longld / peda

PEDA - Python Exploit Development Assistance for GDB

RELRO Checking is not correct #155

Open ZhangZhuoSJTU opened 4 years ago

ZhangZhuoSJTU commented 4 years ago

PEDA's RELRO checking is incomplete.

In my case, it may identify a crafted ELF file without RELRO as FULL RELRO, which causes difficulty when writing an exploit.

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : FULL

gdb-peda$ p puts
$1 = {<text variable, no debug info>} 0x400480 <puts@plt>

gdb-peda$ nearpc 0x400480
   0x400471:    xor    eax,0x200b92
   0x400476:    jmp    QWORD PTR [rip+0x200b94]        # 0x601010
   0x40047c:    nop    DWORD PTR [rax+0x0]
   0x400480 <puts@plt>: jmp    QWORD PTR [rip+0x200b92]        # 0x601018
   0x400486 <puts@plt+6>:   push   0x0
   0x40048b <puts@plt+11>:  jmp    0x400470
   0x400490 <quick_exit@plt>:   jmp    QWORD PTR [rip+0x200b8a]        # 0x601020
   0x400496 <quick_exit@plt+6>: push   0x1

gdb-peda$ telescope 0x601018
0000| 0x601018 --> 0x7ffff7a64a30 (push   r13)
0008| 0x601020 --> 0x7ffff7a27810 (lea    rsi,[rip+0x3a7f09]        # 0x7ffff7dcf720)
0016| 0x601028 --> 0x7ffff7af4180 (lea    rax,[rip+0x2e0771]        # 0x7ffff7dd48f8)
0024| 0x601030 --> 0x0
0032| 0x601038 --> 0x0
0040| 0x601040 --> 0x0
0048| 0x601048 --> 0x0
0056| 0x601050 --> 0x0

gdb-peda$ vmmap 0x601018
Start              End                Perm  Name
0x00601000         0x00602000         rw-p  /u/antor/u28/zhan3299/trojai/ZeroPatch/workshop/easiest_patch

It is easy to check that the GOT entry of the puts function is writable, but checksec reports it as FULL RELRO.

Details can be found here

easiest_patch.zip
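The report above shows why a RELRO check that only looks at one indicator is not enough: a binary can carry the BIND_NOW flags while its PLT GOT still lives in a writable page. The following script is an added example written for this thread, not PEDA's own checksec code. It reads the ELF64 program headers and dynamic section directly, classifies RELRO the way the linker defines it (a PT_GNU_RELRO segment plus DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW), and then adds the cross-check a reviewer would want: the address in DT_PLTGOT must fall inside a PT_GNU_RELRO range, otherwise the GOT is still writable and "FULL" is the wrong answer. The ELF images it analyses are constructed in memory for demonstration; the GOT address 0x601018 is taken from the issue, everything else about those images (segment addresses, sizes, file layout) is assumed.

```python
"""Minimal RELRO checker for little-endian ELF64 files (added example, not PEDA code)."""
import struct
import sys

# ELF constants as defined in the ELF ABI / glibc elf.h
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_PLTGOT = 3
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def parse_elf64(data):
    """Return (program headers, dynamic entries) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    fields = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    phdrs = [dict(zip(PHDR_FIELDS, PHDR.unpack_from(data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + DYN.size <= end:
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += DYN.size
    return phdrs, dyn


def relro_status(data):
    """Classify RELRO, refusing to report FULL when the PLT GOT is outside the RELRO range."""
    phdrs, dyn = parse_elf64(data)
    relro = [ph for ph in phdrs if ph["type"] == PT_GNU_RELRO]
    if not relro:
        return "No RELRO"
    bind_now = (DT_BIND_NOW in dyn
                or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    if not bind_now:
        return "Partial RELRO"
    # Full RELRO only holds if .got.plt (DT_PLTGOT) is covered by a PT_GNU_RELRO segment;
    # otherwise the loader never remaps it read-only and the entries stay writable.
    pltgot = dyn.get(DT_PLTGOT)
    if pltgot is not None and not any(
            ph["vaddr"] <= pltgot < ph["vaddr"] + ph["memsz"] for ph in relro):
        return "Partial RELRO (BIND_NOW set, but .got.plt is outside PT_GNU_RELRO)"
    return "Full RELRO"


def build_sample_elf(relro=None, bind_now=False, pltgot=0x601018):
    """Construct a tiny ELF64 image for testing (constructed data, not a real binary).

    relro is an optional (vaddr, size) pair for a PT_GNU_RELRO segment; the dynamic
    segment address 0x600e00 and the entry point are assumed placeholder values.
    """
    n_phdrs = 2 if relro else 1
    dyn_off = EHDR.size + PHDR.size * n_phdrs
    flags = DF_BIND_NOW if bind_now else 0
    flags1 = DF_1_NOW if bind_now else 0
    dyn = b"".join(DYN.pack(t, v) for t, v in (
        (DT_PLTGOT, pltgot), (DT_FLAGS, flags), (DT_FLAGS_1, flags1), (DT_NULL, 0)))
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0x600E00, 0x600E00, len(dyn), len(dyn), 8)
    if relro:
        start, size = relro
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, 0, start, start, size, size, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, 2, 62, 1, 0x400470, EHDR.size, 0, 0, EHDR.size,
                     PHDR.size, n_phdrs, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(relro_status(f.read()))
    else:
        # Constructed image mirroring the issue: BIND_NOW flags set, GOT at 0x601018 outside RELRO
        print(relro_status(build_sample_elf(relro=(0x600E00, 0x200), bind_now=True)))
```

Running the script on a real binary (`python3 relro_check.py ./easiest_patch`) prints the classification; without arguments it evaluates the constructed image that reproduces the situation in this report, where the flags say FULL but the GOT page stays `rw-p`. The range check is the part a practitioner should keep in mind: with a normal `-z now -z relro` link `.got.plt` is merged into the RELRO region, so DT_PLTGOT landing outside it is a reliable sign that the flags do not tell the whole story.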

JackJuly commented 1 year ago

Same problem.