Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/binary-exploitation/basic-binary-exploitation-methodology/elf-tricks.md

390 lines
23 KiB
Markdown
Raw Normal View History

Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
# Maelezo Muhimu ya ELF
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
* Je, unafanya kazi katika **kampuni ya usalama wa mtandao**? Unataka kuona **kampuni yako ikionyeshwa kwenye HackTricks**? au unataka kupata upatikanaji wa **toleo jipya zaidi la PEASS au kupakua HackTricks kwa PDF**? Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
* Pata [**swagi rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* **Jiunge na** [**💬**](https://emojipedia.org/speech-balloon/) [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **nifuata** kwenye **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**repo ya hacktricks**](https://github.com/carlospolop/hacktricks) **na** [**repo ya hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Vichwa vya Programu
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Hivi hufafanua kwa mzigo jinsi ya kupakia **ELF** kwenye kumbukumbu:
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```bash
readelf -lW lnstat
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1c00
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8
INTERP 0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
LOAD 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW 0x10000
DYNAMIC 0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW 0x8
NOTE 0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R 0x4
GNU_EH_FRAME 0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
GNU_RELRO 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.gnu.build-id .note.ABI-tag .note.package
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
```
Programu iliyotangulia ina **vichwa vya programu 9**, kisha, **upangaji wa sehemu** unaonyesha katika kichwa cha programu gani (kutoka 00 hadi 08) **kila sehemu inapatikana**.
### PHDR - Kichwa cha Programu
Ina meza za vichwa vya programu na metadata yenyewe.
### INTERP
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Inaonyesha njia ya mzigo wa kutumia kusoma faili ya binary kwenye kumbukumbu.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### LOAD
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Vichwa hivi hutumiwa kuonyesha **jinsi ya kusoma faili ya binary kwenye kumbukumbu.**\
Kila kichwa cha **LOAD** huonyesha eneo la **kumbukumbu** (ukubwa, ruhusa, na usawazishaji) na inaonyesha baits za **ELF binary za kunakili hapo**.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kwa mfano, la pili lina ukubwa wa 0x1190, linapaswa kuwa katika 0x1fc48 na ruhusa za kusoma na kuandika na litajazwa na 0x528 kutoka kwa offset 0xfc48 (hailazi nafasi yote iliyohifadhiwa). Kumbukumbu hii italeta sehemu `.init_array .fini_array .dynamic .got .data .bss`.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### DYNAMIC
Kichwa hiki husaidia kuunganisha programu na mahitaji yake ya maktaba na kutumia marekebisho. Angalia sehemu ya **`.dynamic`**.
### NOTE
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Hii hifadhi habari za metadata za muuzaji kuhusu faili ya binary.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### GNU\_EH\_FRAME
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Inaainisha eneo la meza za kufungua upya stack, zinazotumiwa na wachunguzi na kazi za kutunza mizunguko ya C++.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### GNU\_STACK
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Ina mazingira ya ulinzi wa kuzuia utekelezaji wa stack. Ikiwa imewezeshwa, faili ya binary haitaweza kutekeleza nambari kutoka kwenye stack.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### GNU\_RELRO
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Inaonyesha usanidi wa RELRO (Relocation Read-Only) wa faili ya binary. Ulinzi huu utaweka sehemu fulani za kumbukumbu kama kusoma tu (kama vile `GOT` au meza za `init` na `fini`) baada ya programu kusomwa na kabla haijaanza kukimbia.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Katika mfano uliotangulia inaiga baits 0x3b8 hadi 0x1fc48 kama kusoma tu ikigusa sehemu `.init_array .fini_array .dynamic .got .data .bss`.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Tambua kuwa RELRO inaweza kuwa ya sehemu au kamili, toleo la sehemu halilindi sehemu **`.plt.got`**, ambayo hutumiwa kwa **kufunga uvivu** na inahitaji nafasi hii ya kumbukumbu kuwa na **ruhusa za kuandika** kuandika anwani za maktaba mara ya kwanza wanapopatikana.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### TLS
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Inaainisha meza ya vipengele vya TLS, ambavyo huhifadhi habari kuhusu pembejeo za mnyororo wa ndani.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
