Offset2lib: Bypassing the Full ASLR on 64 bit GNU/Linux in less than one second

Title:Bypassing the Full ASLR on 64 bit GNU/Linux in less than one second
Authors:Hector Marco & Ismael Ripoll
Date:November 2014
Comment:Offset2lib is an ASLR weakness which can be exploited to bypass the ASLR on 64 bit GNU/Linux systems in less than one second.


During my PhD research, I have been working on several protection mechanisms at low level. I found a weakness on the ASLR while I was analyzing low level protection mechanisms. We named this weakness as Offset2lib. Basically, it allows an attacker to bypass the ASLR in a new and faster way.

In order to show the impact of this weakness and to make a more realistic the attack, I have created a proof of concept exploit to bypass NX, SSP and ASLR in a 64bit Ubuntu 14.04.1 LTS (Trusty Tahr). This attack is able to bypass:

It is worth mentioning that the attack does not rely on:

We have released the ASLR weakness details, presentation slices, the paper and a demonstrative video of the offset2lib attack at:

This work has been presented in the DeepSec 2014 security conference (20 Nov. 2014). The offset2lib weakness jointly with the Address Space Layout Randomization Next Generation ASLR-NG (which solves this problem) are part of my PhD thesis.

Hector Marco -