While doing binary exploitation and studying the case when ASLR is enabled, I noticed I could make a reliable exploit by leaking an address of a function in the binary and finding the address of system in libc by adding a constant offset to that function.

So the binary is e.g. loaded at 0xb7719000, the function is at 0xb7719bc7. libc is loaded at 0xb753c000 and system is at 0xb757c190.

ASLR is enabled:

$ cat /proc/sys/kernel/randomize_va_space
2

The binary is compiled as PIE:

gdb-peda$ checksec
CANARY    : ENABLED
FORTIFY   : disabled
NX        : ENABLED
PIE       : ENABLED
RELRO     : FULL

My question revolves around the fact that I can use a leaked address in the binary to reliably calculate the address of system (which was practical, but I do not understand why).

Is the address difference between libc and the binary always a constant, even when ASLR is enabled and for a PIE executable? One would intuitively think that both the binary and libc would be randomized separately, and thus have a non-constant difference.

galoget
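One way to test the question's premise directly, as an added example that is not part of the post: parse /proc/<pid>/maps dumps from several runs of the same PIE program and check whether the libc-to-binary distance is the same every time (a constant distance means one leaked binary address fixes the libc layout, which is exactly what the question observed). The maps excerpts are constructed from the addresses quoted in the question, and the live check assumes /bin/cat is a PIE executable on the machine it runs on.

```python
import re
import subprocess

# Fields of a /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+\S+\s+\S+\s+\S+\s+\S+\s*(.*)$")
LIBC_RE = re.compile(r"^libc[-.]")  # libc.so.6 or libc-2.23.so, but not libcrypto

def parse_bases(maps_text, binary_name):
    """Return (binary_base, libc_base): the lowest mapping start of each image."""
    bases = {}
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m or not m.group(3):
            continue  # anonymous mapping, nothing to attribute
        start, name = int(m.group(1), 16), m.group(3).rsplit("/", 1)[-1]
        if name == binary_name:
            key = "binary"
        elif LIBC_RE.match(name):
            key = "libc"
        else:
            continue
        bases[key] = min(bases.get(key, start), start)
    return bases.get("binary"), bases.get("libc")

def libc_deltas(map_dumps, binary_name):
    """libc_base - binary_base for each run; all equal means a constant offset."""
    return [libc - binary for binary, libc in
            (parse_bases(d, binary_name) for d in map_dumps)]

def is_constant(values):
    return len(set(values)) == 1

# Constructed maps excerpts: run A uses the addresses quoted in the question; run B is
# the same 32-bit layout shifted by 0x100000 (what a constant delta across runs looks like).
RUN_A = """b7719000-b771a000 r-xp 00000000 08:01 1234 /home/user/vuln
b771a000-b771b000 r--p 00000000 08:01 1234 /home/user/vuln
b753c000-b76e9000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc-2.23.so
"""
RUN_B = """b7819000-b781a000 r-xp 00000000 08:01 1234 /home/user/vuln
b763c000-b77e9000 r-xp 00000000 08:01 5678 /lib/i386-linux-gnu/libc-2.23.so
"""

def live_deltas(runs=5):
    """Real measurement: each cat prints its own maps (assumes /bin/cat is a PIE)."""
    dumps = [subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                            text=True, check=True).stdout for _ in range(runs)]
    return libc_deltas(dumps, "cat")

if __name__ == "__main__":
    print("constructed:", [hex(d) for d in libc_deltas([RUN_A, RUN_B], "vuln")])
    print("live cat   :", [hex(d) for d in live_deltas()])
```

On a 64-bit system the live run normally prints differing deltas; a list of identical values means the two images are placed at a fixed distance, so a single leak from either one reveals both.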

0 Answers