Bypass ASLR+NX Part 1






Hi guys today i will explain how to bypass ASLR and NX mitigation technique if you dont have any knowledge about ASLR and NX you can read it in Above link i will explain it but not in depth

ASLR:Address Space Layout randomization : it's mitigation to technique to prevent exploitation of memory by make Address randomize not fixed as we saw in basic buffer overflow exploit it need to but start of buffer in EIP and Redirect execution to execute your shellcode but when it's random it will make it hard to guess that start of buffer random it's only in shared library address we found ASLR in stack address ,Heap Address.

NX: Non-Executable it;s another mitigation use to prevent memory from execute any machine code(shellcode) as we saw in basic buffer overflow  you  put shellcode in stack and redirect EIP to begin of buffer to execute it but this will not work here this mitigation could be bypass by Ret2libc exploit technique use function inside binary pass it to stack and aslo they are another way   depend on gadgets inside binary or shared library this technique is ROP Return Oriented Programming i will  make separate article .


After we get little info about ASLR and NX now it's time to see how we can bypass it, to bypass ASLR there are many ways like Ret2PLT use Procedural Linkage Table contains a stub code for each global function. A call instruction in text segment doesnt call the function (‘function’) directly instead it calls the stub code(func@PLT) why we use Return in PLT because it'not randomized  it's address know before execution itself  another technique is overwrite GOT and  brute-forcing this technique use when the address partial randomized like 2 or 3 bytes just randomized .


in this article i will explain technique combine Ret2plt and some ROP gadgets and Ret2libc see let divided it
first find Ret2PLT


vulnerable code




we compile it with following Flags



now let check ASLR it's enable it






as you see in above image libc it's randomized but it could be brute-force it


now let open file in gdb



now it's clear NX was enable it now let fuzzing binary .

we create pattern and we going to pass to  binary  to detect where overflow occur









now we can see they are pattern in EIP we use another tool to find where overflow occurred.




1028 to overwrite EBP if we add 4bytes we going control EIP and we can redirect our execution.






now we have control EIP .

ok after we do basic overflow steps now we need way let us to bypass ASLR+NX .

first find functions PLT in binary file.



we find strcpy and system PLT now how we going to build our exploit depend on two methods just.
second we must find writable section in binary file to fill it and use system like to we did in traditional Ret2libc.





first think in .bss section is use by compilers and linkers for the  part  of the data segment containing static allocated variables that are not initialized .

 after that we will use strcpy to write string in .bss address but what address ?
ok let back to function we find it in PLT strcpy as we know we will be use to write string and system to execute command but will can;t find /bin/sh in binary file we have another way is to look at binary.





now we have string address  it's time to combine all pieces we found it.

1-use strcpy to copy from SRC to DEST SRC in this case it's our string "sh" and DEST   it's our writable area ".bss" but we need to chain two method strcpy and system we look for gadgets depend on our parameters in this case just we need pop pop ret.



we chose 0x080484ba does't matter  register name  we need just two pop .
2-after we write string  we use system like we use it in Ret2libc but in this case "/bin/sh" will be .bss address.

final payload

strcpy+ppr+.bss+s
strcpy+ppr+.bss+1+h
system+dump+.bss

Final Exploit











BOOm we got Shell somtime you need to chain many technique to get final exploit to bypass more than one mitigation.

Thanks for Reading  see you  in another article




Comments

Post a Comment

Popular posts from this blog

python input vulnerability

PHP Serialization