item 3646159 (no title)

mpakes | 14 years ago
Return-to-libc (a.k.a. ret2libc) is usually used to bypass NX-bit / DEP, but NX was disabled for level04 - the solution does not require return-to-libc.

icebraining | 14 years ago
But it did have ASLR enabled, right? I didn't get how to bypass that without ret2libc. I think I'll try again tomorrow morning and see what I missed.

rzhou | 14 years ago
On 32-bit machines, you can disable mmap randomization (and thus library randomization) using ulimit -s unlimited. Also, there's another useful place you can return to that isn't in libc.

mpakes | 14 years ago
ASLR is enabled, yes. ASLR actually makes ret2libc much more difficult to pull off (esp. on 64-bit platforms), because the location of libc.so itself is randomized.