Skip to content

Memory Corruption

Memory Corruption

Relocation Read Only (RELRO)

Dynamically linked executables are linked against the ld-linux.so shared library.
This Library is executed before your program to setup all of the library functions

How the lookup works:
1. GOT and PLT are setup
2. Main function is run
3. When there is a call to an external library their is a jump into the dereferenced pointer in the PLT.
- The pointer address is a location in the .got.plt section. (jmp DWORD PTR ds:0x804a00c)
- The pointer value is a location in the .plt section. (0x804a00c: 0x08048306)
4. If the call has not been preformed before then a lookup must take place
- A Null is pushed on the stack
- Then a jump to the lookup routine for that function. (This function is located in the .plt table)
- Then a data value for the ld library is pushed on to the stack. (This value is located right after the function and is in the .plt table)
- Then a jump into the ld library. (This value is located right after the data value and is in the .plt table)
5. The address is resolved and ld updates the .got.plt table with the address of the library function.
- the ld function also removes the information from the stack

Source

Partial RELRO:
- .got is R only
- .got.plt is RW only
- Rearranges Global Variables to add it after the .got.plt
- This makes it harder to use a overflow to read or write the .got.plt table.

Full RELRO:
- Same as Partial RELRO
- The linker resolves all symbols before the execution of the main function.
- The linker when is done resolving the symbols removes the write protection making the .got R only
- The .got.plt section is merged into the .got and wont appear in the section name of the binary

Global Offset Table (GOT)

  • This contains the Table of Addresses for external symbols.
  • This is filled in by the ld-linux.so shared library.

If the GOT is readable the GOT can be used to leak the memory offset of a library
If the GOT is writable the GOT can be used to overwrite an address

GOT PLT:
- The Global Offset Table contains a Procedure Linkage Table.
- This contains target addresses that have already been looked up

Procedure Linkage Table (PLT)

  • This contains the Table of Jumps to external symbols.
  • If the correct address is not been filled in the got.plt this contains a function to lookup that address before it calls it

*PLT GOT:
- The Procedure Linkage Table contains a Global Offset Table.
- This seems to just be a jump to the GOT

Attacks

If a exploit can write to negative indexes then it is possible to write the __malloc_hook function to jump to the address in rax