
Disabling ASLR does not work, libraries still being loaded at random base addresses



Cryptomancer
2017-11-12, 01:38
I have a program that I'm using to demo a return-into-libc exploit. Every time I run it in GDB the libc and ld shared objects are loaded at different base addresses despite ASLR being disabled system wide. I can't figure out why this would be. I'm running Kali Linux 2017-02, GCC 7.2.1, GDB 7.12 with PEDA.

This is the output of two consecutive runs of the same program in the same GDB session.


gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00401000 r-xp /root/Example3.1D.exe
0x00401000 0x00402000 r--p /root/Example3.1D.exe
0x00402000 0x00403000 rw-p /root/Example3.1D.exe
**0xb7d7a000** 0xb7f2b000 r-xp /lib/i386-linux-gnu/libc-2.24.so
0xb7f2b000 0xb7f2d000 r--p /lib/i386-linux-gnu/libc-2.24.so
0xb7f2d000 0xb7f2e000 rw-p /lib/i386-linux-gnu/libc-2.24.so
0xb7f2e000 0xb7f31000 rw-p mapped
0xb7f51000 0xb7f54000 rw-p mapped
0xb7f54000 0xb7f57000 r--p [vvar]
0xb7f57000 0xb7f59000 r-xp [vdso]
**0xb7f59000** 0xb7f7c000 r-xp /lib/i386-linux-gnu/ld-2.24.so
0xb7f7c000 0xb7f7d000 r--p /lib/i386-linux-gnu/ld-2.24.so
0xb7f7d000 0xb7f7e000 rw-p /lib/i386-linux-gnu/ld-2.24.so
0xbffdf000 0xc0000000 rw-p [stack]

And


gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00401000 r-xp /root/Example3.1D.exe
0x00401000 0x00402000 r--p /root/Example3.1D.exe
0x00402000 0x00403000 rw-p /root/Example3.1D.exe
**0xb7db4000** 0xb7f65000 r-xp /lib/i386-linux-gnu/libc-2.24.so
0xb7f65000 0xb7f67000 r--p /lib/i386-linux-gnu/libc-2.24.so
0xb7f67000 0xb7f68000 rw-p /lib/i386-linux-gnu/libc-2.24.so
0xb7f68000 0xb7f6b000 rw-p mapped
0xb7f8b000 0xb7f8e000 rw-p mapped
0xb7f8e000 0xb7f91000 r--p [vvar]
0xb7f91000 0xb7f93000 r-xp [vdso]
**0xb7f93000** 0xb7fb6000 r-xp /lib/i386-linux-gnu/ld-2.24.so
0xb7fb6000 0xb7fb7000 r--p /lib/i386-linux-gnu/ld-2.24.so
0xb7fb7000 0xb7fb8000 rw-p /lib/i386-linux-gnu/ld-2.24.so
0xbffdf000 0xc0000000 rw-p [stack]

For proof that ASLR is disabled:


gdb-peda$ aslr
ASLR is OFF
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : ENABLED
RELRO : Partial

And


root@kali:~# cat /proc/sys/kernel/randomize_va_space
0

I tested this on an older version of Kali, 2016-02 with GDB 7.11 with the same binary (not recompiled) and the libraries load at the same address every time with ASLR disabled. So is there some other function in Kali that would force randomization of library base addresses besides ASLR? Thanks.
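A quick way to confirm the symptom described in this post without eyeballing two `vmmap` dumps is to diff the base addresses mechanically across several fresh processes. The script below is an added example, not code from the thread or from PEDA: it parses map listings in the two formats shown above (gdb-peda `vmmap` and the kernel's `/proc/<pid>/maps`), reports which named mappings change base between runs, and embeds a trimmed, constructed copy of the two listings from the question as sample data. It assumes a Linux host with `/proc` and a `cat` binary to use as the probe process.

```python
"""Verify that ASLR is really off by comparing memory maps across runs.

Added example, not code from the thread: parses map listings in gdb-peda
`vmmap` and /proc/<pid>/maps format and reports which named mappings change
base address between runs. With ASLR disabled, libc, ld.so, vdso and the
stack must come back at identical addresses every time.
Assumes Linux with /proc and a `cat` binary to spawn as the probe process.
"""
import re
import subprocess
from typing import Dict, List, Set

# gdb-peda vmmap row:   "0x00400000 0x00401000 r-xp /root/Example3.1D.exe"
_VMMAP = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s+(.*)$")
# /proc/<pid>/maps row: "b7d7a000-b7f2b000 r-xp 00000000 08:01 1234 /lib/.../libc-2.24.so"
_PROC = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def base_addresses(listing: str) -> Dict[str, int]:
    """Lowest start address of every named mapping in one listing."""
    bases: Dict[str, int] = {}
    for raw in listing.splitlines():
        line = raw.strip().replace("*", "")   # drop forum bolding such as **0xb7d7a000**
        m = _VMMAP.match(line) or _PROC.match(line)
        if not m:
            continue                          # prompt, header row or blank line
        start, name = int(m.group(1), 16), m.group(4).strip()
        if not name:
            continue                          # anonymous /proc mapping, no stable identity
        bases[name] = min(bases.get(name, start), start)
    return bases


def moving_mappings(listings: List[str]) -> Set[str]:
    """Names present in every listing whose base address is not identical across all of them."""
    per_run = [base_addresses(text) for text in listings]
    if not per_run:
        return set()
    common = set.intersection(*(set(b) for b in per_run))
    return {name for name in common if len({b[name] for b in per_run}) > 1}


def randomize_va_space() -> str:
    """Current value of the kernel ASLR sysctl, or 'unavailable' off Linux."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            return fh.read().strip()
    except OSError:
        return "unavailable"


def sample_self_maps(runs: int = 5) -> List[str]:
    """Spawn a fresh process per run and capture its own /proc/self/maps."""
    return [
        subprocess.run(["cat", "/proc/self/maps"], capture_output=True, text=True, check=True).stdout
        for _ in range(runs)
    ]


# Constructed samples: the two vmmap listings from the question, trimmed to the rows that matter.
SAMPLE_RUN_1 = """gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00401000 r-xp /root/Example3.1D.exe
**0xb7d7a000** 0xb7f2b000 r-xp /lib/i386-linux-gnu/libc-2.24.so
0xb7f57000 0xb7f59000 r-xp [vdso]
**0xb7f59000** 0xb7f7c000 r-xp /lib/i386-linux-gnu/ld-2.24.so
0xbffdf000 0xc0000000 rw-p [stack]
"""
SAMPLE_RUN_2 = """gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00401000 r-xp /root/Example3.1D.exe
**0xb7db4000** 0xb7f65000 r-xp /lib/i386-linux-gnu/libc-2.24.so
0xb7f91000 0xb7f93000 r-xp [vdso]
**0xb7f93000** 0xb7fb6000 r-xp /lib/i386-linux-gnu/ld-2.24.so
0xbffdf000 0xc0000000 rw-p [stack]
"""

if __name__ == "__main__":
    print("kernel.randomize_va_space =", randomize_va_space())
    moved = moving_mappings(sample_self_maps())
    if moved:
        print("base addresses changed between runs for:")
        for name in sorted(moved):
            print("   ", name)
    else:
        print("every named mapping came back at the same base address")
```

Run it twice: once plainly and once as `setarch $(uname -m) -R python3 aslr_check.py`, which applies the same `ADDR_NO_RANDOMIZE` personality flag that GDB's disable-randomization setting (and therefore PEDA's `aslr off`) relies on. On a healthy kernel the second run reports nothing moving; if libc and ld.so still shift with the sysctl at 0 and the personality flag set, the randomization is coming from somewhere other than the usual ASLR controls, which is exactly the situation the question describes.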

Cryptomancer
2017-11-12, 15:19
Turns out this was a bug in kernel 4.12. Upgrading to 4.13 resolved it.

_defalt
2017-11-13, 15:28
Your problem was very professional. I'm glad it fixed itself.