ASLR:Address Space Layout randomization : it’s mitigation to technique to prevent exploitation of memory by make Address randomize not fixed as we saw in basic buffer overflow exploit it need to but start of buffer in EIP and Redirect execution to execute your shellcode but when it’s random it will make it hard to guess that start of buffer random it’s only in shared library address we found ASLR in stack address ,Heap Address.
NX: Non-Executable it;s another mitigation use to prevent memory from execute any machine code(shellcode) as we saw in basic buffer overflow you put shellcode in stack and redirect EIP to begin of buffer to execute it but this will not work here this mitigation could be bypass by Ret2libc exploit technique use function inside binary pass it to stack and aslo they are another way depend on gadgets inside binary or shared library this technique is ROP Return Oriented Programming i will make separate article .
After we get little info about ASLR and NX now it’s time to see how we can bypass it, to bypass ASLR there are many ways like Ret2PLT use Procedural Linkage Table contains a stub code for each global function. A call instruction in text segment doesnt call the function (‘function’) directly instead it calls the stub code(func@PLT) why we use Return in PLT because it’not randomized it’s address know before execution itself another technique is overwrite GOT and brute-forcing this technique use when the address partial randomized like 2 or 3 bytes just randomized .
in this article i will explain technique combine Ret2plt and some ROP gadgets and Ret2libc see let divided it
first find Ret2PLT
we compile it with following Flags
now let check ASLR it’s enable it
as you see in above image libc it’s randomized but it could be brute-force it
now let open file in gdb
now it’s clear NX was enable it now let fuzzing binary .
we create pattern and we going to pass to binary to detect where overflow occur
now we can see they are pattern in EIP we use another tool to find where overflow occurred.
1028 to overwrite EBP if we add 4bytes we going control EIP and we can redirect our execution.
now we have control EIP .
ok after we do basic overflow steps now we need way let us to bypass ASLR+NX .
first find functions PLT in binary file.
we find strcpy and system PLT now how we going to build our exploit depend on two methods just.
second we must find writable section in binary file to fill it and use system like to we did in traditional Ret2libc.
first think in .bss section is use by compilers and linkers for the part of the data segment containing static allocated variables that are not initialized .
after that we will use strcpy to write string in .bss address but what address ?
ok let back to function we find it in PLT strcpy as we know we will be use to write string and system to execute command but will can;t find /bin/sh in binary file we have another way is to look at binary.
now we have string address it’s time to combine all pieces we found it.
1-use strcpy to copy from SRC to DEST SRC in this case it’s our string «sh» and DEST it’s our writable area «.bss» but we need to chain two method strcpy and system we look for gadgets depend on our parameters in this case just we need pop pop ret.
we chose 0x080484ba does’t matter register name we need just two pop .
2-after we write string we use system like we use it in Ret2libc but in this case «/bin/sh» will be .bss address.
we got Shell somtime you need to chain many technique to get final exploit to bypass more than one mitigation.