Write-What-Where

So what makes this possible? Well printf("1234%n", &x); writes the number 4 into the address &x

Now we play together and I can explain as we go.

Target 1: The stack return address

I think this isn't too tough for us.

Target 2: The GOT table

OK so this one is cute: there is a magic table (the GOT) which holds the address location of imported functions. If we can overwrite an address in the got then we can swap out the function that will get called.

GOT PLT Lazy Linking

My analogy version of this is a little bit like a librarian (the linker) who knows where to find what you need. If your executable is a book then at the back of the book is the phone number for the libarian. That librarian will take requests and can be found reliably by you. Then the librarian brings you the book open to a particular page that you can now reference whenever you need.

So I'm going to go through some examples and we'll talk out all of the details how exactly your binary looks up the locations of external library functions.

Here are the talking points followed by some screenshots that I might want to refer to. But this lecture will mostly be video based not text based.

Using 3baby_boi as the demo of PLT/GOT lazy-linking

Let's step through the PLT lazy-linking process.

The idea is to "memoize" the first expensive library address lookup.

• When we do call sym.imp.func1 the address it jumps to is the PLT address for func1 which is in a contiguous segment (with R-X permissions) from the machine code at some fixed offset
• The first line (of only 3 lines) at that address in the PLT part is a JUMP to the address stored in the GOT segment for func1, always.
• This segment gets populated in the beginning of the program and the first value if populates with is actually line 2 of the PLT!?!? so the first jump is actually just a one line progression as if there were no jump... cute
• All futures times will jump to some other address so these next 2 lines only run once
• a fixed value is pushed into the stack then the dynamic linker is called
• That linker identifies the address of the desired library function and stores that address in the address inside the GOT table (and then send you to that address)
• All future call sym.imp.func1 first jump to the address stored in GOT which will now directly be the correct op codes from the library

(BTW: FULL RELRO means we do the entire PLT process for all imported library functions in advance so that the GOT table can be truly read-only)

The GOT table raw

How to print an address from memory

The ops of the linker (i.e. let's NOT dissect that)

Quick Pwntools Version