pete > courses > Crash Course in System Security (CSCI 1005), Winter 2025 > Day 07


Day 08: Return-Oriented Programming

W^X

ROP

ASLR

check /proc/<pid>/maps across several runs to see the stack and libraries moving around

to disable ASLR:

$ sudo sh -c 'echo 0 > /proc/sys/kernel/randomize_va_space'

(echo 2 to re-enable it)
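A quick check that ASLR is actually in effect, as an added example (not part of the course notes): it pulls the libc and stack base addresses out of /proc/<pid>/maps and compares two fresh processes. The sample maps lines are constructed, and the libc path pattern assumes a glibc-style name such as libc.so.6.

```shell
#!/bin/sh
# Added example, not from the course notes: confirm that ASLR is really
# moving libc and the stack by parsing /proc/<pid>/maps for two processes.

# Read maps text on stdin; print the start address of the first mapping
# whose pathname column (field 6) matches the regex in $1. A maps line:
#   7f3a1c400000-7f3a1c428000 r--p 00000000 08:02 1234 /usr/lib/libc.so.6
map_base() {
    awk -v pat="$1" '$6 ~ pat { split($1, r, "-"); print r[1]; exit }'
}

# Exit 0 if the two hex bases differ (randomised), 1 if they are equal.
bases_differ() {
    [ "$1" != "$2" ]
}

# Kernel knob: 0 = off, 1 = stack/mmap/vdso only, 2 = also brk (default).
aslr_setting() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || echo unknown
}

# Each `cat /proc/self/maps` is a fresh process, so with ASLR on the libc
# base and the [stack] mapping should land somewhere else every time.
live_check() {
    a=$(cat /proc/self/maps | map_base 'libc[.-]')
    b=$(cat /proc/self/maps | map_base 'libc[.-]')
    s1=$(cat /proc/self/maps | map_base 'stack')
    s2=$(cat /proc/self/maps | map_base 'stack')
    if bases_differ "$a" "$b" && bases_differ "$s1" "$s2"; then
        echo "ASLR active: libc $a -> $b, stack $s1 -> $s2 (randomize_va_space=$(aslr_setting))"
    else
        echo "no movement: libc $a/$b, stack $s1/$s2 (randomize_va_space=$(aslr_setting))"
    fi
}

# Constructed maps excerpts for two runs with ASLR on (not real captures).
SAMPLE_RUN1='7f3a1c400000-7f3a1c428000 r--p 00000000 08:02 1234 /usr/lib/libc.so.6
7ffd5b2c0000-7ffd5b2e1000 rw-p 00000000 00:00 0 [stack]'
SAMPLE_RUN2='7f91e0a00000-7f91e0a28000 r--p 00000000 08:02 1234 /usr/lib/libc.so.6
7ffc9d5a0000-7ffc9d5c1000 rw-p 00000000 00:00 0 [stack]'

# Offline demonstration on the constructed data, then a live check if /proc exists.
printf '%s\n' "$SAMPLE_RUN1" | map_base 'libc[.-]'   # 7f3a1c400000
printf '%s\n' "$SAMPLE_RUN2" | map_base 'libc[.-]'   # 7f91e0a00000
if [ -r /proc/self/maps ]; then live_check; fi
```

Run it once with randomize_va_space at 2 and once after echoing 0 as above to see the live check flip between the two messages.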

Exercises


Explore libc #1

Recall that within libc, everything stays in the same relative locations. Assume that you have a way to find the address of the sleep function within a running process. Write a program (a shell script will likely be easiest) that takes this address as input and calculates the address of the system function within the same process. It should automate looking up the addresses of the two functions within libc; it should not hard-code the particular relative addresses of the two functions taken from the currently installed libc.

Explore libc #2

Gather a list of usable gadgets from libc (i.e., sequences of instructions that end in a ret/retq instruction). Organize them in such a way that it is easy-ish to search for desirable gadgets.

Make a ROP chain

Construct and inject a sequence of stack frames that cause an arbitrary (but intentional) sequence of ROP gadgets to be executed. That is, pick a small, random selection of gadgets and construct a ROP chain that executes them. Do so without marking the stack executable.

Do something useful with ROP

Pick a subset of gadgets, construct a chain of stack frames that causes them to be executed in sequence, and overflow a buffer to make them execute. Do so without marking the stack executable. Note that you will still need to compile with -fno-stack-protector.

Finally, turn off ASLR (see above) and make it work from the shell.

More reading

