killchain-compendium/exploit/binaries/plt_got.md

33 lines
1.1 KiB
Markdown
Raw Normal View History

2022-05-10 00:08:57 +02:00
# Procedure Lookup Table, Global Offset Table
* Both are part of dynamic binaries
* PLT resolves called function address of shared object
* A function call inside the binary, to a function inside a shared object is done via PLT
* __PLT__ contains dynamic address, references GOT
* __GOT__ contains the absolute address of the called functions. Dynamic linker updates the GOT
* __Lazy Linking__ is the process of loading the called SO function after they are called for the first time
## pwn
* Overwrite the GOT address of a called functions, which then will be returned instead
* Check the disassembly of the binary for SO function call
```sh
x/s <functionaddress>
x/3i <functionaddress>
```
* This is the PLT address
* Check the GOT address of the PLT. There should be `PTR` via `jmp` to the GOT address of the function
* Rewrite this address with for example `system`. Take a look where it is placed
```sh
p system
```
* Set the address of the `jmp` to GOT to `system` address
```sh
set *<foundGOTjmpAddress>=<foundSystemAddress>
```
* Fill the buffer with the argument to `system`