5

I've been reading the posts here about bypassing ASLR. On 32bit systems this appears to be trivial but I was surprised to see how trivial. It takes mere seconds to bruteforce ASLR address'. The reason seems to be that according to my tests only 12 bits actually change in the address:

export BLAH=$"/bin/sh"

BLAH will be at 0xbff5a78b
BLAH will be at 0xbf87778b
BLAH will be at 0xbfe1e78b
BLAH will be at 0xbf9f778b
BLAH will be at 0xbffc378b
BLAH will be at 0xbffd978b
BLAH will be at 0xbfa7f78b
BLAH will be at 0xbf94878b
BLAH will be at 0xbfe4378b
BLAH will be at 0xbff7978b
BLAH will be at 0xbfe4078b

It seems that on my laptop all random address' are

BF XX X7 8B

where X is a random hex. My knowledge of the low level workings of a CPU are quite limited, so why are these the only bytes that change?

Is it correct to say that on a 32bit machine there are only 16^3 = 4096 ASLR address'?

How many bits change on a 64bit system?

Juicy
  • 1,447
  • 4
  • 17
  • 33

3 Answers3

8

ASLR on 32-bit is rather limited, but I think what you're seeing is an artefact of the system ASLR bias value.

Upon boot, a bias value is randomly generated for that "instance" of Windows running. Although parts of the address may seem to be the same across instances of the same process, they're actually just fed from the bias value, and that value will change on reboot.

So, in reality, it's not really exploitable. The address base will be random enough that a drive-by exploit will likely fail, even though it doesn't change much between instances.

Polynomial
  • 135,049
  • 43
  • 306
  • 382
6

In addition to what @Polynomial explains (which may or may not apply, depending on whether you are running Windows or some other operating system), ASLR swaps around pages: that's what the MMU knows about. A page is 4 kB (on x86 processors) so the low 12 bits of addresses are not impacted by ASLR. This leaves at most 20 bits for ASLR to play with. Address space allocation issues may further reduce the number of bits that can be modified through ASLR (if the DLL are too much scattered around the address space, that may prevent allocation of a big contiguous block of free RAM -- this is known as fragmentation).

On a 64-bit OS, address space is larger; not the full 64-bit, because the CPU does not actually support it, but 44 or 45 bits can be observed (it depends both on the CPU version and the operating system brand and version). Thus, you will get a dozen extra bits randomized by ASLR.

Tom Leek
  • 172,594
  • 29
  • 349
  • 481
0

Because 12 bits is enough to provide effective, if not perfect, security.

The malware gets only one shot at injecting the buffer overflow. If it fails, the application will most like just crash without infecting the program. 12 bits of randomization means the malware will work only once every 2^12, or 4096, times. If I'm a malware author or a hacker, that means I'm very likely to fail every single time I try it.

John Deters
  • 34,205
  • 3
  • 61
  • 113