Note: This post is quite theoretical (yuk!) but I’ll work on providing a hands-on demo sometime in the future. Also given the current mitigations in Windows, you’ll need much more than bypassing ASLR
What is ASLR?
Address space layout randomization (ASLR) is a memory protection techniques that tries to prevent an attacker from creating a reliable exploit. What it does is simple, a binary is loaded at a different base address in memory upon restart (or reboot for OS dlls). It also randomizes the base addresses for memory segments like the heap and the stack. This makes it harder for attackers to guess the correct address.
ASLR was introduced in Windows Vista and is in all newer versions. To make use of it, the executable needs to be compiled with /DYNAMICBASE option as well. OS dlls have that by default.
A way to see this taking place is by attaching an executable supporting ASLR (WinRAR in example below). Attach it to OllyDbg and go to the memory tab (ALT+M).
Note that the he higher two bytes get randomized, lower ones don’t.
How does it make exploitation harder?
Most exploits require a way to redirect execution to the payload, this can be done by many different ways. What all these techniques got in common is finding an instruction that will “trigger” the payload by jumping to the address. Since addresses are hard coded they won’t work after restart/reboot/different machine.
JMP ESP instruction is located at
0x12345678 in test.dll, upon restart, address is now located at
Next I’ll discuss 4 (more like 3) techniques on bypassing ASLR, each with pros, cons and study cases if any.
1. Abusing non-ASLR enabled libraries
Programmers make mistakes, to make full use of ASLR, all loaded libraries need to be supporting it. If a single module doesn’t you can make use of it by finding search that library for the needed instruction to jump to your shellcode.
- CoolPlayer+ Portable 2.19.6 - ‘.m3u’ Stack Overflow (Egghunter + ASLR Bypass), can be found here.
2. Partial EIP overwrite
Since you control EIP, you also control how much of EIP you want to overwrite. As already mentioned, ASLR only randomizes the higher two bytes, what if you can make use of that and only overwrite the lower 2 bytes?
Example: DLL is loaded at
0xAABB0000, if you overwrite only the lower two bytes (thanks to small endianness) you can basically control EIP to jump anywhere in
- Big pool to search for the needed instruction from (16^4).
- Can’t use bad characters.
- MS07-017, more info can be found here.
2.1 Single byte overwrite
Sometimes a character gets appended to your string, for example a null byte. This will mess up with the previous technique as when you try to overwrite the lower 2 bytes of EIP it becomes
0xAA00XXYY instead of
Although this limits the possibility of finding a proper instruction, you might still be able to get away with a single byte.
0xAABB00FF for possible instructions that can be used to land you your shellcode. 256 combinations aren’t a lot so good luck with that.
- It’s not over yet.
- Very small search space (0x00 to 0xFF)
- Still can’t use bad characters.
3. Bruteforcing address space
Since we know that only the 2 higher bytes are randomized, what if we try to bruteforce all the possible combination? This method is risky (might crash the service), slow and adds a lot of overhead.
- Unless the higher bytes contain a bad char, it should work.
- Large search space (
- Huge overhead, service might crash and not restart.
- Still can’t use bad characters.
- Samba 2.2.8 (Linux x86) - ‘trans2open’ Overflow (Metasploit), can be found here.
4. Memory leak
5. Information Disclosure bug
6. Ultra-luck mode
Needed instruction is found at all the addresses in format
0x0001XXYY, … ,
- Very cool.
- Doesn’t work.
That’s it! I’ll work on a demo to utilize those techniques in the future.