Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2025-02-16 14:08:26 +00:00
Code Issues Projects Releases Packages Wiki Activity

Added note on Glibc GOT

Browse source
This commit is contained in:
7Rocky 2024-04-06 14:57:25 +02:00
parent cf4648a626
commit b556bc5d1e
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md
View file

@ -22,13 +22,13 @@ Other ways to support HackTricks:
**Partial RELRO** takes a simpler approach to enhance security without significantly impacting the binary's performance. By **positioning the GOT above the program's variables in memory, Partial RELRO aims to prevent buffer overflows from reaching and corrupting the GOT**. 
This **doesn't prevent to GOT** to be abused **from arbitrary write** vulnerabilities.
This **doesn't prevent the GOT** to be abused **from arbitrary write** vulnerabilities.
### **Full RELRO**
**Full RELRO** steps up the protection by **making the GOT completely read-only.** Once the binary starts all the function addresses are resolved and loaded in the GOT, then, GOT is marked as read-only, effectively preventing any modifications to it during runtime.
However, the trade-off with Full RELRO is in terms of performance and startup time. Because it necessitates resolving all dynamic symbols at startup before marking the GOT as read-only, **binaries with Full RELRO enabled may experience longer load times**. This additional startup overhead is why Full RELRO is not enabled by default in all binaries.
However, the trade-off with Full RELRO is in terms of performance and startup time. Because it needs to resolve all dynamic symbols at startup before marking the GOT as read-only, **binaries with Full RELRO enabled may experience longer load times**. This additional startup overhead is why Full RELRO is not enabled by default in all binaries.
It's possible to see if Full RELRO is enabled in a binary with:
@ -40,6 +40,8 @@ readelf -l /proc/ID_PROC/exe | grep BIND_NOW
If Full RELRO is enabled, the only way to bypass it is to find another way that doesn't need to write in the GOT table to get arbitrary execution.
Note that LIBC's GOT is usually Partial RELRO, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>