So what makes this possible? Well, printf("1234%n", &x); writes the number 4 into the address held in &x (that is, into x): %n stores the count of characters printed so far, and "1234" is four characters.
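To make the %n behaviour concrete, here is a small C program I have added for this page (it is not the lecture's own code). It shows the count that %n stores, the shape of the bug when caller data is used as the format string, and the hardened call that passes the same data as an argument. The names chars_before_n, log_line_vulnerable and log_line_safe and the sample message are mine, and the snippet uses snprintf instead of printf so the results can be checked in a buffer rather than on the terminal.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture.
 * %n stores the number of characters emitted so far into the int it
 * points at. For prefix "1234" that count is 4, exactly as in the
 * printf("1234%n", &x) line above; the helper generalises to any prefix. */
int chars_before_n(const char *prefix) {
    char out[64];
    int n = -1;
    /* The format string is a literal: %s prints the prefix, %n then
     * records how many bytes came before it. */
    snprintf(out, sizeof out, "%s%n", prefix, &n);
    return n;
}

/* Vulnerable pattern: the caller's data IS the format string, so any
 * %x, %s or %n inside it is interpreted by the printf family. The
 * compiler flags this with -Wformat-security; the pragma only silences
 * that warning so the example builds, it does not make the code safe.
 * It is never called with hostile input here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
void log_line_vulnerable(char *dst, size_t cap, const char *msg) {
    snprintf(dst, cap, msg);
}
#pragma GCC diagnostic pop

/* Hardened pattern: a literal format string, the data passed as an
 * argument. A "%n" inside msg is copied through as two ordinary bytes
 * and is never treated as a conversion, so it cannot write anywhere. */
void log_line_safe(char *dst, size_t cap, const char *msg) {
    snprintf(dst, cap, "%s", msg);
}

/* Returns 1 if the safe logger reproduced a message full of
 * conversion characters byte-for-byte (constructed sample input). */
int safe_logger_preserves_percent_n(void) {
    const char *constructed_input = "user=alice %n %x %s"; /* constructed */
    char buf[64];
    log_line_safe(buf, sizeof buf, constructed_input);
    return strcmp(buf, constructed_input) == 0;
}

int main(void) {
    char buf[64];
    printf("chars before %%n for \"1234\": %d\n", chars_before_n("1234"));
    log_line_safe(buf, sizeof buf, "user=alice %n %x %s");
    printf("safe logger output: %s\n", buf);
    return 0;
}
```

The difference between the two loggers is the whole mitigation: when the format string is a literal in read-only memory, the only thing user data can influence is the bytes printed, never which conversions run. Building with -Wformat-security (and _FORTIFY_SOURCE, which makes glibc refuse %n in a format string that lives in writable memory) catches the vulnerable shape before it ships.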
Now we play together and I can explain as we go.
I think this isn't too tough for us.
OK so this one is cute: there is a magic table, the Global Offset Table (GOT), which holds the addresses of imported functions. If we can overwrite an address in the GOT then we can swap out the function that will get called.
My analogy version of this is a little bit like a librarian (the linker) who knows where to find what you need. If your executable is a book, then at the back of the book is the phone number for the librarian. That librarian will take requests and can be found reliably by you. Then the librarian brings you the book open to a particular page that you can now reference whenever you need.
So I'm going to go through some examples and we'll talk through all of the details of how exactly your binary looks up the locations of external library functions.
Here are the talking points followed by some screenshots that I might want to refer to. But this lecture will mostly be video based not text based.
Let's step through the PLT lazy-linking process.
The idea is to "memoize" the first expensive library address lookup.
(BTW: FULL RELRO means the dynamic linker does the entire PLT resolution process for all imported library functions up front, at load time, so that the GOT can be made truly read-only before the program runs)
The GOT table raw
How to print an address from memory
The ops of the linker (i.e. let's NOT dissect that)