Linux (x86) Exploit development Series 6: bypassing ASLR with RETURN-TO-PLT

What is ASLR?

Address Space layout randomization (ASLR) is a exploit mitigation technique that randomizes

• Stack address.
• Heap address.
• Shared Library address.

#echo 2 >/proc/sys/kernel/randomize_va_space

LIBC base address would get randomized.

Note: Only libc base address was randomized, offset of a particular function from its base address always remains constant!! Hence If we can bypass shared library base address randomization, vulnerable programs can be successfully exploited (using Below three techniques) even when ASLR is turned on!!

• RETURN-TO-PLT (this post)
• Brute Force (Part 2)
• GOT Overwrite and GOT dereference (Part 3)

What is RETURN-TO-PLT?

In the technique instead of returning to a libc function (whose address was randomized), attacker returns to a function ' s PLT (whose address is not randomized–its address was known prior to execution itself). Since ' [email protected] ' is not randomized, attacker no more needs to predict libc base address instead he can simply RET Urn to ' [e-mail protected] ' inorder to invoke ' function '.

What is the PLT, how does invoking ' [email protected] ' invokes ' function '?

Unlike a static library, the text segment of a shared library is shared by multiple processes, and only the data segment is unique to each process. This design reduces memory and disk usage. Because the text segment is shared by multiple processes, the text segment has only read and Execute permissions, so the dynamic linker cannot reposition the data symbols and function addresses within the text segment. How does the dynamic linker reposition shared library symbols at run time without modifying the text segment? , which is achieved through pic.

What is pic?

Pic was developed for such a thing-he ensured that the text segment of the shared library was used by each process without having to consider the redirection problem at load time. Pic is done in an indirect way--the text segment of a shared library does not contain an absolute virtual address, but rather a specific table of data segments. This table holds the absolute virtual addresses of global symbols and functions. The dynamic linker populates the table during the redirection process. In this case, you only need to modify the data segment when redirecting, without affecting the text segment

The dynamic linker uses the following two ways of redirecting global symbols and functions

Global offset Table (GOT): The Global offset table contains four-byte entries for each global variable, and the four bytes contain the address of the global variable. When a code snippet's instruction refers to a global variable, it does not use the absolute virtual address of the global variable, but instead points to an entry in the Got. This got entry is redirected by the dynamic linker when the shared library is loaded. In this way, pic indirectly redirects the global symbol through this table.

Process junction table (PLT): Plt contains a piece of code for each global function. The function call of the text segment does not call the function directly, but instead calls the pile program ([email protected]). This piece of code, with the help of the dynamic linker, resolves the address of the function and copies it to got, which occurs only the first time the function is called, and if the function is called again (called the Pile Code), the pile code will not parse the function address, but instead get the address of the function directly from the got and then jump over. Thus PIC uses this table to the relocate function addresses with the level of indirection.

This technique requires that the program use the functions we need to have [email protected]

Linux (x86) Exploit development Series 6: Using RETURN-TO-PLT to bypass ASLR