ret2dl_resolve(x86_64)

Transcript

1. None
2. None
3. None
4. None

5. Elf64_Rela r_offset (size=0x8) r_info (size=0x8) r_addend (size=0x8)

6. Elf64_Rela r_offset (size=0x8) r_info (size=0x8) r_addend (size=0x8) typedef struct {

   Elf64_Addr r_offset; /* Address */ Elf64_Xword r_info; /* Relocation type and symbol index */ Elf64_Sxword r_addend; /* Addend */ } Elf64_Rela;

7. Elf64_Rela r_offset (size=0x8) r_info (size=0x8) r_addend (size=0x8) 
   GOT Elf64_Symindex

8. None

9. Elf64_Sym st_name (size=0x4) st_info (size=0x1) st_other (size=0x1) st_shndx (size=0x2) st_value

   (size=0x8) st_size (size=0x8)

10. Elf64_Sym st_name (size=0x4) st_info (size=0x1) st_other (size=0x1) st_shndx (size=0x2) st_value

    (size=0x8) st_size (size=0x8) typedef struct { Elf64_Word st_name; /* Symbol name (string tbl index) */ unsigned char st_info; /* Symbol type and binding */ unsigned char st_other; /* Symbol visibility */ Elf64_Section st_shndx; /* Section index */ Elf64_Addr st_value; /* Symbol value */ Elf64_Xword st_size; /* Symbol size */ } Elf64_Sym;

11. Elf64_Sym st_name (size=0x4) st_info (size=0x1) st_other (size=0x1) st_shndx (size=0x2) st_value

    (size=0x8) st_size (size=0x8) 
    offset 
12. None
13. None
14. None

15. “Hello, world!” %* '&”hello”
    '$'( puts() (+   “hello.c”#,! “hello”

    "+$)

16. “Hello, world!” ).$+*”hello”
    +"(+,puts() ,/#   “hello.c”'0% “hello” !&/(-

     
17. None

18. [email protected]
    

19. 0x601018<[email protected]>
    0x400416

20. 0x601018<[email protected]>
    0x400416<puts@plt+6>

21. 1. Stack
    0(reloc_offset)push

22. 1. Stack0(reloc_offset)push 2. 0x400400(.plt
    )

23. 1. Stack 0(reloc_offset)push 2. 0x400400(.plt
    )  3. [0x601008]push [0x601010](_dl_runtime_resolve()) 

    link_map    
24. None
25. None
26. None
27. None

28. .rela.plt .dynstr .dynsym puts
    Elf64_Rela __libc_start_m ain
    Elf64_Rela  

     puts
    ELF64_Sym __libc_start_m ain
    ELF64_Sym    libc.so.6¥x00 puts¥x00 __libc_start_main ¥x00 ...

29. .rela.plt .dynstr .dynsym puts Elf64_Rela __libc_start_m ain Elf64_Rela  

     puts ELF64_Sym __libc_start_m ain ELF64_Sym libc.so.6¥x00 puts¥x00 __libc_start_main ¥x00 ...    .rela.plt reloc_offset Elf64_Rela
    

30. .rela.plt .dynstr .dynsym puts Elf64_Rela __libc_start_m ain Elf64_Rela puts ELF64_Sym

    __libc_start_m ain ELF64_Sym    libc.so.6¥x00 puts¥x00 __libc_start_main ¥x00 ... .dynsym r_info >> 32 Elf64_Sym
       

31. .rela.plt .dynstr .dynsym puts Elf64_Rela __libc_start_m ain Elf64_Rela puts ELF64_Sym

    __libc_start_m ain ELF64_Sym    libc.so.6¥x00 puts¥x00 __libc_start_main ¥x00 ... .dynstr
     st_name      
32. None

33. puts()
    reloc_offset

34. puts()Elf64_Rela
     = rela.plt + puts()rela_offset * Elf64_Rela
      = 0x400398

    + 0x0 * 0x18 = 0x400398

35. puts()Elf64_Rela
     = rela.plt + puts()rela_offset * Elf64_Rela
      = 0x400398

    + 0x0 * 0x18 = 0x400398 r_info = puts()Elf64_Sym
    index << 32 | R_386_JMP_SLOT = 0x1 << 32 | 0x7 = 0x0000000100000007

36. puts()Elf64_Sym
     = .dynsym + puts()Elf64_Rela
    r_info << 32* Elf64_Rela
      =

    0x4002b8 + 0x1 * 0x18 = 0x4002d0

37. puts()Elf64_Sym
     = .dynsym + puts()Elf64_Rela
    r_info << 32* Elf64_Sym
      =

    0x4002b8 + 0x1 * 0x18 = 0x4002d0 st_name = 0xb st_info = 0x12

38. puts()  = .dynstr  + puts() Elf64_Sym
    st_name =

    0x400318 + 0xb = 0x400323
39. None
40. None
41. None
42. None

43. .rela.plt .dynstr .dynsym puts
    Elf64_Rela __libc_start_m ain
    Elf64_Rela  

     puts
    ELF64_Sym __libc_start_m ain
    ELF64_Sym    libc.so.6¥x00 puts¥x00 __libc_start_main ¥x00 ...

44. .bss
    Elf64_Relo
    Elf64_Sym “system¥x00” push
    reloc_offset _dl_runtime_resolve(“/bin/sh”)

45. .bss
    Elf64_Relo
    Elf64_Sym “system¥x00” push
    reloc_offset _dl_runtime_resolve(“/bin/sh”)
    reloc_offset = (A

    - .rela.plt) / 0x18 A

46. .bss
    Elf64_Relo
    Elf64_Sym “system¥x00” push
    reloc_offset _dl_runtime_resolve(“/bin/sh”)
    r_info = ((B

    - .dynsym) / 0x18) << 32 | 0x7 B

47. .bss
    Elf64_Relo
    Elf64_Sym “system¥x00” push
    reloc_offset _dl_runtime_resolve(“/bin/sh”)
    st_name = (C

    - .dynstr) C
48. None
49. None
50. None
51. None
52. None
53. None
54. None
55. None
56. None
57. None
58. None
59. None
60. None