Check ASLR entropy
import pathlib
import subprocess
import tempfile
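# C probe that dumps its own /proc/self/maps and the address of a local in
# main(); it is compiled and run repeatedly below to see which address bits
# move between runs. Kept as a string so the script is self-contained.
PROBE_SOURCE = '''
#include<stdio.h>
char buf[10000];
int main() {
void* val;
FILE* f = fopen("/proc/self/maps", "r");
if (f == NULL) return 1;
/* read at most sizeof(buf)-1 bytes: buf is zero-initialised, but filling
   all 10000 bytes would leave no NUL for puts() and it would read past
   the end of the array */
fread(buf, 1, sizeof(buf) - 1, f);
fclose(f);
puts(buf);
printf("%llx stackvar\\n", (unsigned long long)&val);
return 0;
}
'''

# Number of probe runs; every bit that varies in at least one of them counts
# as randomised, so more runs lower the chance of missing a bit.
SAMPLES = 100


def _build_probe(workdir: pathlib.Path) -> pathlib.Path:
    """Compile PROBE_SOURCE inside *workdir* and return the binary's path.

    *workdir* must be private to this process (tempfile creates it 0700).
    Building and running from a fixed name under world-writable /tmp would
    let any other local user pre-plant or swap the source or the binary
    between the compile step and the runs, and the script would then execute
    their code.

    Raises subprocess.CalledProcessError when gcc fails, instead of carrying
    on and failing later with a confusing "no such file" on the run.
    """
    src = workdir / "exp.c"
    exe = workdir / "exp"
    src.write_text(PROBE_SOURCE)
    # argument list, not a shell string: nothing here needs a shell, and the
    # paths are then never re-parsed by one
    subprocess.run(["gcc", str(src), "-o", str(exe)], check=True)
    return exe


def _hex_before(lines: list[bytes], needle: bytes, sep: bytes | None) -> int:
    """Return the hex number that precedes *sep* on the first line containing *needle*.

    *sep* of None splits on whitespace (bytes.split default).

    Raises RuntimeError when no line matches, naming the missing marker — a
    truncated maps dump (probe buffer too small) shows up here rather than as
    a bare StopIteration.
    """
    for line in lines:
        if needle in line:
            return int(line.split(sep)[0], 16)
    raise RuntimeError(f"probe output has no line containing {needle!r}")


def _sample_probe(exe: pathlib.Path) -> dict[str, int]:
    """Run the probe once and return the addresses it reported.

    Keys: "binary" (start of the first mapping listed — assumed to be the
    executable itself, as the original script did; verify on layouts where
    something maps lower), "heap", "libc", "stack" (start of the respective
    mapping) and "stackvar" (address of a local in the probe's main()).

    Raises RuntimeError when the output lacks one of the expected lines and
    subprocess.CalledProcessError when the probe exits non-zero.
    """
    lines = subprocess.check_output([str(exe)]).splitlines()
    if not lines:
        raise RuntimeError("probe produced no output")
    return {
        "binary": int(lines[0].split(b"-")[0], 16),
        "heap": _hex_before(lines, b"[heap]", b"-"),
        "libc": _hex_before(lines, b"libc.so.6", b"-"),
        "stack": _hex_before(lines, b"[stack]", b"-"),
        "stackvar": _hex_before(lines, b"stackvar", None),
    }


binary_addrs = []
heap_offsets = []
libc_addrs = []
stack_addrs = []
stackvar_addrs = []

# Build and run inside a private temporary directory that is removed again
# when sampling is done (see _build_probe for why not /tmp/exp).
with tempfile.TemporaryDirectory(prefix="aslr-probe-") as _workdir:
    _probe = _build_probe(pathlib.Path(_workdir))
    for _ in range(SAMPLES):
        _sample = _sample_probe(_probe)
        binary_addrs.append(_sample["binary"])
        # the heap is recorded as an offset from the binary, so what gets
        # reported is the entropy of its placement relative to the
        # executable, not of its absolute address
        heap_offsets.append(_sample["heap"] - _sample["binary"])
        libc_addrs.append(_sample["libc"])
        stack_addrs.append(_sample["stack"])
        stackvar_addrs.append(_sample["stackvar"])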
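def _varying_bits(addrs: list[int]) -> int:
    """Return a mask of the bit positions (0..63) that differ between samples.

    A bit is counted as randomised when it is 1 in at least one sample and 0
    in at least one other; (OR of all samples) & ~(AND of all samples) is
    exactly that set. An empty or single-element list yields 0.
    """
    any_set = 0
    all_set = -1
    for addr in addrs:
        any_set |= addr
        all_set &= addr
    return (any_set & ~all_set) & ((1 << 64) - 1)


def print_entropy(addrs: list[int]) -> None:
    """Print how many address bits were seen to vary, plus the mask and base.

    The reported "entropy" is the number of bit positions that took both
    values across the samples. It is an empirical lower bound on the bits
    ASLR randomises, not a measure of how uniformly they are distributed:
    with few samples a randomised bit can stay constant by chance and be
    missed, and a biased bit is counted at face value. The base is the
    first sample with the varying bits cleared.

    Raises ValueError if *addrs* is empty (the original failed with a bare
    IndexError on addrs[0]).
    """
    if not addrs:
        raise ValueError("print_entropy needs at least one address sample")
    mask = _varying_bits(addrs)
    # bin().count() instead of int.bit_count() so the script also runs on
    # Python 3.9
    print(f"entropy: 2^{bin(mask).count('1')}")
    print(f" mask: {hex(mask).rjust(14)}")
    print(f" base: {hex(addrs[0] & ~mask).rjust(14)}")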
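# Print the kernel version first so a result can be tied to the kernel that
# produced it. Read the file in Python instead of spawning `cat`: a child
# process writes straight to fd 1 and bypasses Python's stdout buffer, so
# with stdout piped the version line could be emitted after the results.
with open("/proc/version") as _version:
    print(_version.read(), end="")

# One section per sampled region, in the original order; labels are the
# same strings as before so existing output parsers keep working.
for _label, _addrs in (
    ("binary address", binary_addrs),
    ("heap offsets", heap_offsets),
    ("libc address", libc_addrs),
    ("stack address", stack_addrs),
    ("stack variable address", stackvar_addrs),
):
    print(f"\n{_label} entropy:")
    print_entropy(_addrs)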
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
binary address entropy:
entropy: 2^34
mask: 0x3ffffffff000
base: 0x400000000000
heap offsets entropy:
entropy: 2^14
mask: 0x3fff000
base: 0x0
libc address entropy:
entropy: 2^24
mask: 0x1fffffe00000
base: 0x600000000000
stack address entropy:
entropy: 2^22
mask: 0x3fffff000
base: 0x7ffc00000000
stack variable address entropy:
entropy: 2^30
mask: 0x3fffffff0
base: 0x7ffc00000000
Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
binary address entropy:
entropy: 2^34
mask: 0x3ffffffff000
base: 0x400000000000
heap offsets entropy:
entropy: 2^14
mask: 0x3fff000
base: 0x0
libc address entropy:
entropy: 2^32
mask: 0xffffffff000
base: 0x700000000000
stack address entropy:
entropy: 2^22
mask: 0x3fffff000
base: 0x7ffc00000000
stack variable address entropy:
entropy: 2^30
mask: 0x3fffffff0
base: 0x7ffc00000000