No-stack-execute and ASLR return-to-X method
https://docs.google.com/document/d/1XyBFHFK__IZR2R9MsLNeo-71PUMR7pbEYEw5UvYQeOg/edit
Loosening restrictions
Loosening our exploit assumptions:
- ASLR
- No Stack Execute (NX)
Cases covered:
- ASLR off, NX off
- ASLR on, NX off (1st part)
- ASLR off, NX on (2nd part)
- ASLR on, NX on
First part: ASLR on, NX off
After enabling ASLR, the start address of the exploit code is different on every run, so the fixed-address jump no longer works and we need a different strategy.
However, even with ASLR on, the exploit code we pass into the program is still on the stack (for example in the caller's or the callee's frame), so its position relative to the current stack pointer is stable even though its absolute address is not.
With gdb and that relative offset we can locate that piece of exploit code.
Payload layout: 28 bytes (exploit code, padded to that size) + ret*(padding size) + pop-ret
The pop-ret sequence transfers control to the exploit code on the stack (in the caller's frame); this only works because NX is off and the stack is still executable.
Second part: ASLR off, NX on
With NX on, nothing injected onto the stack can run, so instead find the address of an existing function in the program (for example one that opens a shell) and set the return address to that function; with ASLR off, that address is the same on every run.
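The two parts above hinge on which mitigations are actually in effect: NX is recorded per binary in the ELF PT_GNU_STACK program header, and ASLR only randomises a binary's base when it is position-independent (ET_DYN) and the host has randomize_va_space enabled. The checker below is an added example written for this page, not code from the original notes or lab; it parses those ELF fields with Python's standard struct module, reads the host ASLR level, and builds a synthetic ELF64 image (constructed sample input, not a real binary) so it runs offline. The treatment of a missing PT_GNU_STACK header as "NX off" is a conservative assumption of this example, since the kernel's fallback is architecture-specific.

```python
import struct

# ELF constants (from the ELF64 specification / Linux headers)
PT_GNU_STACK = 0x6474E551   # program header that records the requested stack permissions
PF_X = 0x1                  # executable bit in p_flags
ET_EXEC = 2                 # fixed-address executable: the kernel cannot relocate it
ET_DYN = 3                  # position-independent executable: ASLR can randomise its base


def parse_elf64_mitigations(data: bytes) -> dict:
    """Inspect a 64-bit little-endian ELF image and report NX / PIE status.

    'nx' is True only when a PT_GNU_STACK header is present without PF_X.
    A missing PT_GNU_STACK header is reported as nx=False; that is a
    conservative assumption made for this example, not kernel behaviour.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles 64-bit little-endian ELF only")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_present = False
    stack_executable = True  # conservative default if no PT_GNU_STACK is found
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            gnu_stack_present = True
            stack_executable = bool(p_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": gnu_stack_present and not stack_executable,
        "gnu_stack_present": gnu_stack_present,
    }


def system_aslr_level(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Return the host ASLR setting (0 = off, 1 = partial, 2 = full) or None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def build_test_elf(e_type: int, stack_flags=None) -> bytes:
    """Construct a minimal synthetic ELF64 image (header + optional PT_GNU_STACK).

    Constructed sample input for this example: it has no code or sections.
    """
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, v1
    phnum = 0 if stack_flags is None else 1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,   # e_type, e_machine (x86-64), e_version
        0x1000, 64, 0,     # e_entry, e_phoff (right after the header), e_shoff
        0, 64, 56, phnum,  # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,          # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = b""
    if stack_flags is not None:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def describe(data: bytes) -> str:
    """One-line summary matching the notes' 'ASLR on/off, NX on/off' cases."""
    m = parse_elf64_mitigations(data)
    return "NX %s, PIE %s" % ("on" if m["nx"] else "off", "on" if m["pie"] else "off")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1] + ":", describe(f.read()))
    else:
        print("synthetic PIE + RW stack image:", describe(build_test_elf(ET_DYN, 0x6)))
        print("synthetic non-PIE + RWX stack image:", describe(build_test_elf(ET_EXEC, 0x7)))
    print("system randomize_va_space:", system_aslr_level())
```

Run it with a path to a lab binary to see which of the four cases you are in; run it with no arguments to see the two synthetic images. A binary reporting "NX off" is the first-part situation (injected stack code can run), while "NX on" forces the second-part approach of returning into existing code, and a PIE binary on a host with randomize_va_space at 2 is the hardest combination because neither the stack nor the program's own functions sit at a fixed address.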