Ret2dlresolve
[AD REMOVED]
Basic Information
As explained in the page about GOT/PLT and Relro, binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function _dl_runtime_resolve
.
The _dl_runtime_resolve
function takes from the stack references to some structures it needs in order to resolve the specified symbol.
Therefore, it's possible to fake all these structures to make the dynamic linked resolving the requested symbol (like system
function) and call it with a configured parameter (e.g. system('/bin/sh')
).
Usually, all these structures are faked by making an initial ROP chain that calls read
over a writable memory, then the structures and the string '/bin/sh'
are passed so they are stored by read in a known location, and then the ROP chain continues by calling _dl_runtime_resolve
with the address to $'/bin/sh'
.
[!TIP] This technique is useful specially if there aren't syscall gadgets (to use techniques such as ret2syscall or SROP) and there are't ways to leak libc addresses.
You can find a better explanation about this technique in the second half of the video:
{{#ref}} https://youtu.be/ADULSwnQs-s?feature=shared {{#endref}}
Structures
It's necessary to fake 3 structures: JMPREL
, STRTAB
and SYMTAB
. You have a better explanation about how these are built in https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures
Attack Summary
- Write fake estructures in some place
- Set the first argument of system (
$rdi = &'/bin/sh'
) - Set on the stack the addresses to the structures to call
_dl_runtime_resolve
- Call
_dl_runtime_resolve
system
will be resolved and called with'/bin/sh'
as argument
Example
You can find an example of this technique here containing a very good explanation of the final ROP chain, but here is the final exploit used:
from pwn import *
elf = context.binary = ELF('./vuln', checksec=False)
p = elf.process()
rop = ROP(elf)
# create the dlresolve object
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])
rop.raw('A' * 76)
rop.read(0, dlresolve.data_addr) # read to where we want to write the fake structures
rop.ret2dlresolve(dlresolve) # call .plt and dl-resolve() with the correct, calculated reloc_offset
log.info(rop.dump())
p.sendline(rop.chain())
p.sendline(dlresolve.payload) # now the read is called and we pass all the relevant structures in
p.interactive()
References
[AD REMOVED]