Collaborate Disseminate
ASLR allows to randomize the base address of userspace applications. In Linux, the length of the randomized part of the mmap address can be specified via the kernel build config. It is bound by the minimum and maximum values of the respect… Continue reading Downsides of increased ASLR entropy
I heard that android introduced aslr starting with android 5. However, if it worked as designed, it would not be able to work on user devices with CVE2023-21250, which was patched in July of this year.
Is there a structural flaw in Android… Continue reading Android ASLR has structure flaw?
Let’s assume we have this simple program:
void main() {
int x;
printf("%p", &x);
}
Assuming the stack is mapped something like this:
0x007ffffffdd000 0x007ffffffff000 0x00000000000000 rw- [stack]
I might get an outp… Continue reading Where do stack pointer differences to stack base originate from on Linux?
I am trying to bypass the ASLR using the returntoplt attack for this I have to use a gadget pop rdi; ret I was able to find this gadget in __libc_csu_inint but for some reason whenever I use this address it gets corrupted in the stack. I c… Continue reading _libc_csu_init address is getting corrupted in x86_64
I’ve been working with Buffer Overflow attacks, and I would like to know if there is another method for Stack-Randomization beside the ASLR method.
Continue reading which methods are used beside ASLR for Stack-Randomization?
I have read about ASLR and understand that it randomizes the location in memory where an executable is loaded every time it is run.
But I have a doubt, take an example of an elf executable. It tells where the program should be loaded in vi… Continue reading How does ASLR work
We build OpenSSL in FIPS mode, to be used as a DLL. According to the OpenSSL FIPS module (https://www.openssl.org/docs/fips/UserGuide-1.2.pdf), we supply a parameter to the compiler –with-baseaddr=0xFB00000. This parameter allows an integ… Continue reading OpenSSL 1.0.2, for 32 bit FIPS, is doing a base-address verification. Where and how is that implemented?
We all know that DEP and ASLR are memory corruption protection mechanisms,
My Question is where can i find an entire list of all the protection mechanisms ?
And if there’s a way to check the presence of each protection mechanism in a Windo… Continue reading What are the memory corruption protections mechanisms other than DEP and ASLR?
The majority of my cyber security background comes in the form of web application vulnerability testing, and whilst I do have a degree of prior experience in studying and performing application exploitations it has been several years since… Continue reading Are buffer overflow and similar attacks still possible?
I have this program that uses ASLR and it leaks information when i overflow a buffer, namely the address of printf. Furthermore i can overwrite the return address. How can i use this to spawn a shell? My approach would have been to calcul… Continue reading How to exploit with Control over return address and knowing the address of printf