Neon Flash

Reputation: 3233

Does ASLR enabled libc randomize function address?

This is a basic question regarding ASLR

If I have a binary file which does not have ASLR enabled. However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?

Or the address will be the same every time because the main binary itself does not have ASLR enabled?

In gdb, I am fetching the address of system() function as shown below:

 (gdb) break main
 (gdb) run
 (gdb) print &system

So, does this return the address of system() from libc or the main binary's PLT?

Also, if I have a libc file from another system, then how can I find the address of system() inside it? By default, if I run gdb on my main binary, it will find the system() address for the libc on the local system. Do I have to tell gdb to load the libc file (which I obtained from the remote system)?

Upvotes: 2

Views: 1421

Answers (1)

Employed Russian

Reputation: 213526

However, the libc file it uses has ASLR enabled, then will the address of system() in libc file be randomized every time?

Yes (assuming you have not disabled ASLR via other means). Note that GDB by default disables ASLR. If you want to observe ASLR effects while running your program under GDB, you need to set disable-randomization off.

Also, if I have a libc file from another system, then how can I find the address of system() inside it?

That's easy: nm libc.so.6 | grep ' system'. However, that only tells you the offset within libc.so.6; you also need to know where libc.so.6 was loaded on the other system.

This answer may be helpful to you.

Upvotes: 3
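The answer's two-step recipe (symbol offset from nm, plus the load base of libc on the target machine) can be checked end to end with a small script. The following is an added example, not code from the question or the answer: it parses the output format of nm -D and of /proc/PID/maps, adds base and offset, and shows that with ASLR active the base (and so the absolute address of system()) changes between runs while the nm offset stays fixed. All nm lines, map lines and addresses below are constructed sample data so the script runs offline; on a live system you would feed it the real output of `nm -D libc.so.6` and `cat /proc/$PID/maps` instead.

```shell
#!/bin/sh
# Added example (not from the original post). Computes the runtime address of a
# libc symbol as: (libc load base from /proc/PID/maps) + (symbol offset from nm).

# Constructed sample of `nm -D libc.so.6` output; the offsets are made up.
NM_SAMPLE='0000000000052290 T system
0000000000023450 T exit
00000000000b6ad0 W strlen'

# Constructed sample of the first libc line of /proc/PID/maps for two separate
# runs of the same program with ASLR active (different load bases).
MAPS_RUN1='7f3a5c1e2000-7f3a5c20a000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6'
MAPS_RUN2='7f91d0a40000-7f91d0a68000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6'

# symbol_offset NAME: read nm output on stdin, print the hex offset of NAME.
# Matching on the third column avoids hitting e.g. "__libc_system" by accident.
symbol_offset() {
    awk -v sym="$1" '$3 == sym { print $1; exit }'
}

# libc_base: read /proc/PID/maps on stdin, print the start of the first
# libc.so.6 mapping (the "start-end" range is split on the dash).
libc_base() {
    awk '/libc\.so\.6/ { split($1, r, "-"); print r[1]; exit }'
}

# runtime_addr BASE_HEX OFFSET_HEX: add the two and print as 0x-prefixed hex.
runtime_addr() {
    printf '0x%x\n' "$(( 0x$1 + 0x$2 ))"
}

# aslr_active BASE1 BASE2: succeed (exit 0) if the two observed bases differ.
# Equal bases across runs mean ASLR is off (e.g. GDB's default, or
# /proc/sys/kernel/randomize_va_space set to 0).
aslr_active() {
    [ "$1" != "$2" ]
}

# Demo: same nm offset, two different bases, two different absolute addresses.
off=$(printf '%s\n' "$NM_SAMPLE" | symbol_offset system)
b1=$(printf '%s\n' "$MAPS_RUN1" | libc_base)
b2=$(printf '%s\n' "$MAPS_RUN2" | libc_base)
echo "system() offset in libc: 0x$off"
echo "run 1: base 0x$b1 -> system() at $(runtime_addr "$b1" "$off")"
echo "run 2: base 0x$b2 -> system() at $(runtime_addr "$b2" "$off")"
if aslr_active "$b1" "$b2"; then
    echo "ASLR is active: libc base differs between runs"
else
    echo "ASLR appears disabled: libc base identical between runs"
fi
```

When you check this under GDB, remember the answer's point that GDB turns randomization off by default: run `set disable-randomization off` first, otherwise `print &system` will report the same address on every run and the base comparison above will wrongly suggest ASLR is disabled.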
