13 Cards in this Set

  • Front
  • Back
What is ASLR?
ASLR - Address Space Layout Randomization

ASLR ensures that the program's libraries and memory regions including the stack are mapped at random locations in virtual memory.

This means that the program's buffers and variables will be placed at random addresses as the stack is randomized.
How do you enable / disable ASLR on linux?
How to disable it:

# echo "0" > /proc/sys/kernel/randomize_va_space

How to enable it:

# echo "1" > /proc/sys/kernel/randomize_va_space
What are the consequences of having ASLR enabled?
You can't hardcode a memory address into an exploit unless the destination region doesn't have ASLR applied to it.
How can you tell if ASLR is enabled on the program in linux?
Many ways:

1. You can view the memory layout for each run; if ASLR is enabled, the stack address and the other randomized regions should change between runs:

cat /proc/<pid>/maps
What isn't randomized and therefore still vulnerable with ASLR enabled on most linux kernels?
1. Heap

2. text section

3. data section

4. bss section
What are some of the methods to bypass ASLR?
1. Bruteforce

2. Return into non-randomized memory:
2.1. ret2text
2.2. ret2bss
2.3. ret2data
2.4. ret2heap

3. Pointer Redirecting:
3.1. String pointers
3.2. Function pointers

4. View the aslr.pdf for the rest of the list
Explain ret2text
.text is read-only, so you can't place shellcode there, but overwriting a return address with a pointer into the .text area lets you jump into existing code. This allows you to change the program flow and call functions that shouldn't be called.

This also allows you to chain chunks of existing code into useful shellcode (see no-nx.pdf). These chunks are also called ROP gadgets.
This leads to the borrowed code technique or ROP gadgets, what are those?
Explained by Khramer in the no-nx.pdf, this is where you overwrite the return address with a pointer to a code chunk in the .text segment that ends in retn.

The idea is you chain these together and overwrite each code chunk's return with the pointer to the next code chunk.

mov eax, ebx <--- Overwrite the vuln function's return address with this address
retn         <--- This points to the next code chunk in the line

mov ebx, ecx <--- This starts to execute from the last retn
retn         <--- This points to the next code chunk

call haxed
retn

See corelan's document and mona.py for details and creation.
What tools are used to find these ROPs to create gadgets?
For Windows, I use mona.py in Immunity Debugger as this tool can create them for you.

In linux, I use msfrop.
Explain ret2bss
.bss is writable and it's not randomized with ASLR; however, you need to overflow a buffer and write your shellcode to .bss.

This could be from two different inputs, or the same input if the program saves the variable on the stack and also into global space (.bss).
Explain ret2data
Same concept as bss except data contains initialized global and initialized static local variables.
Explain ret2heap
The heap contains all dynamically created data structures, all variables which get their memory assigned by malloc.

These are not the same as heap overflows. We're only returning to the heap for its static addressing under ASLR. Otherwise it's the same as ret2bss.
Explain ret2GOT and ret2PLT
finish later