## Vichwa vya Sehemu
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Vichwa vya sehemu hutoa mtazamo wa kina zaidi wa faili ya binary ya ELF.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```
objdump lnstat -h
lnstat: file format elf64-littleaarch64
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 0000001b 0000000000000238 0000000000000238 00000238 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.build-id 00000024 0000000000000254 0000000000000254 00000254 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.ABI-tag 00000020 0000000000000278 0000000000000278 00000278 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .note.package 0000009c 0000000000000298 0000000000000298 00000298 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .gnu.hash 0000001c 0000000000000338 0000000000000338 00000338 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym 00000498 0000000000000358 0000000000000358 00000358 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .dynstr 000001fe 00000000000007f0 00000000000007f0 000007f0 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version 00000062 00000000000009ee 00000000000009ee 000009ee 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .gnu.version_r 00000050 0000000000000a50 0000000000000a50 00000a50 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rela.dyn 00000228 0000000000000aa0 0000000000000aa0 00000aa0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .rela.plt 000003c0 0000000000000cc8 0000000000000cc8 00000cc8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
11 .init 00000018 0000000000001088 0000000000001088 00001088 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .plt 000002a0 00000000000010a0 00000000000010a0 000010a0 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .text 00001c34 0000000000001340 0000000000001340 00001340 2**6
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .fini 00000014 0000000000002f74 0000000000002f74 00002f74 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
15 .rodata 00000686 0000000000002f88 0000000000002f88 00002f88 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame_hdr 000001b4 0000000000003610 0000000000003610 00003610 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .eh_frame 000007b4 00000000000037c8 00000000000037c8 000037c8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
18 .init_array 00000008 000000000001fc48 000000000001fc48 0000fc48 2**3
CONTENTS, ALLOC, LOAD, DATA
19 .fini_array 00000008 000000000001fc50 000000000001fc50 0000fc50 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .dynamic 00000200 000000000001fc58 000000000001fc58 0000fc58 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .got 000001a8 000000000001fe58 000000000001fe58 0000fe58 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .data 00000170 0000000000020000 0000000000020000 00010000 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000c68 0000000000020170 0000000000020170 00010170 2**3
ALLOC
24 .gnu_debugaltlink 00000049 0000000000000000 0000000000000000 00010170 2**0
CONTENTS, READONLY
25 .gnu_debuglink 00000034 0000000000000000 0000000000000000 000101bc 2**2
CONTENTS, READONLY
```
### Sehemu za Meta
* **Jedwali la String**: Inaleta pamoja strings zote zinazohitajika na faili ya ELF (lakini sio zile zinazotumiwa na programu). Kwa mfano, inaleta majina ya sehemu kama vile `.text` au `.data`. Na kama `.text` iko kwenye offset 45 katika jedwali la strings itatumia nambari **45** katika uga wa **jina**.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
* Ili kupata mahali ambapo jedwali la string liko, ELF ina pointer kwenye jedwali la string.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
* **Jedwali la Alama**: Inaleta habari kuhusu alama kama vile jina (offset katika jedwali la strings), anwani, saizi na metadata zaidi kuhusu alama.
### Sehemu Kuu
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
* **`.text`**: Maelekezo ya programu ya kukimbia.
* **`.data`**: Variables za kimataifa zenye thamani iliyowekwa wazi katika programu.
* **`.bss`**: Variables za kimataifa zilizoachwa bila kuanzishwa (au kuanzishwa kwa sifuri). Variables hapa zinaanzishwa moja kwa moja kuwa sifuri hivyo kuzuia sifuri zisizohitajika kuongezwa kwenye binary.
* **`.rodata`**: Variables za kimataifa zenye thamani zisizobadilika (sehemu isiyoweza kusomwa).
* **`.tdata`** na **`.tbss`**: Kama .data na .bss wakati variables za thread-local zinapotumiwa (`__thread_local` katika C++ au `__thread` katika C).
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
* **`.dynamic`**: Angalia chini.
## Alama
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Alama ni mahali lenye jina katika programu ambalo linaweza kuwa function, object la data la kimataifa, variables za thread-local...
