Return TO LIBC attack with ASLR enabled binary.
So the First thing which comes in our mind is that what is ASLR???
ASLR stands for “Address space layout randomization”. It is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities, designed to prevent the buffer overflow attacks. In order to prevent an attacker from reliably jumping to ESP, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
But How it affects our conventional Buffer overflow attacks???
Conventionally, in normal buffer overflow, what we try to do is that, we sends a payload in a pattern. Like, first we send bunch of A’s until EIP, then at EIP, we sends an address in reverse order like \xaf\x11\x50\x62 and then our payload (or reverse shell), which means we sends bunch of A’s until EIP, and then in EIP(which is of 4 chars), we send an address, which is the address of JMP ESP, as we want to jump to ESP to execute our payload, so we are jumping at ESP, which is done by sending this command in hex to EIP, and after sending this command, we sends our payload, which means after reaching to ESP, we want it to execute our shell, as ESP is the stack pointer which points towards top of stack.
But when ASLR is enabled, it randomizes the address, which means we can’t give the address of JMP ESP to EIP to execute that command, because ASLR randomizes these addresses, which means every-time we execute that binary, we will get a new address of JMP ESP, which means we can’t give that address to execute our payload.
How to find if ASLR is enabled or not??
Execute this command:
→ ldd (name of binary) | grep libc
Run this command multiple times and note the results. If the address in the results are changing every-time you execute the command, it means that ASLR is enabled there.
So how to overcome this??
So to overcome this, what we does is that we uses a method “return to libc”.
What is libc??
In very simple language, libc is the standard library for the C programming language, which has predefined classes and methods as a conventional library. C uses this library to import pre-defined functions, commands.
So, in this return to libc method, instead of giving the address of JMP ESP, we gives the address of pre-defined functions of the commands which we want to execute.
So, instead of executing JMP ESP on EIP followed by our shell code, what we does here is that in EIP, we directly executes “system /bin/bash” to escalate our privileges.
How we executes it??
As we know about libc, which is a standard library for C language, we uses the
address of the functions such as system, /bin/bash, and exit, and pass them in EIP to execute. So we executes the command in the order
system → exit → /bin/bash
So to execute them, we are giving the address of these functions from libc to EIP.
To find the addresses of these 3 functions, you can do:
For SYSTEM:
> readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
For EXIT:
> readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
For /bin/sh:
> strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
We gives the addresses of system, exit and /bin/bash by adding their address in base address of libc.
But a problem is here in this situation.
As we understood that we had to use system /bin/bash and also found the address of the same, but as ASLR is enabled in the machine, we can’t take the base address of libc directly to put in our script, as it will change next time we executes it.
So to overcome that, there is an option of brute-forcing for the addresses. We had to run this command multiple times to notice the change, as the change is minor, only of 2–3 bits. To check the same, use the same command as we used to check the existence of ASLR.
> ldd ./ovrflw | grep libc
Here we observes that only 2 and 3 bits are changing, so we can brute-force it to hit the correct address.
Suppose we run the command “ldd ./ovrflw | grep libc” and observes that only 2 bits are changing continuously. So in that case, we can calculate that one bit can change from 0-F, having 15 places, then 2 bits will give a combination of 15*15=225. So we had to ran our script 225 times to hit the correct one.
We randomly picks an address by running this command “ldd ./ovrflw | grep libc”, and assign it to the base address of libc in our script. And then we ran our script 225 times. As in 225 times, it will surely gone through that number which we had given to our base address of libc.
We can understand it as, we had 225 options for address field. Now we ran and note a address before running our script and assign it to base address of libc. And then ran our script 225 times, which means that in 225 different and total combination, it will surely have a combination which we had given to the base address of libc before. So whenever it touches that address, the address will match with the address we already using as base address, and it will execute our command of system /bin/bash and give us a root shell.
An example of a script for the same is given below
I hope you are able to understand how ASLR can be bypass.
