killchain-compendium/exploit/binaries/plt_got.md


Procedure Linkage Table (PLT), Global Offset Table (GOT)

  • Both are part of dynamically linked binaries: the PLT is code (.plt), the GOT is a table of pointers (.got / .got.plt)
  • A call inside the binary to a function in a shared object (SO) goes to the function's PLT stub, not to the function itself
  • The PLT stub sits at a fixed address inside the binary and jumps through the function's GOT entry (jmp QWORD PTR [rip+0x...])
  • The GOT entry holds the absolute address of the function in the loaded SO. The dynamic linker fills it in
  • Lazy binding: the GOT entry is not filled in at load time but on the first call. Until then it points back into the PLT, which hands over to the dynamic linker; the linker resolves the symbol, writes the address into the GOT and jumps to it. Every later call goes straight through the GOT
  • With BIND_NOW (-z now) every entry is resolved at load time instead, and full RELRO (-z relro -z now) then marks the GOT read-only

pwn

  • Overwrite the GOT entry of a function the binary calls through the PLT: the next call to that function jumps to whatever address the entry now holds

  • Find the call to the SO function in the disassembly of the binary (e.g. call puts@plt). The call target is the PLT stub, not the function itself

x/3i <pltaddress>
  • This is the PLT stub. Its first instruction is jmp QWORD PTR [rip+0x...]; the address gdb prints after # is the function's GOT entry

  • Check what the GOT entry holds. Before the first call (lazy binding) it points back into the binary's own PLT, afterwards into the SO

x/gx <gotaddress>
  • Rewrite this entry with the address of the function you want executed instead, for example system. Take a look where it is placed

p system
  • Write the address of system into the GOT entry. Use {long} (8 bytes on x86_64); a bare set *<address>=... writes only a 4-byte int

set {long}<foundGOTaddress> = <foundSystemAddress>
  • Fill the buffer with the argument to system. The string the hijacked function was about to receive (e.g. what puts would print) is now the command string passed to system, so /bin/sh in that buffer gives a shell

  • Caveat: this only works while the GOT entry is writable. With full RELRO (-z relro -z now) all entries are bound at load and the GOT is read-only afterwards; with partial RELRO .got.plt stays writable. Check with checksec, readelf -lW (GNU_RELRO segment) and readelf -d (FLAGS BIND_NOW / FLAGS_1 NOW)
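The whole procedure above, carried out by the process on itself instead of from gdb, as an added example that is not part of the original notes: it parses the binary's own .dynamic section to find the JUMP_SLOT relocation for puts (its r_offset is the GOT entry the PLT stub jumps through), reports whether the entry is still unbound (lazy binding) or already filled in (BIND_NOW), then overwrites it with the address of system so that the next puts(<string>) runs <string> as a shell command. The mprotect() call is what an exploit does not get: with full RELRO the GOT is read-only and the overwrite would fault. Assumes x86_64 Linux with glibc and a binary linked with a PLT (the gcc default); find_got_slot, got_slot_resolved, hijack_got and fake_puts are names this example introduces.

```c
// Added example (not from the original notes): find the GOT slot behind a PLT
// stub in the running process, observe lazy binding, then hijack the slot.
// Assumes x86_64 Linux/glibc and a PLT-linked executable (the gcc default).
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <unistd.h>

/* base: load bias (0 unless PIE); lo..hi: span of the PT_LOAD segments */
struct exe_info { Elf64_Addr base, lo, hi; const Elf64_Dyn *dyn; };

/* Describe the main executable from the auxiliary vector the kernel passed. */
static int describe_exe(struct exe_info *e)
{
    const Elf64_Phdr *ph = (const Elf64_Phdr *)getauxval(AT_PHDR);
    size_t n = getauxval(AT_PHNUM);
    if (!ph || !n) return -1;
    memset(e, 0, sizeof *e);
    e->lo = ~(Elf64_Addr)0;
    for (size_t i = 0; i < n; i++)          /* PT_PHDR reveals the load bias */
        if (ph[i].p_type == PT_PHDR) e->base = (Elf64_Addr)ph - ph[i].p_vaddr;
    for (size_t i = 0; i < n; i++) {
        Elf64_Addr s = e->base + ph[i].p_vaddr, t = s + ph[i].p_memsz;
        if (ph[i].p_type == PT_DYNAMIC) e->dyn = (const Elf64_Dyn *)s;
        if (ph[i].p_type != PT_LOAD) continue;
        if (s < e->lo) e->lo = s;
        if (t > e->hi) e->hi = t;
    }
    return e->dyn ? 0 : -1;                 /* no PT_DYNAMIC: statically linked */
}

/* glibc rebases a PIE's .dynamic d_ptr values in place, other loaders do not. */
static Elf64_Addr abs_ptr(const struct exe_info *e, Elf64_Addr p)
{
    return p < e->base ? p + e->base : p;
}

/* Address of the GOT slot the PLT stub for `name` jumps through, NULL if none. */
void **find_got_slot(const char *name)
{
    struct exe_info e;
    if (describe_exe(&e) != 0) return NULL;
    const Elf64_Rela *rela = NULL; const Elf64_Sym *sym = NULL;
    const char *str = NULL; size_t relasz = 0;
    for (const Elf64_Dyn *d = e.dyn; d->d_tag != DT_NULL; d++) {
        switch (d->d_tag) {
        case DT_JMPREL:   rela = (const Elf64_Rela *)abs_ptr(&e, d->d_un.d_ptr); break;
        case DT_PLTRELSZ: relasz = d->d_un.d_val; break;
        case DT_SYMTAB:   sym = (const Elf64_Sym *)abs_ptr(&e, d->d_un.d_ptr); break;
        case DT_STRTAB:   str = (const char *)abs_ptr(&e, d->d_un.d_ptr); break;
        }
    }
    if (!rela || !sym || !str) return NULL;
    for (size_t i = 0; i < relasz / sizeof *rela; i++) {  /* one per PLT stub */
        if (ELF64_R_TYPE(rela[i].r_info) != R_X86_64_JUMP_SLOT) continue;
        if (strcmp(str + sym[ELF64_R_SYM(rela[i].r_info)].st_name, name) == 0)
            return (void **)(e.base + rela[i].r_offset);  /* r_offset = GOT slot */
    }
    return NULL;
}

/* 1 once the dynamic linker has written the SO function's address into the
 * slot, 0 while it still points back into the binary's own PLT resolver stub. */
int got_slot_resolved(void **slot)
{
    struct exe_info e;
    if (describe_exe(&e) != 0) return -1;
    Elf64_Addr v = (Elf64_Addr)*slot;
    return !(v >= e.lo && v < e.hi);
}

/* Overwrite victim's GOT slot with target; later calls through its PLT stub land
 * there. mprotect() first: with full RELRO the loader mapped the GOT read-only,
 * so a plain write would SIGSEGV (an exploit cannot do this, which is why RELRO
 * matters). Returns the previous slot value, NULL on failure. */
void *hijack_got(const char *victim, void *target)
{
    void **slot = find_got_slot(victim);
    if (!slot) return NULL;
    long page = sysconf(_SC_PAGESIZE);
    void *pg = (void *)((Elf64_Addr)slot & ~(Elf64_Addr)(page - 1));
    if (mprotect(pg, (size_t)page, PROT_READ | PROT_WRITE) != 0) return NULL;
    void *old = *slot;
    *slot = target;
    return old;
}

const char *last_puts_arg;   /* hook that shows the redirect without a shell */
int fake_puts(const char *s) { last_puts_arg = s; return 0; }

int main(void)
{
    void **slot = find_got_slot("puts");
    if (!slot) { fprintf(stderr, "no GOT slot for puts (-fno-plt?)\n"); return 1; }
    printf("puts GOT slot %p holds %p: %s\n", (void *)slot, *slot,
           got_slot_resolved(slot) ? "bound at load (BIND_NOW)" : "lazy, not bound yet");
    puts("first call through the PLT binds it");
    printf("slot now holds %p\n", *slot);
    void *old = hijack_got("puts", (void *)system);   /* the pwn step from the notes */
    if (!old) { perror("hijack_got"); return 1; }
    puts("echo this argument reached system(), not puts()");   /* runs in sh */
    hijack_got("puts", old);                                    /* restore */
    return 0;
}
```

Build with gcc and compare: readelf -rW on the binary lists the same R_X86_64_JUMP_SLOT entries the code walks, with the GOT slot address in the Offset column, and checksec on the binary tells you whether RELRO would have stopped a real overwrite.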