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```
readelf -s lnstat
Symbol table '.dynsym' contains 49 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000001088 0 SECTION LOCAL DEFAULT 12 .init
2: 0000000000020000 0 SECTION LOCAL DEFAULT 23 .data
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strtok@GLIBC_2.17 (2)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND s[...]@GLIBC_2.17 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.17 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fputs@GLIBC_2.17 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.17 (2)
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _[...]@GLIBC_2.34 (3)
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND perror@GLIBC_2.17 (2)
10: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
11: 0000000000000000 0 FUNC WEAK DEFAULT UND _[...]@GLIBC_2.17 (2)
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND putc@GLIBC_2.17 (2)
[...]
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kila kuingia cha alama kina:
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
- **Jina**
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
- **Vipengele vya kufunga** (dhaifu, mahali au kuu): Alama ya mahali inaweza kupatikana tu na programu yenyewe wakati alama za kuu zinashirikiwa nje ya programu. Kitu dhaifu ni kwa mfano kazi inayoweza kubadilishwa na moja tofauti.
- **Aina**: NOTYPE (aina haikufafanuliwa), OBJECT (data ya kikoa cha kimataifa), FUNC (kazi), SECTION (sehemu), FILE (faili ya msingi ya nambari kwa wachunguzi wa hitilafu), TLS (kigezo cha mnyororo wa eneo), GNU\_IFUNC (kazi isiyo ya moja kwa moja kwa ajili ya uhamishaji)
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
- Indeksi wa **Sehemu** ambapo iko
- **Thamani** (anwani kumbukumbu)
- **Ukubwa**
## Sehemu ya Kudumu
```
readelf -d lnstat
Dynamic section at offset 0xfc58 contains 28 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x0000000000000001 (NEEDED) Shared library: [ld-linux-aarch64.so.1]
0x000000000000000c (INIT) 0x1088
0x000000000000000d (FINI) 0x2f74
0x0000000000000019 (INIT_ARRAY) 0x1fc48
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x1fc50
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x338
0x0000000000000005 (STRTAB) 0x7f0
0x0000000000000006 (SYMTAB) 0x358
0x000000000000000a (STRSZ) 510 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x1fe58
0x0000000000000002 (PLTRELSZ) 960 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0xcc8
0x0000000000000007 (RELA) 0xaa0
0x0000000000000008 (RELASZ) 552 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0xa50
0x000000006fffffff (VERNEEDNUM) 2
0x000000006ffffff0 (VERSYM) 0x9ee
0x000000006ffffff9 (RELACOUNT) 15
0x0000000000000000 (NULL) 0x0
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Directory ya NEEDED inaonyesha kwamba programu **inahitaji kupakia maktaba iliyotajwa** ili iendelee. Directory ya NEEDED inakamilika mara tu maktaba **inapokuwa kamili na tayari kutumika**.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
## Uhamishaji
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Mzigo lazima pia uhamishe mahitaji baada ya kuzipakia. Uhamishaji huu unaonyeshwa kwenye meza ya uhamishaji katika muundo wa REL au RELA na idadi ya uhamishaji inatolewa katika sehemu za kudumu RELSZ au RELASZ.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```
readelf -r lnstat
Relocation section '.rela.dyn' at offset 0xaa0 contains 23 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fc48 000000000403 R_AARCH64_RELATIV 1d10
