
Thread: Disabling ASLR does not work, libraries still being loaded at random base addresses

  1. #1 (Junior Member, joined Nov 2017, 5 posts)

    Disabling ASLR does not work, libraries still being loaded at random base addresses

    I have a program that I'm using to demo a return-into-libc exploit. Every time I run it in GDB the libc and ld shared objects are loaded at different base addresses despite ASLR being disabled system wide. I can't figure out why this would be. I'm running Kali Linux 2017-02, GCC 7.2.1, GDB 7.12 with PEDA.

    This is the output of two consecutive runs of the same program in the same GDB session.

    Code:
    gdb-peda$ vmmap
    Start      End        Perm  Name
    0x00400000 0x00401000 r-xp  /root/Example3.1D.exe
    0x00401000 0x00402000 r--p  /root/Example3.1D.exe
    0x00402000 0x00403000 rw-p  /root/Example3.1D.exe
    **0xb7d7a000** 0xb7f2b000 r-xp  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f2b000 0xb7f2d000 r--p  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f2d000 0xb7f2e000 rw-p  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f2e000 0xb7f31000 rw-p  mapped
    0xb7f51000 0xb7f54000 rw-p  mapped
    0xb7f54000 0xb7f57000 r--p  [vvar]
    0xb7f57000 0xb7f59000 r-xp  [vdso]
    **0xb7f59000** 0xb7f7c000 r-xp  /lib/i386-linux-gnu/ld-2.24.so
    0xb7f7c000 0xb7f7d000 r--p  /lib/i386-linux-gnu/ld-2.24.so
    0xb7f7d000 0xb7f7e000 rw-p  /lib/i386-linux-gnu/ld-2.24.so
    0xbffdf000 0xc0000000 rw-p  [stack]
    And

    Code:
    gdb-peda$ vmmap
    Start      End        Perm  Name
    0x00400000 0x00401000 r-xp  /root/Example3.1D.exe
    0x00401000 0x00402000 r--p  /root/Example3.1D.exe
    0x00402000 0x00403000 rw-p  /root/Example3.1D.exe
    **0xb7db4000** 0xb7f65000 r-xp  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f65000 0xb7f67000 r--p  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f67000 0xb7f68000 rw-p  /lib/i386-linux-gnu/libc-2.24.so
    0xb7f68000 0xb7f6b000 rw-p  mapped
    0xb7f8b000 0xb7f8e000 rw-p  mapped
    0xb7f8e000 0xb7f91000 r--p  [vvar]
    0xb7f91000 0xb7f93000 r-xp  [vdso]
    **0xb7f93000** 0xb7fb6000 r-xp  /lib/i386-linux-gnu/ld-2.24.so
    0xb7fb6000 0xb7fb7000 r--p  /lib/i386-linux-gnu/ld-2.24.so
    0xb7fb7000 0xb7fb8000 rw-p  /lib/i386-linux-gnu/ld-2.24.so
    0xbffdf000 0xc0000000 rw-p  [stack]
    For proof that ASLR is disabled:

    Code:
    gdb-peda$ aslr
    ASLR is OFF
    gdb-peda$ checksec
    CANARY    : disabled
    FORTIFY   : disabled
    NX        : ENABLED
    PIE       : ENABLED
    RELRO     : Partial
    And

    Code:
    root@kali:~# cat /proc/sys/kernel/randomize_va_space
    0
    I tested this on an older version of Kali, 2016-02 with GDB 7.11, using the same binary (not recompiled), and the libraries load at the same address every time with ASLR disabled. So is there some other function in Kali that would force randomization of library base addresses besides ASLR? Thanks.
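
A quick way to confirm what the two vmmap listings above show, without a debugger in the loop, is to launch a fresh process several times and compare where each file-backed object lands. The script below is an added example and is not code from the original post; it parses the `/proc/<pid>/maps` format (not gdb-peda's `vmmap` output), reads `randomize_va_space` the same way the post does, and flags any object whose base address differs between runs. The two embedded samples are constructed: they are the post's two listings rewritten in `/proc` maps syntax, with device and inode fields made up. With `randomize_va_space` at `0` (or GDB's `ADDR_NO_RANDOMIZE` personality in effect) every base should be identical across runs, so any object the script reports as moving is being relocated by something other than ASLR.

```python
#!/usr/bin/env python3
"""Added example: check whether shared-object base addresses stay fixed
across process launches, and report the system-wide ASLR sysctl.
Parses /proc/<pid>/maps lines (not gdb-peda's vmmap format)."""
import re
import subprocess

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perm>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample input: the post's two vmmap listings rewritten in
# /proc/<pid>/maps syntax (device and inode values are made up).
SAMPLE_RUN_1 = """\
00400000-00401000 r-xp 00000000 08:01 1001 /root/Example3.1D.exe
b7d7a000-b7f2b000 r-xp 00000000 08:01 2001 /lib/i386-linux-gnu/libc-2.24.so
b7f2b000-b7f2d000 r--p 001b1000 08:01 2001 /lib/i386-linux-gnu/libc-2.24.so
b7f59000-b7f7c000 r-xp 00000000 08:01 2002 /lib/i386-linux-gnu/ld-2.24.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_RUN_2 = """\
00400000-00401000 r-xp 00000000 08:01 1001 /root/Example3.1D.exe
b7db4000-b7f65000 r-xp 00000000 08:01 2001 /lib/i386-linux-gnu/libc-2.24.so
b7f65000-b7f67000 r--p 001b1000 08:01 2001 /lib/i386-linux-gnu/libc-2.24.so
b7f93000-b7fb6000 r-xp 00000000 08:01 2002 /lib/i386-linux-gnu/ld-2.24.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""


def library_bases(maps_text):
    """Return {path: lowest mapping start} for every file-backed mapping."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):      # skip [stack], [vdso], anonymous maps
            continue
        start = int(m.group("start"), 16)
        if path not in bases or start < bases[path]:
            bases[path] = start
    return bases


def varying_objects(runs):
    """Given one base dict per run, return {path: sorted distinct bases}
    for every object whose base was not identical in all runs."""
    seen = {}
    for bases in runs:
        for path, start in bases.items():
            seen.setdefault(path, set()).add(start)
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def read_randomize_va_space(path="/proc/sys/kernel/randomize_va_space"):
    """Read the sysctl (0 = off, 1 = mmap/stack/vdso, 2 = also brk); None if unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def collect_runs(n=5):
    """Launch n fresh processes and collect their library bases from /proc/self/maps."""
    runs = []
    for _ in range(n):
        proc = subprocess.run(["cat", "/proc/self/maps"],
                              capture_output=True, text=True, check=True)
        runs.append(library_bases(proc.stdout))
    return runs


def demo():
    """Run the comparison over the constructed samples (no /proc needed)."""
    return varying_objects([library_bases(SAMPLE_RUN_1), library_bases(SAMPLE_RUN_2)])


if __name__ == "__main__":
    print("randomize_va_space =", read_randomize_va_space())
    moved = varying_objects(collect_runs())
    if not moved:
        print("all file-backed mappings had identical bases across runs")
    for path, bases in moved.items():
        print(f"{path}: bases differ: {', '.join(hex(b) for b in bases)}")
```

Run it as root or as the user whose processes you want to observe; on the post's samples it reports libc and ld as moving while the main executable stays at `0x400000`, which is exactly the pattern the thread describes. Running it both with and without `setarch -R` (which sets the same personality flag GDB uses) separates a per-process ASLR problem from a system-wide one.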

  2. #2 (Junior Member, joined Nov 2017, 5 posts)
    Turns out this was a bug in kernel 4.12. Upgrading to 4.13 resolved it.

  3. #3 (Senior Member, joined Oct 2016, location /dev/sda, 731 posts)
    Your problem was very professional. I'm glad it fixed itself.
