Hacker News new | ask | show | jobs
by dominicq 44 days ago
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable aslr with it.
2 comments
PhilipRoman 44 days ago
If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
link
stackghost 44 days ago
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
link
dominicq 44 days ago
:(

Sounds super 1337 and I hope it's actually possible somehow.

link
aa-jv 44 days ago
Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then its a matter of:

    $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...
See also: DDExec

https://github.com/arget13/DDexec

link
jeffbee 44 days ago
What legitimate purpose does this feature serve? Why should a process be able to write into the virtual memory of another process?
link
aa-jv 43 days ago
Testing and instrumentation.

This feature is used extensively in safety-critical testing procedures, for example. It is also used as a side channel for instrumenting long-running processes.

See also: debuggers and profilers, which simply wouldn't work without this capability.

I've also since learned that this feature is used in applications (e.g. Firefox) which sandbox their processes, as a means of crash-reporting when some process pisses in their sandbox, crashing ...

Sure, it 'seems' dangerous to have this capability - until you need to debug, profile, or instrument something ..

link