7fd1000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          
    /lib/ld-linux.so.2 (0xf7fd3000)
          
$ ldd ./untitled
          
    linux-gate.so.1 (0xf7f8f000)
          
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          
    /lib/ld-linux.so.2 (0xf7f91000)


          However once system wide ASLR is disabled



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          
0
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          
$ ldd `which cat`
          
    linux-vdso.so.1 (0x00007ffff7ffa000)
          
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          
    /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


          Offset of system with respect to libc base should remain constant in a libc.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 6 '18 at 4:54

























          answered Dec 6 '18 at 4:30









          sudhackarsudhackar

          1,2551421




          1,2551421













          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

            – Neon Flash
            Dec 6 '18 at 4:39











          • How do you disable ASLR for any binary?

            – sudhackar
            Dec 6 '18 at 4:42











          • My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

            – Neon Flash
            Dec 6 '18 at 4:47











          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

            – Neon Flash
            Dec 6 '18 at 5:06











          • I'll mark this one as resolved.

            – Neon Flash
            Dec 6 '18 at 5:06



















          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

            – Neon Flash
            Dec 6 '18 at 4:39











          • How do you disable ASLR for any binary?

            – sudhackar
            Dec 6 '18 at 4:42











          • My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

            – Neon Flash
            Dec 6 '18 at 4:47











          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

            – Neon Flash
            Dec 6 '18 at 5:06











          • I'll mark this one as resolved.

            – Neon Flash
            Dec 6 '18 at 5:06

















          So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

          – Neon Flash
          Dec 6 '18 at 4:39





          So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?

          – Neon Flash
          Dec 6 '18 at 4:39













          How do you disable ASLR for any binary?

          – sudhackar
          Dec 6 '18 at 4:42





          How do you disable ASLR for any binary?

          – sudhackar
          Dec 6 '18 at 4:42













          My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

          – Neon Flash
          Dec 6 '18 at 4:47





          My question is specifically related to address of system() function in libc. Since, libc has PIE enabled, so I understand that if OS has ASLR enabled then it will randomize the addresses in libc? Will the address of system() function be randomized as well?

          – Neon Flash
          Dec 6 '18 at 4:47













          Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

          – Neon Flash
          Dec 6 '18 at 5:06





          Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?

          – Neon Flash
          Dec 6 '18 at 5:06













          I'll mark this one as resolved.

          – Neon Flash
          Dec 6 '18 at 5:06





          I'll mark this one as resolved.

          – Neon Flash
          Dec 6 '18 at 5:06


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Reverse Engineering Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2freverseengineering.stackexchange.com%2fquestions%2f20063%2fquestion-regarding-aslr%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Plaza Victoria

          Image
          Plaza Victoria Plaza Victoria en 2017 Otros nombres Plaza de La Victoria Localización El Almendral, Valparaíso, Chile Vías adyacentes Chacabuco, Molina, Plaza Victoria y Edwards Creación 1841 Metro Bellavista Ubicación 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 Coordenadas: 33°02′46″S 71°37′11″O  /  -33.04624167, -71.61980833 [editar datos en Wikidata] La Plaza Victoria , también llamada Plaza de la Victoria , [ 1 ] ​ es una plaza ubicada en el sector El Almendral del plan de la ciudad de Valparaíso, Chile, de importancia patrimonial, que incluye valiosas estatuas y especies vegetales. [ 2 ] ​ La plaza se creó como tal en la primera mitad del siglo XIX, tomando previamente los nombres de Plaza Nueva y Plaza de Orrego . Si bien desde sus inicios tuvo relevancia histórica, no fue sino a partir de fines de los años 1860 cuando comenzó a cobrar mayor importancia y se convirtió en uno de los principales centros sociales de l
          Read more

          In PowerPoint, is there a keyboard shortcut for bulleted / numbered list?

          Image
          .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box; } 2 OneNote has two useful keyboard shortcuts for bulleted and numbered lists, namely Ctrl + . and Ctrl + - . Is there something similar for PowerPoint where the work with lists is also very common? Haven't found anything here: Use keyboard shortcuts in PowerPoint. keyboard-shortcuts microsoft-powerpoint share | improve this question edited Aug 14 '14 at 14:49 Linger 2,826 10 28 40
          Read more

          How to put 3 figures in Latex with 2 figures side by side and 1 below these side by side images but in...

          Image
          1 0 I want to put 3 images in LateX such as 2 figures are side by side horizotally and 3rd figure below these 2 side by side figures but in middle. I have following code: begin{figure}[H] centering begin{minipage}{.5textwidth} centering includegraphics[width=.50linewidth]{Text/Images/Genelec_8010_AP.jpg} captionof{figure}{Genelec 8010 AP} label{fig:Genelec 8010} end{minipage}% begin{minipage}{.5textwidth} centering includegraphics[width=.69linewidth]{Text/Images/Genelec_8020_CPM.jpg} captionof{figure}{Genelec 8020 CPM} label{fig:Genelec 8020} end{minipage}% end{figure} %%Here is my 3rd picture code begin{figure} centering includegraphics[width=5cm]{Text/Images/Genelec_8030_BPM.jpg} caption{Genelec 8030 BPM} label{fig:Genelec 8030} end{figure} I want to ask ho
          Read more