Don't like this style? Click here to change it! blue.css

Welcome .... Click here to logout


So what makes this possible? Well printf("1234%n", &x); writes the number 4 into the address &x

Now we play together and I can explain as we go.

Target 1: The stack return address

I think this isn't too tough for us.

Target 2: The GOT table

OK so this one is cute: there is a magic table (the GOT) which holds the address location of imported functions. If we can overwrite an address in the got then we can swap out the function that will get called.

GOT PLT Lazy Linking

My analogy version of this is a little bit like a librarian (the linker) who knows where to find what you need. If your executable is a book then at the back of the book is the phone number for the libarian. That librarian will take requests and can be found reliably by you. Then the librarian brings you the book open to a particular page that you can now reference whenever you need.

So I'm going to go through some examples and we'll talk out all of the details how exactly your binary looks up the locations of external library functions.

Our goal is to understand this

Here are the talking points followed by some screenshots that I might want to refer to. But this lecture will mostly be video based not text based.

Using 3baby_boi as the demo of PLT/GOT lazy-linking

Let's step through the PLT lazy-linking process.

The idea is to "memoize" the first expensive library address lookup.

(BTW: FULL RELRO means we do the entire PLT process for all imported library functions in advance so that the GOT table can be truly read-only)

The GOT table raw

the GOT table raw

How to print an address from memory

The ops of the linker (i.e. let's NOT dissect that)

the linker...

Quick Pwntools Version