abelrguezr/aslr-bypass
skills/binary-exploitation/common-binary-protections-and-bypasses/aslr/aslr/SKILL.md
How to check, disable, and bypass ASLR (Address Space Layout Randomization) on Linux systems. Use this skill whenever the user mentions ASLR, address randomization, memory layout, binary exploitation, CTF challenges involving memory addresses, or needs to work around ASLR for debugging or exploitation. This includes checking ASLR status, disabling it for testing, brute-forcing addresses, using information leaks, or exploiting fixed addresses like vsyscall/vDSO.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills aslr-bypassInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:07 AM28.4s5 files scanned
SKILL.md
- name:
- aslr-bypass
- description:
- How to check, disable, and bypass ASLR (Address Space Layout Randomization) on Linux systems. Use this skill whenever the user mentions ASLR, address randomization, memory layout, binary exploitation, CTF challenges involving memory addresses, or needs to work around ASLR for debugging or exploitation. This includes checking ASLR status, disabling it for testing, brute-forcing addresses, using information leaks, or exploiting fixed addresses like vsyscall/vDSO.
ASLR Bypass Techniques
Address Space Layout Randomization (ASLR) randomizes memory addresses used by processes to make exploitation harder. This skill covers checking ASLR status, disabling it for testing, and various bypass techniques.
Quick Reference
| Task | Command |
|------|--------|
| Check ASLR status | cat /proc/sys/kernel/randomize_va_space |
| Disable ASLR (temp) | echo 0 \| sudo tee /proc/sys/kernel/randomize_va_space |
| Enable ASLR (full) | echo 2 \| sudo tee /proc/sys/kernel/randomize_va_space |
| Disable for one run | setarch \arch` -R ./binary` |
Understanding ASLR Values
- 0: No randomization (everything static)
- 1: Conservative (libraries, stack, mmap, VDSO randomized)
- 2: Full (plus brk() memory randomized)
Bypass Techniques
1. Brute-Force (32-bit)
On 32-bit systems, entropy is limited:
- Stack: ~11 bits effective (524,288 possible addresses)
- Code/data: 16 bits
- mmap/libraries: 16 bits
Approaches:
- Use large NOP sleds and retry until execution lands on them
- Add shellcode in environment variables for local exploits
- Brute-force libc base addresses
- For remote servers: time-based detection (e.g.,
usleep(10)causes 10s delay when hit)
Use the script: scripts/brute_force_stack.py for automated stack brute-forcing
2. Brute-Force (64-bit)
64-bit has much higher entropy, but you can:
- Fill stack with environment variables
- Retry hundreds/thousands of times locally
- Target specific stack addresses that occasionally contain NOPs
Use the script: scripts/brute_force_stack.py with appropriate architecture settings
3. Information from /proc/[pid]/stat
When you have local access to the target machine, /proc/[pid]/stat reveals:
startcode/endcode: TEXT segment boundariesstartstack: Stack start addressstart_data/end_data: BSS boundarieskstkesp/kstkeip: Current ESP/EIParg_start/arg_end: Command line argumentsenv_start/env_end: Environment variables
Use the script: scripts/read_proc_stat.py to parse and extract addresses
4. Using Information Leaks
If the challenge provides a leak:
Given libc leak:
from pwn import *
elf = context.binary = ELF('./vuln')
libc = elf.libc
p = process()
# Receive leak
p.recvuntil('at: ')
system_leak = int(p.recvline(), 16)
# Calculate libc base
libc.address = system_leak - libc.sym['system']
# Build payload
payload = flat(
'A' * offset,
libc.sym['system'],
0x0,
next(libc.search(b'/bin/sh'))
)
p.sendline(payload)
p.interactive()
ret2plt leak: Use buffer overflow to call a function and leak its GOT entry address
Format string leak: Use format string vulnerability to read GOT entries
5. Fixed Addresses (No Leak Needed)
vsyscall
The vsyscall page has a fixed address not subject to ASLR:
- Address:
0xffffffffff600000(x86_64) - Contains syscall stubs and a
retinstruction - Can be used in ROP chains without leaking
Example gadget at 0xffffffffff600809: ret instruction
vDSO
The vDSO (virtual dynamic shared object) may have predictable addresses depending on kernel configuration:
- Check if kernel has
CONFIG_COMPAT_VDSO - Address may not be randomized in some configurations
KASLR on ARM64 (Android)
On many ARM64 Android kernels, the linear map base is fixed:
PAGE_OFFSET = 0xffffff8000000000
PHYS_OFFSET = memstart_addr (from /proc/kallsyms)
Translation: virt = ((phys - PHYS_OFFSET) | PAGE_OFFSET)
Exploitation:
grep memstart /proc/kallsymsto findmemstart_addr- Read 8 bytes at that address (little-endian) to get
PHYS_OFFSET - Calculate virtual addresses:
virt = ((phys - PHYS_OFFSET) | 0xffffff8000000000)
This breaks KASLR for targets reachable via the direct map.
Scripts
Check ASLR Status
./scripts/check_aslr.sh
Toggle ASLR
./scripts/toggle_aslr.sh enable # Set to 2 (full)
./scripts/toggle_aslr.sh disable # Set to 0 (off)
Brute-Force Stack
./scripts/brute_force_stack.py ./binary --arch x86_64 --max-attempts 10000
Parse Process Stat
./scripts/read_proc_stat.py <pid>
When to Use Each Technique
| Scenario | Recommended Approach | |----------|---------------------| | Local testing/debugging | Disable ASLR temporarily | | 32-bit binary, local | Brute-force with NOP sled | | 32-bit binary, remote | Time-based detection (usleep) | | 64-bit binary, local | Brute-force with env vars | | Have info leak | Calculate offsets from leak | | No leak, x86_64 | Use vsyscall fixed addresses | | Android ARM64 | Exploit fixed linear map | | Local access to target | Read /proc/[pid]/stat |
Important Notes
- 64-bit brute-forcing is impractical for remote targets due to high entropy
- Always test locally first before attempting remote exploitation
- ASLR changes are temporary unless written to
/etc/sysctl.conf - vsyscall/vDSO addresses vary by architecture and kernel version
- KASLR bypass on Android requires kernel read primitive or root
References
- Defeating KASLR by Doing Nothing at All (Project Zero)
- man7.org /proc/pid/stat
- ARM64 linear map randomization removal
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026