# Procedure Lookup Table, Global Offset Table

* Both are part of dynamically linked binaries

* The PLT resolves the address of a called function that lives in a shared object

* A function call inside the binary to a function inside a shared object is done via the PLT

* __PLT__ contains the dynamic jump stub, which references the GOT

* __GOT__ contains the absolute addresses of the called functions; the dynamic linker updates the GOT

* __Lazy Linking__ is the process of resolving a called SO function only when it is called for the first time

## pwn

* Overwrite the GOT entry of a called function; the overwritten address is then used instead

* Check the disassembly of the binary for a SO function call

```sh
x/s <functionaddress>
x/3i <functionaddress>
```

* This is the PLT address

* Check the GOT address of the PLT. There should be a `PTR` operand of a `jmp` pointing to the GOT address of the function

* Rewrite this address with, for example, the address of `system`. Take a look at where it is placed

```sh
p system
```

* Set the GOT address targeted by the `jmp` to the address of `system`

```sh
set *<foundGOTjmpAddress>=<foundSystemAddress>
```

* Fill the buffer with the argument to `system`
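Whether the GOT entries described above stay writable at run time, and whether lazy linking is in effect at all, is decided by the binary's RELRO setting: with Full RELRO (a `PT_GNU_RELRO` segment plus `BIND_NOW`) the dynamic linker resolves every GOT entry at startup and remaps the GOT read-only before `main` runs, which is the mitigation that defeats the overwrite in the pwn section. The following Python checker is an added example, not part of these notes; it reads the ELF64 program headers and dynamic table directly, and `make_elf` builds constructed test images instead of relying on a real binary.

```python
import struct

# ELF constants (values from the ELF specification / glibc elf.h)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_level(elf):
    """Classify a little-endian ELF64 image (bytes) as 'none', 'partial' or 'full' RELRO.
    'full' (PT_GNU_RELRO plus BIND_NOW) means every GOT entry is resolved at startup, so
    there is no lazy linking and the GOT is remapped read-only before main() runs."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic table: BIND_NOW is what turns lazy linking off
            for pos in range(p_off, p_off + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, pos)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or (
                        d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def make_elf(relro, bind_now):
    """Constructed test image (not a real binary): ELF header, one PT_DYNAMIC program
    header, an optional PT_GNU_RELRO header, and a two-entry dynamic table."""
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # e_ident: ELF64, LSB, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8)
                    for t in phdrs)
    return ehdr + body + dyn
```

On a real binary, `relro_level(open(path, "rb").read())` gives the same answer as the RELRO line of `checksec`; anything short of `full` leaves the GOT writable after the loader is done.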