00000001fc50 000000000403 R_AARCH64_RELATIV 1cc0
00000001fff0 000000000403 R_AARCH64_RELATIV 1340
000000020008 000000000403 R_AARCH64_RELATIV 20008
000000020010 000000000403 R_AARCH64_RELATIV 3330
000000020030 000000000403 R_AARCH64_RELATIV 3338
000000020050 000000000403 R_AARCH64_RELATIV 3340
000000020070 000000000403 R_AARCH64_RELATIV 3348
000000020090 000000000403 R_AARCH64_RELATIV 3350
0000000200b0 000000000403 R_AARCH64_RELATIV 3358
0000000200d0 000000000403 R_AARCH64_RELATIV 3360
0000000200f0 000000000403 R_AARCH64_RELATIV 3370
000000020110 000000000403 R_AARCH64_RELATIV 3378
000000020130 000000000403 R_AARCH64_RELATIV 3380
000000020150 000000000403 R_AARCH64_RELATIV 3388
00000001ffb8 000a00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_deregisterTM[...] + 0
00000001ffc0 000b00000401 R_AARCH64_GLOB_DA 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001ffc8 000f00000401 R_AARCH64_GLOB_DA 0000000000000000 stderr@GLIBC_2.17 + 0
00000001ffd0 001000000401 R_AARCH64_GLOB_DA 0000000000000000 optarg@GLIBC_2.17 + 0
00000001ffd8 001400000401 R_AARCH64_GLOB_DA 0000000000000000 stdout@GLIBC_2.17 + 0
00000001ffe0 001e00000401 R_AARCH64_GLOB_DA 0000000000000000 __gmon_start__ + 0
00000001ffe8 001f00000401 R_AARCH64_GLOB_DA 0000000000000000 __stack_chk_guard@GLIBC_2.17 + 0
00000001fff8 002e00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_registerTMCl[...] + 0
Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fe70 000300000402 R_AARCH64_JUMP_SL 0000000000000000 strtok@GLIBC_2.17 + 0
00000001fe78 000400000402 R_AARCH64_JUMP_SL 0000000000000000 strtoul@GLIBC_2.17 + 0
00000001fe80 000500000402 R_AARCH64_JUMP_SL 0000000000000000 strlen@GLIBC_2.17 + 0
00000001fe88 000600000402 R_AARCH64_JUMP_SL 0000000000000000 fputs@GLIBC_2.17 + 0
00000001fe90 000700000402 R_AARCH64_JUMP_SL 0000000000000000 exit@GLIBC_2.17 + 0
00000001fe98 000800000402 R_AARCH64_JUMP_SL 0000000000000000 __libc_start_main@GLIBC_2.34 + 0
00000001fea0 000900000402 R_AARCH64_JUMP_SL 0000000000000000 perror@GLIBC_2.17 + 0
00000001fea8 000b00000402 R_AARCH64_JUMP_SL 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001feb0 000c00000402 R_AARCH64_JUMP_SL 0000000000000000 putc@GLIBC_2.17 + 0
00000001feb8 000d00000402 R_AARCH64_JUMP_SL 0000000000000000 opendir@GLIBC_2.17 + 0
00000001fec0 000e00000402 R_AARCH64_JUMP_SL 0000000000000000 fputc@GLIBC_2.17 + 0
00000001fec8 001100000402 R_AARCH64_JUMP_SL 0000000000000000 snprintf@GLIBC_2.17 + 0
00000001fed0 001200000402 R_AARCH64_JUMP_SL 0000000000000000 __snprintf_chk@GLIBC_2.17 + 0
00000001fed8 001300000402 R_AARCH64_JUMP_SL 0000000000000000 malloc@GLIBC_2.17 + 0
00000001fee0 001500000402 R_AARCH64_JUMP_SL 0000000000000000 gettimeofday@GLIBC_2.17 + 0
00000001fee8 001600000402 R_AARCH64_JUMP_SL 0000000000000000 sleep@GLIBC_2.17 + 0
00000001fef0 001700000402 R_AARCH64_JUMP_SL 0000000000000000 __vfprintf_chk@GLIBC_2.17 + 0
00000001fef8 001800000402 R_AARCH64_JUMP_SL 0000000000000000 calloc@GLIBC_2.17 + 0
00000001ff00 001900000402 R_AARCH64_JUMP_SL 0000000000000000 rewind@GLIBC_2.17 + 0
00000001ff08 001a00000402 R_AARCH64_JUMP_SL 0000000000000000 strdup@GLIBC_2.17 + 0
00000001ff10 001b00000402 R_AARCH64_JUMP_SL 0000000000000000 closedir@GLIBC_2.17 + 0
00000001ff18 001c00000402 R_AARCH64_JUMP_SL 0000000000000000 __stack_chk_fail@GLIBC_2.17 + 0
00000001ff20 001d00000402 R_AARCH64_JUMP_SL 0000000000000000 strrchr@GLIBC_2.17 + 0
00000001ff28 001e00000402 R_AARCH64_JUMP_SL 0000000000000000 __gmon_start__ + 0
