ASLR bypass without infoleak

I am trying to bypass aslr. I found a memory region where the address is not randomized and it is executable so a perfect place to put shellcode. But I am having trouble reading/inserting shellcode in that region. So at first I tried finding mov gadgets with dereferencing to move data to that region. But I couldn’t find any gadgets. Then I thought maybe I can do a syscall to read (the binary only reads data from a file, only two libc functions are used “fopen” and “fgets”). But I couldn’t find any syscall gadget. Now I am trying to take input by using fgets but my problem is the third parameter in fgets. How do I get the value of file stream/stdin? So I can call fgets and take input in the memory region I found.

About the Binary:
It reads data from a file and has a buffer overflow in the logic. It only uses two libc functions in the code which are “fopen” and “fgets”. It has ASLR but NX is disabled also there is partial RELRO.

Go to Source
Author: user40061

what is an example of out of bounds read in order to leak sensitive information?

I Am trying to understand a little bit better behind the scenes on bypassing aslr by reading the bytes in the memory of a process, but how can I make an example of an info leak in WIN32? my code does the leaks of bytes , but how can I check the image base based on those bytes?

#include <stdio.h>
#include <string.h>

int main(int argc, char **argv) {
    char a[16];

    strncpy(a, "0123456789abcdef", sizeof(a));

    //... lots of code passes, functions are called...
    //... we finally come back to array a ...

    printf("%sn", a);
}

Go to Source
Author: pepe