ASLRay is a Linux ELF x32/x64 ASLR DEP/NX bypass exploit tool with stack-spraying.
Properties:
ASLR bypass
DEP/NX bypass
Cross-platform
Minimalistic
Simplicity
Unpatchable
Dependencies:
Linux 2.6.12+ - would work on any x86-64 Linux-based OS
BASH - the whole script
Limitations:
The stack needs to be executable (-z execstack) for x64
Binary has to be exploited through arguments locally (not file, socket, or input)
No support for other architectures and OSes (TODO)
Need to know the buffer limit/size
You might have heard of Heap Spraying attack. Well, Stack Spraying is similar. However, it was considered unpractical for most cases, especially ASLR on x86-64.
My work will prove the opposite.
For 32-bit, there are 2^32 (4 294 967 296) theoretical addresses. Nevertheless, the kernel will allow controlling about only half of bits (2^(32/2) = 65 536) for an execution in a virtualized memory, which means that if we control more than 50 000 characters in stack, we are almost sure to point to our shellcode, regardless the address, thanks to kernel redirection and retranslation. According to my tests, even 100 or 10 characters are enough if the called function doesn't contain other variable creations, which will allow an ROP-style attack.
This can be achieved using shell variables, which aren't limited to a specific length, but the practical limit is about one hundred thousand. Otherwise, it will saturate the TTY.
So, to successfully exploit any shellcode, we need to put a NOP sled following the shellcode into a shell variable and just exploit the binary with a random address. Note that a NOP sled isn't necessary; this is just to universalize the exploit.
In a 64-bit system, the situation is different, but not so much as my discovery.
Of course, you wouldn't have to cover all 2^64 possibilities. The kernel allows only 48 bits, plus some of them are predictable and static, leaving us with about 2^(4x8+5) (137 438 953 472) possibilities.
I have mentioned the shell variable's size limit. Still, there is also a count limit, which appears to be about 10, thus allowing us to stock a 1,000,000-character shellcode, leaving us with just some tenth of thousand possibilities that can be tested rapidly and automatically. This time, however, you will need to brute force and use NOP-sleds to make things quicker.
That said, ASLR on both 32 and 64-bits can be easily bypassed in a few minutes and with a few lines of shell...
The DEP/NX, on the other hand, can be bypassed on x32 using return-to-libc technique by coupling it with statistical studies of different OSes, more specifically, their ASLR limitations and implementations, which can lead to successful exploitation for 2 reasons. The first one is being ASLR, not so random in its choice and has some constants and poor entropy (easy to guess libC address, and each OS has its constants). The second one is spraying the shell argument for libC into the environment (easy to find and pass it to libC).
To conclude, DEP/NX on 32-bits is weakened because of ASLR.
A more detailed description can be found in the Hakin9-12-14
Source code and additional information can be found here: https://github.com/cryptolok/ASLRay