Master the fundamental concepts of binary exploitation through this focused micro-challenge.
ASLR randomizes the memory addresses used by process components: stack, heap, libraries, and (with PIE) the executable base. This makes it difficult for attackers to predict where to jump during an exploit.
Run the same program multiple times and observe that stack and libc addresses change each run. On 32-bit systems, entropy may be as low as 16 bits (~65536 positions), making brute force viable. On 64-bit, entropy is much higher.
Bypass techniques:
For example, leaking a libc address like 0x7f3a2b4c1000 lets you calculate system() at leaked_addr + known_offset.
You will print stack and libc addresses and document how an information leak defeats ASLR. Knowing one address in a memory region reveals the base, and all other addresses become base plus known offsets.
Once you leak printf at 0x7f1234567890, subtract the known offset from your libc version to get the libc base. Add the offset of system() to get its runtime address. The same technique works for stack addresses: leak a stack variable, calculate the distance to your shellcode or ROP chain. PIE requires leaking an address inside the executable to defeat code randomization too.
Implement a C program that demonstrates ASLR and information leaks.
Requirements:
Success Criteria:
Three hints are available for this task, revealed one at a time inside the code workspace so you can struggle productively before seeing them.
All starter code and reference implementations are available for your local setup.
View on Github