| description |
|---|
| 09/20/2023 |
Often described as an extension of Address Space Layout Randomization (ASLR), the Position Independent Executable (PIE) feature loads an executable at a random base address within its own address space each time it runs; because the code is position-independent, no text relocations are needed to load it there.
- PIE affects only the binary itself, nothing else.

PIE exists because exploit code commonly hard-codes addresses that stay the same from one run to the next; randomizing the load address makes attacking the binary somewhat more complicated. In other words, every time you run the binary, it is loaded at a different memory address.
This protection randomizes only the address of the binary (ELF) itself. It does not randomize libc, the stack, or the heap; that is ASLR's job. The attacker therefore has to locate gadgets and function addresses manually and use their offsets from the binary base.
Simply put, once a single address inside the binary is known, PIE can be bypassed. A common technique is to leak a binary address directly off the stack; there are other ways as well.
Because of the way PIE randomization works, the base address of a PIE-enabled binary will ALWAYS end in the hexadecimal digits `000` (the base is page-aligned). So, during exploitation, check that the base address you compute ends in `000`; if it does not, the leak or the offset is wrong.
- Specify the `-fpie` option to `gcc` when compiling
- Specify the `-pie` option to `ld` when linking
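The two practical points above, checking whether a build actually came out as a PIE and recovering the base from one leaked address with the `000` alignment rule, as an added example (not code from the original page): it reads `e_type` from the ELF header (`-fpie`/`-pie` builds are `ET_DYN`, fixed-address builds are `ET_EXEC`) and applies the page-alignment check to a computed base. The ELF headers and the leaked address/offset pair are constructed sample values.

```python
import struct

ET_EXEC = 2  # fixed-address executable (no PIE): every run loads at the same base
ET_DYN = 3   # position-independent: what gcc -fpie / ld -pie produce (also used by .so files)
PAGE = 0x1000  # 4 KiB pages: a PIE base is page-aligned, so it always ends in 0x000


def elf_type(data: bytes) -> int:
    """Read e_type from an ELF header; works for ELF32 and ELF64, either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[16:18])[0]  # e_type follows the 16-byte e_ident


def is_pie(data: bytes) -> bool:
    """True when the ELF is relocatable at load time (ET_DYN).
    Caveat: shared libraries are ET_DYN too; a full check would also require PT_INTERP."""
    return elf_type(data) == ET_DYN


def is_page_aligned(addr: int) -> bool:
    return addr % PAGE == 0


def pie_base(leaked_addr: int, offset: int) -> int:
    """Recover the load base from one leaked binary address and its static offset,
    rejecting results that violate the page-alignment rule (base must end in 000)."""
    base = leaked_addr - offset
    if not is_page_aligned(base):
        raise ValueError(f"{base:#x} does not end in 000: wrong leak or wrong offset")
    return base


def make_elf64_header(e_type: int, entry: int) -> bytes:
    """Constructed 64-byte x86-64 little-endian ELF header (sample input, not a real binary)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, version 1, SysV ABI
    rest = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, entry, 64, 0, 0, 64, 56, 0, 64, 0, 0)
    return e_ident + rest


# Constructed samples: a PIE (entry is a file offset) and a fixed-address build (absolute entry).
SAMPLE_PIE = make_elf64_header(ET_DYN, 0x1060)
SAMPLE_NO_PIE = make_elf64_header(ET_EXEC, 0x401060)

if __name__ == "__main__":
    for name, hdr in (("pie", SAMPLE_PIE), ("no-pie", SAMPLE_NO_PIE)):
        print(f"{name}: e_type={elf_type(hdr)} PIE={is_pie(hdr)}")
    # Constructed leak: a stack slot holding an address into the binary at static offset 0x1189.
    print(f"base = {pie_base(0x55D0C0A01189, 0x1189):#x}")
```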
{% content-ref url="../leaking-bypassing-pie-and-libc-base-ret2system.md" %} leaking-bypassing-pie-and-libc-base-ret2system.md {% endcontent-ref %}