alwin.berger/FRET-LibAFL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
FRET-LibAFL/utils/noaslr/README.md
WorksButNotTested 07047cb3bb
Added noaslr (#1333)
2023-06-30 20:37:48 +02:00

5.9 KiB
Raw Permalink Blame History

NOASLR

noaslr is a launcher for running applications with ASLR disabled without having to disable the feature system-wide.

libnoaslr is a dynamic shared object which can be injected into an application at startup using LD_PRELOAD which will cause it to disable ASLR.

Also included is demo an application which reads and prints the contents of the file passed as its single argument. By passing /proc/self/maps as its argument it can be observed that the application loads at the same default address each time it is run.

Test

App

$ cargo make run

Library

$ cargo make runlib

Example

App

$ ./target/debug/noaslr ./target/debug/demo -- /proc/self/maps

Library

$ LD_PRELOAD=target/debug/libnoaslr.so ./target/debug/demo /proc/self/maps

Output

...

555555554000-55555556d000 r--p 00000000 fd:03 78381550 /home/jon/git/LibAFL/utils/noaslr/target/debug/demo 55555556d000-5555556a1000 r-xp 00019000 fd:03 78381550 /home/jon/git/LibAFL/utils/noaslr/target/debug/demo 5555556a1000-5555556ee000 r--p 0014d000 fd:03 78381550 /home/jon/git/LibAFL/utils/noaslr/target/debug/demo 5555556ee000-5555556fb000 r--p 00199000 fd:03 78381550 /home/jon/git/LibAFL/utils/noaslr/target/debug/demo 5555556fb000-5555556fc000 rw-p 001a6000 fd:03 78381550 /home/jon/git/LibAFL/utils/noaslr/target/debug/demo 5555556fc000-55555571d000 rw-p 00000000 00:00 0 [heap] 7ffff7d74000-7ffff7d76000 rw-p 00000000 00:00 0 7ffff7d76000-7ffff7d98000 r--p 00000000 fd:03 9972607 /usr/lib/x86_64-linux-gnu/libc-2.31.so 7ffff7d98000-7ffff7f10000 r-xp 00022000 fd:03 9972607 /usr/lib/x86_64-linux-gnu/libc-2.31.so 7ffff7f10000-7ffff7f5e000 r--p 0019a000 fd:03 9972607 /usr/lib/x86_64-linux-gnu/libc-2.31.so 7ffff7f5e000-7ffff7f62000 r--p 001e7000 fd:03 9972607 /usr/lib/x86_64-linux-gnu/libc-2.31.so 7ffff7f62000-7ffff7f64000 rw-p 001eb000 fd:03 9972607 /usr/lib/x86_64-linux-gnu/libc-2.31.so 7ffff7f64000-7ffff7f68000 rw-p 00000000 00:00 0 7ffff7f68000-7ffff7f69000 r--p 00000000 fd:03 9972611 /usr/lib/x86_64-linux-gnu/libdl-2.31.so 7ffff7f69000-7ffff7f6b000 r-xp 00001000 fd:03 9972611 /usr/lib/x86_64-linux-gnu/libdl-2.31.so 7ffff7f6b000-7ffff7f6c000 r--p 00003000 fd:03 9972611 /usr/lib/x86_64-linux-gnu/libdl-2.31.so 7ffff7f6c000-7ffff7f6d000 r--p 00003000 fd:03 9972611 /usr/lib/x86_64-linux-gnu/libdl-2.31.so 7ffff7f6d000-7ffff7f6e000 rw-p 00004000 fd:03 9972611 /usr/lib/x86_64-linux-gnu/libdl-2.31.so 7ffff7f6e000-7ffff7f74000 r--p 00000000 fd:03 9972655 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so 7ffff7f74000-7ffff7f85000 r-xp 00006000 fd:03 9972655 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so 7ffff7f85000-7ffff7f8b000 r--p 00017000 fd:03 9972655 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so 7ffff7f8b000-7ffff7f8c000 r--p 0001c000 fd:03 9972655 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so 7ffff7f8c000-7ffff7f8d000 rw-p 0001d000 fd:03 9972655 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so 7ffff7f8d000-7ffff7f91000 rw-p 00000000 00:00 0 7ffff7f91000-7ffff7f94000 r--p 00000000 fd:03 9961835 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7f94000-7ffff7fa6000 r-xp 00003000 fd:03 9961835 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7fa6000-7ffff7faa000 r--p 00015000 fd:03 9961835 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7faa000-7ffff7fab000 r--p 00018000 fd:03 9961835 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7fab000-7ffff7fac000 rw-p 00019000 fd:03 9961835 /usr/lib/x86_64-linux-gnu/libgcc_s.so.1 7ffff7fac000-7ffff7fae000 rw-p 00000000 00:00 0 7ffff7fc8000-7ffff7fc9000 ---p 00000000 00:00 0 7ffff7fc9000-7ffff7fcb000 rw-p 00000000 00:00 0 7ffff7fcb000-7ffff7fce000 r--p 00000000 00:00 0 [vvar] 7ffff7fce000-7ffff7fcf000 r-xp 00000000 00:00 0 [vdso] 7ffff7fcf000-7ffff7fd0000 r--p 00000000 fd:03 9972533 /usr/lib/x86_64-linux-gnu/ld-2.31.so 7ffff7fd0000-7ffff7ff3000 r-xp 00001000 fd:03 9972533 /usr/lib/x86_64-linux-gnu/ld-2.31.so 7ffff7ff3000-7ffff7ffb000 r--p 00024000 fd:03 9972533 /usr/lib/x86_64-linux-gnu/ld-2.31.so 7ffff7ffc000-7ffff7ffd000 r--p 0002c000 fd:03 9972533 /usr/lib/x86_64-linux-gnu/ld-2.31.so 7ffff7ffd000-7ffff7ffe000 rw-p 0002d000 fd:03 9972533 /usr/lib/x86_64-linux-gnu/ld-2.31.so 7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack] ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]


# About
## APP
`noaslr` does the following:
* Uses the `personality` API to set the flag `ADDR_NO_RANDOMIZE`.
* Uses the `execve` API to launch the child application.

## Lib
`libnoasl` does the following:
* Uses rusts `ctor` crate to define a function as `__attribute__((constructor))`
* Uses the `personality` API to determine if the flag `ADDR_NO_RANDOMIZE` is set
* If the flag is set, the constructor returns, otherwise...
* Uses the `personality` API again to set the flag
* Reads the program arguments from `/proc/self/cmdline`
* Reads the program environment variables from `/proc/self/environ`
* Uses the `execvpe` API to re-launch the application

# Usage

Tool launching applications with ASLR disabled

Usage: noaslr [-- ...]

Arguments: Name of the application to launch

[ARGS]... Arguments passed to the target

Options: -h, --help Print help (see a summary with '-h')

-V, --version Print version