Check aslr entropy
import subprocess | |
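# Source of the probe binary. Each run prints its own /proc/self/maps
# followed by the address of a stack local, so every exec gives the Python
# side one fresh sample of where ASLR placed the binary, heap, libc and stack.
_PROBE_SRC = '''
#include<stdio.h>
char buf[10000];
int main() {
    void* val;
    FILE* maps = fopen("/proc/self/maps", "r");
    if (maps == NULL) return 1;
    /* leave one byte unread so buf stays NUL-terminated for puts() */
    fread(buf, 1, sizeof buf - 1, maps);
    puts(buf);
    printf("%llx stackvar\\n", (unsigned long long)&val);
    return 0;
}
'''

# NOTE: fixed, predictable paths in a world-writable directory; a private
# tempfile.mkdtemp() directory would avoid clashes with files another user
# may have planted there. Kept because the sampling loop below executes
# the binary at exactly this path.
_PROBE_C = "/tmp/exp.c"
_PROBE_BIN = "/tmp/exp"

with open(_PROBE_C, "w") as src:
    src.write(_PROBE_SRC)
# No shell needed for a fixed argv; check=True stops the script on a
# compile failure instead of sampling a stale or missing binary.
subprocess.run(["gcc", _PROBE_C, "-o", _PROBE_BIN], check=True)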
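def _first_hex_field(lines, needle, sep=None):
    """Return the leading hex field of the first line containing needle.

    Args:
        lines: byte lines of one probe run's output.
        needle: bytes substring that identifies the wanted line.
        sep: separator handed to bytes.split() to isolate the leading
            field; None splits on whitespace (used for the "stackvar"
            line), b'-' for /proc/self/maps address ranges.

    Returns:
        The leading field parsed as a base-16 int.

    Raises:
        ValueError: if no line contains needle, e.g. when the C library is
            not mapped under the name "libc.so.6" on this system.
    """
    for line in lines:
        if needle in line:
            return int(line.split(sep)[0], 16)
    raise ValueError(f"probe output has no line containing {needle!r}")


SAMPLES = 100

binary_addrs = []
heap_offsets = []
libc_addrs = []
stack_addrs = []
stackvar_addrs = []
for _ in range(SAMPLES):
    # One exec per sample: the layout is re-randomised for every new process.
    lines = subprocess.check_output(["/tmp/exp"]).splitlines()
    if not lines:
        raise RuntimeError("probe binary produced no output")
    # The first maps line is taken as the binary's lowest mapping.
    binary_addr = int(lines[0].split(b'-')[0], 16)
    heap_addr = _first_hex_field(lines, b"[heap]", b'-')
    libc_addr = _first_hex_field(lines, b"libc.so.6", b'-')
    stack_addr = _first_hex_field(lines, b"[stack]", b'-')
    stackvar_addr = _first_hex_field(lines, b"stackvar")
    binary_addrs.append(binary_addr)
    # The heap is recorded relative to the binary base rather than as an
    # absolute address, so only its own randomisation is measured.
    heap_offsets.append(heap_addr - binary_addr)
    libc_addrs.append(libc_addr)
    stack_addrs.append(stack_addr)
    stackvar_addrs.append(stackvar_addr)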
def print_entropy(addrs): | |
res = 0 | |
for bit in range(64): | |
if len(set([addr >> bit & 1 for addr in addrs])) == 2: | |
res += 2**bit | |
log_entropy = res.bit_count() | |
print(f"entropy: 2^{log_entropy}") | |
print(f" mask: {hex(res).rjust(14)}") | |
print(f" base: {hex(addrs[0] & ~res).rjust(14)}") | |
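# Print the kernel identification first: the masks below only describe
# this kernel build and its configuration, so they must be read together.
# /proc/version is read directly; spawning `cat` through a shell added
# nothing.
with open("/proc/version") as version:
    print(version.read(), end="")

_REPORT = [
    ("binary address", binary_addrs),
    ("heap offsets", heap_offsets),
    ("libc address", libc_addrs),
    ("stack address", stack_addrs),
    ("stack variable address", stackvar_addrs),
]
for label, addrs in _REPORT:
    print(f"\n{label} entropy:")
    print_entropy(addrs)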
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2 | |
binary address entropy: | |
entropy: 2^34 | |
mask: 0x3ffffffff000 | |
base: 0x400000000000 | |
heap offsets entropy: | |
entropy: 2^14 | |
mask: 0x3fff000 | |
base: 0x0 | |
libc address entropy: | |
entropy: 2^24 | |
mask: 0x1fffffe00000 | |
base: 0x600000000000 | |
stack address entropy: | |
entropy: 2^22 | |
mask: 0x3fffff000 | |
base: 0x7ffc00000000 | |
stack variable address entropy: | |
entropy: 2^30 | |
mask: 0x3fffffff0 | |
base: 0x7ffc00000000 |
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2 | |
binary address entropy: | |
entropy: 2^34 | |
mask: 0x3ffffffff000 | |
base: 0x400000000000 | |
heap offsets entropy: | |
entropy: 2^14 | |
mask: 0x3fff000 | |
base: 0x0 | |
libc address entropy: | |
entropy: 2^32 | |
mask: 0xffffffff000 | |
base: 0x700000000000 | |
stack address entropy: | |
entropy: 2^22 | |
mask: 0x3fffff000 | |
base: 0x7ffc00000000 | |
stack variable address entropy: | |
entropy: 2^30 | |
mask: 0x3fffffff0 | |
base: 0x7ffc00000000 |