## https://sploitus.com/exploit?id=286E716C-ADE8-5E45-BD53-E4AB573CFD5D
# ASLR Bypass Simulator
An interactive educational web application for learning ASLR (Address Space Layout Randomization) bypass techniques. This simulator provides a safe, client-side environment to understand memory exploitation concepts used in offensive security.
## Features
- **5 Progressive Levels**: From basic format string leaks to complete ROP chain exploitation
- **Interactive Visualizations**: Real-time memory layout, stack, and heap visualizations
- **100% Client-Side**: No backend required, all simulations run in the browser
- **Safe by Design**: No real code execution, pure JavaScript simulation
## Levels
1. **Format String Info Leak** - Learn to leak memory addresses using printf vulnerabilities
2. **Partial Overwrite** - Exploit page-aligned addresses to bypass ASLR with minimal writes
3. **Brute Force (32-bit)** - Understand why 32-bit ASLR is vulnerable to brute forcing
4. **Heap Spray** - Fill memory with payloads to increase exploitation probability
5. **GOT/PLT Leak + ROP** - Complete exploitation chain with GOT leaks and ROP chains
## Tech Stack
- React 18 + TypeScript
- Vite for fast development and builds
- Tailwind CSS for styling
- No external runtime dependencies
## Getting Started
```bash
# Install dependencies
npm install
# Start development server
npm run dev
# Build for production
npm run build
# Preview production build
npm run preview
```
## Security
This application is designed with security as a priority:
### What This Simulator Does NOT Do
- No real memory manipulation
- No actual code execution
- No network requests for exploitation
- No eval() or Function() usage
- No dangerouslySetInnerHTML without sanitization
### Recommended CSP Headers for Deployment
```
Content-Security-Policy:
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
font-src 'self' https://fonts.gstatic.com;
img-src 'self' data:;
connect-src 'self';
frame-ancestors 'none';
base-uri 'self';
form-action 'self';
```
### Input Sanitization
All user inputs are sanitized:
- Format strings are validated and dangerous specifiers (%n) are blocked
- Hex inputs are validated for format
- Length limits prevent DoS
- HTML entities are escaped for display
## Educational Purpose
This simulator is intended for:
- Security researchers learning exploitation techniques
- CTF players practicing pwn challenges
- Developers understanding vulnerabilities to write secure code
- Students studying computer security
**All techniques demonstrated are for educational and defensive purposes only.**
## Project Structure
```
src/
โโโ components/
โ โโโ common/ # Reusable UI components
โ โโโ memory/ # Memory visualization components
โ โโโ levels/ # Level-specific components
โ โโโ layout/ # Layout components
โโโ simulation/ # Core simulation engine
โ โโโ aslr.ts # ASLR simulation
โ โโโ memory.ts # Stack/Heap simulation
โ โโโ formatString.ts # Safe format string parser
โ โโโ rop.ts # ROP chain builder
โ โโโ validation.ts # Level validation
โโโ hooks/ # React hooks
โโโ types/ # TypeScript type definitions
โโโ utils/ # Utility functions
โโโ data/ # Level configurations
```
## Contributing
Contributions are welcome! Please ensure:
1. No real exploit code is added
2. All inputs remain sanitized
3. Client-side only architecture is maintained
## License
MIT License - Use freely for educational purposes.
## Disclaimer
This tool simulates exploitation techniques for educational purposes only. The authors are not responsible for misuse. Always practice security research ethically and with proper authorization.