
I've been writing heap-based buffer overflow exploits for a deliberately vulnerable program (that I wrote). To hijack control flow, I overwrite the function's return address on the stack.

These exploits depend on the stack being at a particular (hardcoded) location.

I assumed this was OK because I disabled ASLR (I'm running Ubuntu 14.04, x86_64):

I disabled ASLR by adding kernel.randomize_va_space = 0 to my /etc/sysctl.conf and rebooting the machine. I've confirmed ASLR has been disabled through the following command:

$ cat /proc/sys/kernel/randomize_va_space
0

But the address of the stack when main begins clearly changes. To test this, I loaded the program in gdb and broke on the first asm instruction and did the following:

(gdb) p $rsp
$1 = (void *) 0x7fffffffe538

Then I rebooted and did the same:

(gdb) p $rsp
$1 = (void *) 0x7fffffffe558

Is this behavior expected? Can I disable it so that a particular binary will always have the same stack address? If not, do real exploits need to leak the stack's address to do this? Is there a common technique for this?

    I modified the question to just specifically ask about disabling stack ASLR on Linux. Modern Linux systems *do* use ASLR by default, so clearly "real" exploits have to deal with it. Disabling ASLR might make sense while playing around with something, I guess. This attracted two "belongs on superuser" close votes, but that seems weird to me. This is something you'd only do for programming reasons. – Peter Cordes May 12 '16 at 08:59
    You have disabled ASLR correctly, what you are seeing is just minor variation due to whatever is on the stack, most probably environment variables. The actual start of the stack is presumably the same, you can check with `info proc mappings`. – Jester May 12 '16 at 11:21
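An added example (not from the question or the comments) that makes the environment effect described in the comment above visible: the kernel copies the argv and envp strings to the very top of the new process's stack, so the initial stack pointer, and every local below it, moves when the total size of those strings changes. The program sums those bytes, prints the address of a local in main, then re-executes itself once with an extra padding variable so the two lines can be compared. It assumes Linux (`/proc/self/exe`) and that ASLR is off, as in the question.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Total bytes the kernel copies to the top of the new stack for one
 * NULL-terminated string vector (each string plus its terminating NUL).
 * argv and envp strings both live there, above the initial stack pointer. */
size_t vector_bytes(char *const *vec)
{
    size_t total = 0;
    for (; vec && *vec; vec++)
        total += strlen(*vec) + 1;
    return total;
}

/* Size of the padding variable added on the second run (constructed value). */
#define PAD_BYTES 64

int main(int argc, char **argv, char **envp)
{
    volatile char marker;              /* its address tracks the initial rsp */
    size_t strings = vector_bytes(argv) + vector_bytes(envp);

    printf("%s: argv+envp strings = %zu bytes, &marker = %p\n",
           getenv("PAD") ? "padded run  " : "original run",
           strings, (void *)&marker);

    if (getenv("PAD") == NULL) {
        /* Re-exec ourselves with one extra variable; the stack strings grow
         * by roughly PAD_BYTES and &marker moves down by about that much
         * (rounded to the kernel's 16-byte stack alignment on x86_64). */
        char pad[PAD_BYTES];
        memset(pad, 'x', sizeof pad - 1);
        pad[sizeof pad - 1] = '\0';
        setenv("PAD", pad, 1);
        execv("/proc/self/exe", argv);
        perror("execv");               /* only reached if the re-exec failed */
        return 1;
    }
    (void)argc;
    return 0;
}
```

Run it twice with an identical environment and the addresses match; run it as `env -i ./a.out` to see the effect of an empty environment, or under `setarch "$(uname -m)" -R ./a.out` on a machine where ASLR is still enabled.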