00000001ff30 002000000402 R_AARCH64_JUMP_SL 0000000000000000 abort@GLIBC_2.17 + 0
00000001ff38 002100000402 R_AARCH64_JUMP_SL 0000000000000000 feof@GLIBC_2.17 + 0
00000001ff40 002200000402 R_AARCH64_JUMP_SL 0000000000000000 getopt_long@GLIBC_2.17 + 0
00000001ff48 002300000402 R_AARCH64_JUMP_SL 0000000000000000 __fprintf_chk@GLIBC_2.17 + 0
00000001ff50 002400000402 R_AARCH64_JUMP_SL 0000000000000000 strcmp@GLIBC_2.17 + 0
00000001ff58 002500000402 R_AARCH64_JUMP_SL 0000000000000000 free@GLIBC_2.17 + 0
00000001ff60 002600000402 R_AARCH64_JUMP_SL 0000000000000000 readdir64@GLIBC_2.17 + 0
00000001ff68 002700000402 R_AARCH64_JUMP_SL 0000000000000000 strndup@GLIBC_2.17 + 0
00000001ff70 002800000402 R_AARCH64_JUMP_SL 0000000000000000 strchr@GLIBC_2.17 + 0
00000001ff78 002900000402 R_AARCH64_JUMP_SL 0000000000000000 fwrite@GLIBC_2.17 + 0
```plaintext
00000001ff80 002a00000402 R_AARCH64_JUMP_SL 0000000000000000 fflush@GLIBC_2.17 + 0
00000001ff88 002b00000402 R_AARCH64_JUMP_SL 0000000000000000 fopen64@GLIBC_2.17 + 0
00000001ff90 002c00000402 R_AARCH64_JUMP_SL 0000000000000000 __isoc99_sscanf@GLIBC_2.17 + 0
00000001ff98 002d00000402 R_AARCH64_JUMP_SL 0000000000000000 strncpy@GLIBC_2.17 + 0
00000001ffa0 002f00000402 R_AARCH64_JUMP_SL 0000000000000000 __assert_fail@GLIBC_2.17 + 0
00000001ffa8 003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
### Urekebishaji wa Stati
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Ikiwa **programu imepakia mahali tofauti** na anwani inayopendelewa (kawaida 0x400000) kwa sababu anwani tayari inatumika au kwa sababu ya **ASLR** au sababu nyingine yoyote, urekebishaji wa stati **hurekebisha pointa** ambazo zilikuwa na thamani zikitarajia binary ipakuliwe katika anwani inayopendelewa.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kwa mfano, sehemu yoyote ya aina `R_AARCH64_RELATIV` inapaswa kurekebisha anwani kwenye upendeleo wa urekebishaji pamoja na thamani ya kuongeza.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
### Urekebishaji wa Kudumu na GOT
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Urekebishaji unaweza pia kurejelea alama ya nje (kama kazi kutoka kwa tegemezi). Kama vile kazi ya malloc kutoka libC. Kisha, mzigo unapopakia libC katika anwani ikichunguza wapi kazi ya malloc imepakuliwa, itaandika anwani hii kwenye jedwali la GOT (Global Offset Table) (inayoonyeshwa katika jedwali la urekebishaji) ambapo anwani ya malloc inapaswa kufafanuliwa.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### Jedwali la Uunganishaji wa Taratibu
Sehemu ya PLT inaruhusu kufanya uunganishaji wa uvivu, ambao maana yake ni kwamba ufumbuzi wa eneo la kazi utafanywa mara ya kwanza inapofikiwa.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kwa hivyo wakati programu inaita malloc, kimsingi inaita eneo linalofanana la `malloc` katika PLT (`malloc@plt`). Mara ya kwanza inapoitwa, inatatua anwani ya `malloc` na kuihifadhi ili wakati `malloc` inaitwa tena, anwani hiyo itatumika badala ya msimbo wa PLT.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
## Uanzishaji wa Programu
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Baada ya programu kupakia, ni wakati wake wa kufanya kazi. Walakini, msimbo wa kwanza unaorushwa **si mara zote ni `main`**. Hii ni kwa sababu kwa mfano katika C++ ikiwa **kigezo cha kawaida ni kitu cha darasa**, kipengee hiki lazima kianzishwe **kabla** ya `main` kuanza, kama vile:
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```cpp
#include <stdio.h>
// g++ autoinit.cpp -o autoinit
class AutoInit {
public:
