Memory Corruption
Relocation Read Only (RELRO)
Dynamically linked executables are linked against the ld-linux.so shared library. This library is executed before your program to set up all of the library functions.
How the lookup works:
- The GOT and PLT are set up.
- The main function is run.
- When there is a call to an external library function there is a jump through the dereferenced pointer in the PLT.
  - The pointer address is a location in the .got.plt section (jmp DWORD PTR ds:0x804a00c).
  - The pointer value is a location in the .plt section (0x804a00c: 0x08048306).
- If the call has not been performed before then a lookup must take place:
  - A null is pushed on the stack.
  - Then a jump to the lookup routine for that function (this function is located in the .plt table).
  - Then a data value for the ld library is pushed on to the stack (this value is located right after the function and is in the .plt table).
  - Then a jump into the ld library (this value is located right after the data value and is in the .plt table).
- The address is resolved and ld updates the .got.plt table with the address of the library function.
- The ld function also removes the information from the stack.
Partial RELRO:
- .got is read-only; .got.plt is read-write.
- Rearranges global variables to place them after the .got.plt.
- This makes it harder to use an overflow to read or write the .got.plt table.
Full RELRO:
- Same as Partial RELRO.
- The linker resolves all symbols before the execution of the main function.
- When the linker is done resolving the symbols it removes write access, making the .got read-only.
- The .got.plt section is merged into the .got and won't appear in the section names of the binary.
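The three RELRO levels above can be told apart from the ELF headers alone: Partial RELRO shows up as a PT_GNU_RELRO program header, and Full RELRO adds the bind-now flag in the dynamic section that forces the linker to resolve everything before main. The following checksec-style classifier is an added example, not part of these notes; it handles little-endian ELF64 only, and the build_elf helper constructs a minimal header-only image for testing (it is not a runnable binary).

```python
import struct

# Constants from the ELF specification (elf.h)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # Elf64_Ehdr/Phdr/Dyn


def relro_level(data: bytes) -> str:
    """Classify a little-endian ELF64 image as No / Partial / Full RELRO."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    has_relro = bind_now = False
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:      # region ld makes read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:      # scan dynamic entries for "resolve everything now"
            for off in range(p_off, p_off + p_filesz, struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    if not has_relro:
        return "No RELRO"
    return "Full RELRO" if bind_now else "Partial RELRO"


def build_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed minimal ELF64 image: header, program headers, dynamic section."""
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack(DYN, DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + phnum * 56                    # dynamic section follows the phdrs
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0x1000, 0x1000, 1)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                        # classify a real binary from disk
        print(relro_level(open(sys.argv[1], "rb").read()))
    for flags in ((False, False), (True, False), (True, True)):
        print(flags, relro_level(build_elf(*flags)))
```

Run it with a path to inspect a real binary; without arguments it classifies the three constructed images.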
Global Offset Table (GOT)
- This contains the table of addresses for external symbols.
- This is filled in by the ld-linux.so shared library.
If the GOT is readable it can be used to leak the memory offset of a library.
If the GOT is writable it can be used to overwrite an address.
GOT PLT:
- The Global Offset Table contains a Procedure Linkage Table.
- This contains target addresses that have already been looked up.
Procedure Linkage Table (PLT)
- This contains the table of jumps to external symbols.
- If the correct address has not yet been filled in the .got.plt, this contains a function to look up that address before it calls it.
PLT GOT:
- The Procedure Linkage Table contains a Global Offset Table.
- This seems to just be a jump to the GOT.
Attacks
If an exploit can write to negative indexes then it is possible to write the __malloc_hook function to jump to the address in rax.