- Complete title: Position-independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure
- PDF: 0304b6d21644bb73a71459198fc7349c32a8e061_pirop_eurosp18.pdf
Most of the time, you need either a leak or a side-channel to bypass ASLR. The paper claims that you don't, provided you have a non-linear relative memory write (OOB access on arrays, type confusion, use-after-free, …). The exploitation process is divided into 4 phases:
- Stack massaging: during function calls, (randomized) values, arguments, code pointers, … are pushed on the stack and never cleared. The goal of this step is to make the program write useful data and pointers on the stack.
- Patch the least-significant bits of the code pointers on the stack, since those bits aren't usually subject to ASLR.
- Patch the least-significant bits of the data/operands on the stack. We now have a complete ROP chain: data plus pointers to gadgets.
- Jump to the payload location to execute it.
Although no code is published, the authors demonstrate their exploits on YouTube for CVE-2012-5976 (Asterisk) and kinda-CVE-2016-1977 (Firefox).
This approach bypasses more or less any randomisation-based mitigation, since code must stay aligned for performance reasons, which leaves the low bits of code pointers untouched.
The paper is well written and full of interesting thoughts and details; you should read it.