
I've been playing with a binary programmed in C that has a buffer overflow to investigate how the different binary protections work, and I've run into a situation that I can't quite figure out. I made a small ROP chain to run execve to spawn /bin/sh. The binary has no PIE and no canary, but on the host I do have ASLR enabled. I'm running it in a virtual machine with Ubuntu 20.04 freshly installed.

Logically the gadget addresses are not going to be modified by ASLR, but when I write the /bin/sh string in a .data zone, shouldn't this address be randomized? Doesn't ASLR randomize .data?

Right now I am able to get a /bin/sh instance by hardcoding the .data address I want to write to.

Mark Rotteveel

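The behaviour the question describes follows from what ASLR actually moves: on Linux it randomizes the stack, the heap, shared libraries and the vDSO, but a non-PIE executable is loaded at its link-time address, so its .text, .data and .bss (and any gadgets in them) stay fixed from run to run; only a PIE executable gets a randomized base. The program below, added here as an example and not part of the original question, makes that visible by looking up where a .data global, a stack local, a heap chunk and a libc function live in /proc/self/maps. The maps parser is exercised against a constructed sample layout (the file path /tmp/vuln and all addresses in it are made up); the live lookup in main() only works on Linux.

```c
// Added example: which parts of a process ASLR moves and which it does not.
// Build and run twice as  gcc -no-pie aslr_probe.c && ./a.out  and then as
// gcc -pie -fPIE aslr_probe.c && ./a.out  and compare the ".data global" line.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

int data_global = 1;   // initialized global: lives in the executable's .data

/* Parse one /proc/self/maps line ("start-end perms offset dev inode [path]").
 * If addr lies in [start, end), copy the path ("" if anonymous) into out and
 * return 1; otherwise return 0. */
int maps_line_contains(const char *line, uintptr_t addr, char *out, size_t outlen)
{
    unsigned long start, end, offset, inode;
    char perms[8], dev[16], path[256] = "";
    int n = sscanf(line, "%lx-%lx %7s %lx %15s %lu %255s",
                   &start, &end, perms, &offset, dev, &inode, path);
    if (n < 6 || addr < start || addr >= end) return 0;
    snprintf(out, outlen, "%s", path);
    return 1;
}

/* Walk a newline-separated maps text and return the path of the mapping that
 * holds addr (copied into out), or NULL if no mapping contains it. */
const char *mapping_name(const char *maps, uintptr_t addr, char *out, size_t outlen)
{
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (maps_line_contains(line, addr, out, outlen)) return out;
        if (!nl) break;
        p = nl + 1;
    }
    return NULL;
}

/* Lowest start address among all mappings whose path equals `name`
 * (i.e. the load base of that file), or 0 if it is not mapped. */
uintptr_t mapping_base(const char *maps, const char *name)
{
    uintptr_t base = 0;
    for (const char *p = maps; *p; ) {
        unsigned long start, end, offset, inode;
        char perms[8], dev[16], path[256] = "";
        int n = sscanf(p, "%lx-%lx %7s %lx %15s %lu %255s",
                       &start, &end, perms, &offset, dev, &inode, path);
        if (n == 7 && strcmp(path, name) == 0 && (base == 0 || start < base))
            base = start;
        const char *nl = strchr(p, '\n');
        if (!nl) break;
        p = nl + 1;
    }
    return base;
}

/* The default link address of a non-PIE x86-64 executable is 0x400000; seeing
 * the executable based there on a run with ASLR on is the tell-tale sign that
 * its .data (and gadgets) are at fixed addresses. Heuristic, x86-64 only. */
int looks_like_fixed_base(uintptr_t exe_base) { return exe_base == 0x400000; }

/* Constructed sample of a non-PIE layout (paths and addresses are made up). */
const char *SAMPLE_MAPS =
    "00400000-00401000 r--p 00000000 fd:01 1234 /tmp/vuln\n"
    "00401000-00402000 r-xp 00001000 fd:01 1234 /tmp/vuln\n"
    "00404000-00405000 rw-p 00003000 fd:01 1234 /tmp/vuln\n"
    "01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]\n"
    "7f3a1c2e5000-7f3a1c30a000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd5a3b1000-7ffd5a3d2000 rw-p 00000000 00:00 0 [stack]\n";

/* Read the live /proc/self/maps into a malloc'd string (Linux only). */
char *read_self_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return NULL;
    size_t cap = 65536, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            char *nb = realloc(buf, cap *= 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    int stack_var = 0;
    char *heap_ptr = malloc(16);
    char *maps = read_self_maps();
    if (!maps) { puts("/proc/self/maps not available (Linux only)"); return 1; }
    struct { const char *what; uintptr_t addr; } probes[] = {
        { ".data global", (uintptr_t)&data_global },
        { "stack local",  (uintptr_t)&stack_var },
        { "heap chunk",   (uintptr_t)heap_ptr },
        { "libc printf",  (uintptr_t)&printf },
    };
    char name[256], exe[256] = "";
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *m = mapping_name(maps, probes[i].addr, name, sizeof name);
        printf("%-13s %#16lx  in %s\n", probes[i].what,
               (unsigned long)probes[i].addr, m ? m : "?");
        if (i == 0 && m) snprintf(exe, sizeof exe, "%s", m);
    }
    uintptr_t base = mapping_base(maps, exe);
    printf("executable %s based at %#lx: %s\n", exe, (unsigned long)base,
           looks_like_fixed_base(base) ? "fixed (non-PIE), not randomized"
                                       : "randomized (PIE) or not x86-64");
    free(heap_ptr);
    free(maps);
    return 0;
}
```

Run it twice with the same build: with the non-PIE build the ".data global" and the executable base lines repeat exactly while the stack, heap and libc lines change, which is why a hard-coded .data address keeps working under ASLR; with the PIE build the .data line moves too. The mitigation the question is circling is therefore to build with -pie -fPIE (the Ubuntu 20.04 gcc default), which is the only way ASLR can randomize .data and the gadget addresses in the binary itself.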