AutoInit() {
printf("Hello AutoInit!\n");
}
~AutoInit() {
printf("Goodbye AutoInit!\n");
}
};
AutoInit autoInit;
int main() {
printf("Main\n");
return 0;
}
```
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Tafadhali elewa kwamba hizi variables za kimataifa zinapatikana katika `.data` au `.bss` lakini katika orodha `__CTOR_LIST__` na `__DTOR_LIST__` vitu vya kuanzisha na kuharibu vimehifadhiwa kwa mpangilio ili kufuatilia.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kutoka kwa msimbo wa C ni rahisi kupata matokeo sawa kwa kutumia vifaa vya GNU:
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
```c
__attributte__((constructor)) //Add a constructor to execute before
__attributte__((destructor)) //Add to the destructor list
```
Kutoka kwa mtazamo wa compiler, ili kutekeleza hatua hizi kabla na baada ya kazi ya `main` kutekelezwa, ni rahisi kuunda kazi ya `init` na kazi ya `fini` ambazo zitatajwa katika sehemu ya dynamic kama **`INIT`** na **`FIN`** na kuwekwa katika sehemu za `init` na `fini` za ELF.
Chaguo lingine, kama ilivyotajwa, ni kutaja orodha **`__CTOR_LIST__`** na **`__DTOR_LIST__`** katika viingilio vya **`INIT_ARRAY`** na **`FINI_ARRAY`** katika sehemu ya dynamic na urefu wa hizi unatajwa na **`INIT_ARRAYSZ`** na **`FINI_ARRAYSZ`**. Kila kuingilio ni kidude cha kazi ambacho kitaitwa bila hoja.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Zaidi ya hayo, ni rahisi pia kuwa na **`PREINIT_ARRAY`** na **pointers** ambazo zitatekelezwa **kabla** ya kidude cha **`INIT_ARRAY`**.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
### Mpangilio wa Uanzishaji
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
1. Programu inapakiwa kumbukani, vitu vya kimataifa vya tuli vinainishwa katika **`.data`** na vile visivyoainishwa vinawekwa sifuri katika **`.bss`**.
2. **Mahitaji yote** kwa programu au maktaba zina **anzishwa** na **kiunganishaji wa kudumu** unatekelezwa.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
3. Kazi za **`PREINIT_ARRAY`** zinatekelezwa.
4. Kazi za **`INIT_ARRAY`** zinatekelezwa.
5. Ikiwa kuna kuingilio la **`INIT`** linaitwa.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
6. Ikiwa ni maktaba, dlopen inamalizika hapa, ikiwa ni programu, ni wakati wa kuita **kituo cha kuingia halisi** (kazi ya `main`).
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
## Uhifadhi wa Wateja-Kwa-Wateja (TLS)
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Hizi hutajwa kwa kutumia neno **`__thread_local`** katika C++ au kifupisho cha GNU **`__thread`**.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kila wateja atahifadhi eneo la kipekee kwa kivinjari hiki hivyo ni wateja pekee wanaweza kupata kivinjari chao.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Inapotumiwa, sehemu **`.tdata`** na **`.tbss`** hutumiwa katika ELF. Ambazo ni kama `.data` (inaanzishwa) na `.bss` (haikoanzishwa) lakini kwa TLS.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
Kila kivinjari kitakuwa na kuingilio katika kichwa cha TLS kinachotaja ukubwa na kivinjari cha TLS, ambacho ni kivinjari kitatumia katika eneo la data la kipekee la kivinjari.
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/REA
2024-04-07 03:36:12 +00:00
Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-04-07 03:54:31 +00:00
`__TLS_MODULE_BASE` ni ishara inayotumiwa kutaja anwani ya msingi ya uhifadhi wa wateja-kwa-wateja na inaelekeza kwenye eneo kumbukumbu linaloleta data yote ya wateja-kwa-wateja ya moduli.
Reference in a new issue Copy permalink