Buffer overflow Mona modules all show Rebase SafeSEH ASLR True

Almost every beginner (noob-friendly) tutorial written for stack-based buffer overflows explains that, when using the mona module to locate a safe, reliable memory address for our EIP to JMP to our shellcode, the module should have Rebase, SafeSEH and ASLR disabled.


However, in a recent stack-based buffer overflow challenge, all the modules mona listed showed they were protected, except for the executable itself.

I used a module (DLL) that mona showed as having those protections to JMP to my shellcode, and my shellcode executed successfully, which really confused me.

If the executable itself is not protected, does that mean we can use any DLL to JMP to our shellcode? If not, what is the proper way to handle this situation?

Bypass ASLR in buffer overflow

I am new to buffer overflows and I have some questions:

0- Are all DLL files in Windows loaded into memory, or only some of them? If only some, who tells Windows to load this one and leave that one?

1- How does an .exe program know the memory locations of a DLL’s functions after it (the program) has become an exe file (0,1)? // While ASLR is enabled and the location changes every time Windows reboots

2- Why don’t we use its method to find the location of a (call/jmp esp) in a buffer overflow when ASLR is enabled?

3- I want resources to study the basics of how an OS works and the reverse engineering that a pentester needs, not a malware analyst or reverse engineer.

ASLR doesn’t work?

I have following code:

#include <stdio.h>
#include <stdlib.h>

int main(void) {
    int *ptr1 = malloc(16);      /* heap allocation, address should vary under ASLR */
    int val1 = 0x12345678;       /* stack local, address should vary under ASLR */
    printf("stack: %p\nheap: %p\n", (void *)&val1, (void *)ptr1);
    free(ptr1);
    return 0;
}

Compilation: gcc -fpie -pie main.c

I wanted to test how ASLR behaves under a debugger, so I started a gdb session, broke at main and ran the program. At main I show the memory layout using ‘info proc mappings’:

And those values should be randomized, as far as I know, due to ASLR. But every time I re-run the program those values remain the same. I’m using CentOS 8, x86_64. I also disabled built-in kernel ASLR with ‘echo 0 > /proc/sys/kernel/randomize_va_space’, but I don’t think it matters.

I also checked whether ASLR is enabled using checksec:

Is it normal behavior or am I missing something?

EDIT: I saw that when I run the binary without gdb everything works totally fine. What can I do to make it work under the debugger?
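An added check script (not part of the original post) for verifying that the stack and heap addresses printed by the program above actually change between runs, both natively and under gdb. It assumes the compiled binary is ./a.out, that gdb is installed, and that gdb's default of disabling ASLR for its inferior is switched off with ‘set disable-randomization off’.

```python
"""Verify that ASLR randomizes the addresses the posted program prints.
Assumes the binary is ./a.out and prints 'stack: 0x...' / 'heap: 0x...'."""
import re
import subprocess
from typing import Dict, List

ADDR_RE = re.compile(r"^(stack|heap):\s*(0x[0-9a-fA-F]+)", re.MULTILINE)

# gdb disables ASLR for the debugged process by default; this re-enables it.
GDB_CMD = ["gdb", "-q", "-batch",
           "-ex", "set disable-randomization off",
           "-ex", "run", "--args"]


def parse_addresses(output: str) -> Dict[str, int]:
    """Extract the region -> address pairs from one run's output."""
    return {name: int(hexval, 16) for name, hexval in ADDR_RE.findall(output)}


def regions_that_vary(outputs: List[str]) -> Dict[str, bool]:
    """For each region, True if its address differed across the given runs."""
    seen: Dict[str, set] = {}
    for out in outputs:
        for region, addr in parse_addresses(out).items():
            seen.setdefault(region, set()).add(addr)
    return {region: len(addrs) > 1 for region, addrs in seen.items()}


def run_many(binary: str, runs: int = 5, under_gdb: bool = False) -> List[str]:
    """Run the binary several times (optionally inside gdb) and collect stdout."""
    cmd = (GDB_CMD + [binary]) if under_gdb else [binary]
    return [subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
            for _ in range(runs)]


if __name__ == "__main__":
    for under_gdb in (False, True):
        outs = run_many("./a.out", under_gdb=under_gdb)
        print("under gdb:" if under_gdb else "native:", regions_that_vary(outs))
```

With randomize_va_space at 0 every region reports False in both modes; with it at 2 and the binary built as PIE, both stack and heap should report True natively and under gdb once disable-randomization is off.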

Bypassing ASLR using information leaks

Most of my questions were answered in this post: ASLR bypass with info leak

However, I just want to know the process of getting the memory address from the information leak to then using it in the final exploit.

It seems to me that there is a two step process involved:

  1. Use the first exploit to target a vulnerability and get a memory address (printed to screen? What are the other ways?)

  2. “Copy and paste”? the address into the second exploit, where it will compute the required offsets and send the second exploit, all this while the targeted process is still running (from step 1).

So it requires either some manual or automated method to pass the memory address from step 1 to step 2.

The part that I don’t quite understand is how one gets the information from step 1 and passes it to step 2.

Can ASLR (Address Space Layout Randomization) be implemented within applications?

I am familiar with the concept of ASLR being used by a kernel to load the heap, stack, and data segments of a program at unpredictable addresses. However, in his BlueHat 2019 talk, Microsoft security engineer Matt Miller mentioned that Microsoft Office and Microsoft Edge implement ASLR. How exactly does an application implement ASLR?

Below is the video of the talk, linked to start at time index 11:30 when he mentions ASLR in Office and Edge.