
I tried running Apache a few times to see the effect of ASLR.

I know that because of alignment the last byte and a half is 0, and because of "canonization" the first two bytes are irrelevant, so that leaves 4 and a half bytes to randomize, which is quite a lot.

But I noticed that the first two bytes are always `7fff`, so does that mean only 2 and a half bytes are random?

Aaa Bbb
  • Because of the address having to be canonical, not canonized. But yeah, sounds about right. – Peter Cordes Dec 01 '21 at 00:04
  • By comparison, [ASLR bits of Entropy of mmap()](https://stackoverflow.com/q/13826479) shows some kernel code using 28 bits of randomness for `mmap` addresses. But Linux wants the stack to be near the top of user-space virtual address space, so it fixes some of the bits. – Peter Cordes Dec 01 '21 at 10:20
  • @PeterCordes I see, it just seems weird since it can easily be bruteforced, on restarting services like Apache, if one knows a vulnerability and needs absolute addresses for his shellcode – Aaa Bbb Dec 01 '21 at 13:34
  • @AaaBbb "easily"... well 3 nibbles are 2^20 possibilities. Doesn't seem that easy to me :') – Marco Bonelli Dec 01 '21 at 15:14
  • @MarcoBonelli it's about 3 hours with a 10ms ping if my calculation is right, looks feasible if you want to exploit a vuln and need absolute addresses – Aaa Bbb Dec 01 '21 at 16:19
  • @AaaBbb 3 hours with a 10ms ping yeah, but you're ignoring the time it would take for the service to crash, possibly restart, re-read the configuration and get back online. If that takes only 1 second (which is a very optimistic estimate) you're looking at ~300h of bruteforcing. Not to talk about any firewall rules that could block such a burst of requests coming from the same IP. – Marco Bonelli Dec 01 '21 at 20:46
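An added example (not part of the question or its comments) that does the measurement the question describes empirically: collect the stack base of a freshly started process across many runs and compute which address bits actually changed. The sample addresses are constructed to match the pattern the question reports (`7fff` prefix, page-aligned low 12 bits); the live sampler assumes the Linux `/proc/<pid>/maps` format and is not called by default.

```python
"""Measure how many bits of a process's stack address ASLR actually changes."""
import re
import subprocess

# /proc/<pid>/maps line for the main stack, e.g.
# "7fff0a3c1000-7fff0a3e2000 rw-p 00000000 00:00 0    [stack]"
MAPS_STACK = re.compile(r"^([0-9a-f]+)-[0-9a-f]+ .*\[stack\]$")

# Constructed sample: stack bases shaped like the question reports them
# (upper two bytes canonical zero, then 0x7fff, low 12 bits zero for page alignment).
SAMPLE_STACK_BASES = [
    0x00007FFF0A3C1000, 0x00007FFF5E7B2000, 0x00007FFFC4910000,
    0x00007FFF8FD6E000, 0x00007FFF213F4000, 0x00007FFFD60A7000,
]

def stack_base_from_maps(maps_text):
    """Return the start address of the [stack] mapping in /proc/<pid>/maps text."""
    for line in maps_text.splitlines():
        m = MAPS_STACK.match(line.strip())
        if m:
            return int(m.group(1), 16)
    raise ValueError("no [stack] mapping found")

def random_bit_mask(addresses):
    """Bit i is set iff at least one sample differs from the first one in bit i."""
    mask = 0
    for a in addresses[1:]:
        mask |= a ^ addresses[0]
    return mask

def summarize(addresses):
    """Describe which address bits were seen to change and which never did."""
    mask = random_bit_mask(addresses)
    return {
        "random_mask": mask,
        "random_bits": bin(mask).count("1"),  # bits seen to vary; few samples understate this
        "lowest_random_bit": (mask & -mask).bit_length() - 1 if mask else None,
        "highest_random_bit": mask.bit_length() - 1 if mask else None,
        "fixed_prefix": addresses[0] & ~mask,  # bits identical in every sample
    }

def sample_live_stack_bases(runs):
    """Linux only: start a fresh process `runs` times and read its stack base."""
    bases = []
    for _ in range(runs):
        maps = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                              text=True, check=True).stdout
        bases.append(stack_base_from_maps(maps))
    return bases

if __name__ == "__main__":
    # Swap in sample_live_stack_bases(64) to measure a real Linux system.
    for key, value in summarize(SAMPLE_STACK_BASES).items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The `[stack]` mapping start is page-granular, so its low 12 bits are always zero, which is the alignment effect the question mentions; a real measurement needs enough runs that every randomized bit has a chance to flip.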

0 Answers