ASLR
Address Space Layout Randomization
ASLR randomizes the locations of the stack and the heap.
aslr on
sudo sysctl -w kernel.randomize_va_space=2
aslr off
sudo sysctl -w kernel.randomize_va_space=0
On 32-bit it can be disabled with
ulimit -s unlimited
The reason is in arch/x86/mm/mmap.c:
static int mmap_is_legacy(void)
{
    /* personality(ADDR_COMPAT_LAYOUT) forces the legacy layout */
    if (current->personality & ADDR_COMPAT_LAYOUT)
        return 1;
    /* an unlimited stack rlimit (ulimit -s unlimited) also forces it */
    if (rlimit(RLIMIT_STACK) == RLIM_INFINITY)
        return 1;
    /* otherwise follow the vm.legacy_va_layout sysctl */
    return sysctl_legacy_va_layout;
}
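As an added example (not from the page and not kernel code), the following Python mirrors the mmap_is_legacy() decision above and audits the live inputs on the current system. ADDR_COMPAT_LAYOUT = 0x0200000 is the value from <linux/personality.h>; the persona is read with personality(0xffffffff), which returns the current value without changing it. The /proc/sys paths and the audit() report keys are this example's own choices.

```python
import ctypes
import resource

# ADDR_COMPAT_LAYOUT from <linux/personality.h>
ADDR_COMPAT_LAYOUT = 0x0200000
RLIM_INFINITY = resource.RLIM_INFINITY


def mmap_is_legacy(personality, stack_soft_limit, legacy_va_layout):
    """Mirror of the kernel's mmap_is_legacy(): True means the process gets
    the legacy (bottom-up, non-randomized base) mmap layout because
    - the persona has ADDR_COMPAT_LAYOUT set, or
    - the RLIMIT_STACK soft limit is unlimited (ulimit -s unlimited), or
    - the vm.legacy_va_layout sysctl is non-zero."""
    if personality & ADDR_COMPAT_LAYOUT:
        return True
    if stack_soft_limit == RLIM_INFINITY:
        return True
    return bool(legacy_va_layout)


def _read_sysctl(path):
    """Read an integer sysctl from /proc/sys; None if unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def _current_personality():
    """personality(0xffffffff) queries the persona without changing it."""
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        libc.personality.argtypes = [ctypes.c_ulong]
        libc.personality.restype = ctypes.c_int
        value = libc.personality(0xFFFFFFFF)
        return value if value >= 0 else None
    except (OSError, AttributeError):
        return None


def audit():
    """Collect the live inputs and report which layout the kernel would pick
    for a process started with this environment (assumed report layout)."""
    persona = _current_personality() or 0
    stack_soft, _ = resource.getrlimit(resource.RLIMIT_STACK)
    legacy = _read_sysctl("/proc/sys/vm/legacy_va_layout") or 0
    randomize = _read_sysctl("/proc/sys/kernel/randomize_va_space")
    return {
        "personality_compat": bool(persona & ADDR_COMPAT_LAYOUT),
        "stack_unlimited": stack_soft == RLIM_INFINITY,
        "legacy_va_layout": legacy,
        "randomize_va_space": randomize,
        "legacy_mmap_layout": mmap_is_legacy(persona, stack_soft, legacy),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it once normally and once after `ulimit -s unlimited` in the launching shell: the second run reports legacy_mmap_layout: True even with randomize_va_space still at 2, which is the effect the note describes. Newer kernels add a random offset to the legacy mmap base as well, so on an up-to-date system a legacy layout no longer implies a fixed library base; the audit still shows which code path applies.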
Many attacks on ASLR exist including brute force, even on 64 bit systems. http://www.tapironline.no/last-ned/1081
solution
- ret2libc
- On 32-bit:
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7 _ _ _ 000)
Usually only 3 hex digits change, so it can be brute-forced.
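To check the "only 3 digits change" claim on a real system rather than take it on faith, the libc base can be collected from /proc/<pid>/maps over several runs and the bits that actually vary counted. The following is an added example, not code from the page or the referenced wiki; the maps snapshots and the four sample bases are constructed here so it runs offline, and live_libc_base() is the only part that touches the real system.

```python
import os
import re

# Constructed sample: libc bases observed over four runs of a 32-bit binary,
# chosen so that only the three hex digits between 0xf7 and 000 differ.
SAMPLE_BASES = [0xF7000000, 0xF7FFF000, 0xF7D2A000, 0xF7E41000]

LIBC_NAME = re.compile(r"^libc[.-]")  # matches libc.so.6 and libc-2.xx.so, not libcrypto


def make_maps(libc_base):
    """Build a constructed /proc/<pid>/maps snapshot with libc at libc_base."""
    return "\n".join([
        "08048000-08049000 r-xp 00000000 08:01 393219     /home/user/vuln",
        "08049000-0804a000 rw-p 00000000 08:01 393219     /home/user/vuln",
        f"{libc_base:08x}-{libc_base + 0x1f000:08x} r--p 00000000 08:01 1052   /lib/i386-linux-gnu/libc.so.6",
        f"{libc_base + 0x1f000:08x}-{libc_base + 0x19c000:08x} r-xp 0001f000 08:01 1052   /lib/i386-linux-gnu/libc.so.6",
        "ffdd0000-ffdf1000 rw-p 00000000 00:00 0          [stack]",
    ]) + "\n"


def libc_base(maps_text):
    """Lowest start address of any mapping backed by libc, or None."""
    starts = []
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue  # anonymous mapping without a path
        if LIBC_NAME.match(os.path.basename(fields[5])):
            starts.append(int(fields[0].split("-")[0], 16))
    return min(starts) if starts else None


def varying_mask(bases):
    """Mask of address bits that differed across the observed bases."""
    mask = 0
    for base in bases[1:]:
        mask |= base ^ bases[0]
    return mask


def entropy_bits(mask):
    """Number of varying bits; 2**bits is the candidate count for a guess."""
    return bin(mask).count("1")


def analyse(snapshots):
    """Reduce a list of maps snapshots to the observed libc-base entropy."""
    bases = [libc_base(s) for s in snapshots]
    mask = varying_mask(bases)
    bits = entropy_bits(mask)
    return {"bases": bases, "mask": mask, "bits": bits, "candidates": 1 << bits}


def live_libc_base():
    """Libc base of this interpreter, read from the real /proc/self/maps."""
    with open("/proc/self/maps") as f:
        return libc_base(f.read())


if __name__ == "__main__":
    result = analyse([make_maps(b) for b in SAMPLE_BASES])
    print(f"varying mask 0x{result['mask']:08x}, {result['bits']} bits, "
          f"{result['candidates']} candidate bases")
```

On the constructed sample the varying mask is 0x00fff000, i.e. 12 bits and 4096 candidate bases, which is exactly why the page calls this brute-forceable on 32-bit. With only a handful of live samples the mask underestimates the entropy (bits that happened not to flip are missed), so collect dozens of runs before drawing conclusions; a 64-bit process gives a far wider mask, matching the page's remark that 64-bit only makes brute force harder, not impossible.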
References
http://security.cs.pub.ro/hexcellents/wiki/kb/exploiting/home#address-space-layout-randomization