Question regarding ASLR
If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?



Or the address will be the same every time because the binary itself does not have ASLR enabled?
Tags: linux exploit
      asked Dec 6 at 4:10
      Neon Flash
          1 Answer
When the process is created, it is the job of the loader to parse the ELF, allocate/map memory segments, and resolve and load libraries. The base offset for any shared object is decided by the loader at load time. But this depends on the ASLR setting of the operating system, not the binary.



          $ gcc -m32 -no-pie -fno-pic -zexecstack untitled.c -o untitled
          $ ldd ./untitled
          linux-gate.so.1 (0xf7f66000)
          libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d4b000)
          /lib/ld-linux.so.2 (0xf7f68000)
          $ ldd ./untitled
          linux-gate.so.1 (0xf7fd1000)
          libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7db6000)
          /lib/ld-linux.so.2 (0xf7fd3000)
          $ ldd ./untitled
          linux-gate.so.1 (0xf7f8f000)
          libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7d74000)
          /lib/ld-linux.so.2 (0xf7f91000)


However, once system-wide ASLR is disabled:



          $ echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
          0
          $ ldd `which cat`
          linux-vdso.so.1 (0x00007ffff7ffa000)
          libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          $ ldd `which cat`
          linux-vdso.so.1 (0x00007ffff7ffa000)
          libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)
          $ ldd `which cat`
          linux-vdso.so.1 (0x00007ffff7ffa000)
          libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7831000)
          /lib64/ld-linux-x86-64.so.2 (0x00007ffff7dd9000)


The offset of system() with respect to the libc base should remain constant for a given libc.
          edited Dec 6 at 4:54
          answered Dec 6 at 4:30
          sudhackar
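The answer's point, as an added example that is not from the original post or its author: a small Linux/glibc C program that reads its own /proc/self/maps to find where the loader placed libc, and reports the address of system() as that base plus a fixed offset. Run it a few times: with randomize_va_space set to 1 or 2 the base changes on every run while the offset stays the same; with 0 both stay put. The helpers find_libc, libc_base, system_offset and randomize_va_space are my own names, not anything from the page.

```c
/* Added example, not from the original post: locate the running process's own
 * libc mapping via /proc/self/maps and express the address of system() as
 * libc base + offset. Linux/glibc only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

struct libc_map { uintptr_t base, end; };   /* [base, end) covering all libc mappings */

/* Scan /proc/self/maps for mappings of libc.so.6 / libc-2.xx.so. The lowest
 * start address is the load base the loader chose for this run. base == 0
 * means libc was not found (static binary, non-glibc libc, or no /proc). */
struct libc_map find_libc(void) {
    struct libc_map m = {0, 0};
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps) return m;
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        const char *path = strchr(line, '/');
        if (!path) continue;                       /* [heap], [stack], anonymous */
        if (!strstr(path, "/libc.so") && !strstr(path, "/libc-")) continue;
        unsigned long start, end;
        if (sscanf(line, "%lx-%lx", &start, &end) != 2) continue;
        if (m.base == 0 || start < m.base) m.base = start;
        if (end > m.end) m.end = end;
    }
    fclose(maps);
    return m;
}

uintptr_t libc_base(void) { return find_libc().base; }

/* Offset of system() from the libc base: constant for a given libc build, no
 * matter where ASLR placed it. Returns 0 when &system does not lie inside
 * libc at all, which is what you get in a non-PIE executable, where &system
 * resolves to the PLT stub in the main binary rather than to libc's code. */
uintptr_t system_offset(void) {
    struct libc_map m = find_libc();
    uintptr_t addr = (uintptr_t)&system;
    if (m.base == 0 || addr < m.base || addr >= m.end) return 0;
    return addr - m.base;
}

/* Kernel-wide ASLR knob: 0 = off, 1 = stack/mmap/vdso, 2 = also brk; -1 if unreadable. */
int randomize_va_space(void) {
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

int main(void) {
    struct libc_map m = find_libc();
    printf("randomize_va_space = %d\n", randomize_va_space());
    printf("libc base          = 0x%" PRIxPTR "\n", m.base);
    printf("&system            = 0x%" PRIxPTR "\n", (uintptr_t)&system);
    printf("system - libc base = 0x%" PRIxPTR "\n", system_offset());
    return m.base ? 0 : 1;
}
```

Compile with plain gcc (PIE default on current distros) so that &system is libc's own address; the "system - libc base" line is the number that stays constant across runs.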
          • So are you saying that ASLR for the main binary does not matter? And only OS level ASLR setting matters?
            – Neon Flash
            Dec 6 at 4:39
          • How do you disable ASLR for any binary?
            – sudhackar
            Dec 6 at 4:42
          • My question is specifically related to the address of the system() function in libc. Since libc has PIE enabled, I understand that if the OS has ASLR enabled then it will randomize the addresses in libc? Will the address of the system() function be randomized as well?
            – Neon Flash
            Dec 6 at 4:47
          • Should I create a new question for finding "system" and "/bin/sh" address from a given libc file?
            – Neon Flash
            Dec 6 at 5:06
          • I'll mark this one as resolved.
            – Neon Flash
            Dec 6 at 5:06