ELF (Executable and Linkable Format)

tags: Security PWN

Online Resources

Angelboy/basic knowledge

Workflow

Static library

Dynamic linking library

Section

  • .bss - uninitialized global variables (zero-filled at load time)
  • .data - initialized global variables
  • .rodata - read-only data (string literals, constants)
  • .text - the compiled code

Protections

PIE - Position-Independent Executable

turn off protection

(choose one)
-no-pie                                                 (compile without PIE; the binary is loaded at a fixed address)
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space   (ASLR; disables address randomization system-wide, so even a PIE binary loads at a fixed address)

NX - No-eXecute

turn off protection

-z execstack

Canary - stack protector

turn off protection

gcc -fno-stack-protector      # disable
gcc -fstack-protector         # partly enable: only functions with a local char array of at least ssp-buffer-size bytes (default 8) or an alloca call
gcc -fstack-protector-all     # enable for every function

RELRO - Relocation Read-Only

turn off protection

-z norelro
(-z relro gives partial RELRO; -z relro -z now gives full RELRO, which also disables lazy binding because the whole GOT must be resolved before it is made read-only)
  • In partial RELRO
    • the non-PLT part of the GOT section (.got in readelf output) is read-only
    • .got.plt is still writable
  • In complete RELRO
    • the entire GOT (.got and .got.plt both) is marked read-only
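As an added example (not part of the original notes), a small checksec-style checker in Python that reads the ELF64 program headers and dynamic section to report the PIE, NX and RELRO state of the protections above. The canary check is left out because it needs the symbol table; build_sample_elf is a constructed, header-only test image, not a runnable binary.

```python
import struct

# ELF constants used below (values from elf.h)
ET_DYN, PF_X = 3, 1
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf64(data: bytes) -> dict:
    """Report PIE, NX and RELRO for a little-endian ELF64 image (the raw file bytes)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx, relro_seg, dyn = False, False, None  # no PT_GNU_STACK means executable stack
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:       # NX: the stack segment must not carry PF_X
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:     # region the loader mprotect()s read-only after relocation
            relro_seg = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    bind_now = False                     # full RELRO also needs BIND_NOW (no lazy binding)
    if dyn:
        off, end = dyn[0], dyn[0] + dyn[1]
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            off += 16
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    relro = "Full" if relro_seg and bind_now else "Partial" if relro_seg else "No"
    return {"PIE": e_type == ET_DYN, "NX": nx, "RELRO": relro}

def build_sample_elf(pie=True, exec_stack=False, relro="Full") -> bytes:
    """Constructed test image: only the headers the checker reads, not a runnable binary."""
    phdrs = [(PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 0)]
    if relro != "No":
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 0))
    dynamic = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if relro == "Full" else b"") + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (len(phdrs) + 1)  # dynamic array follows the ELF header and all phdrs
    phdrs.append((PT_DYNAMIC, 6, dyn_off, 0, 0, len(dynamic), len(dynamic), 8))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs) + dynamic
```

To check a real binary, call check_elf64(open(path, "rb").read()) and compare with readelf -l / readelf -d output.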

Other

FORTIFY

gcc -D_FORTIFY_SOURCE=1 adds checks at compile time only (the checked functions must come from the fortified headers, e.g. #include <string.h>).
gcc -D_FORTIFY_SOURCE=2 also adds checks at run time (a detected buffer overflow terminates the program).
Both levels only take effect when optimization is enabled (-O1 or higher).

turn off protection

-U_FORTIFY_SOURCE     (turn off)
-D_FORTIFY_SOURCE=2   (turn on)

Lazy Binding

Before the first call, the GOT entries look like this (puts_got is the GOT slot for puts):

0x601010:       0x00007ffff7dee870        # GOT[2] = _dl_runtime_resolve
0x601018:       0x0000000000400586        # puts_got: still points back into puts@plt+6

The call goes through the PLT stub:

call   0x400580 <puts@plt>
0x400580 <puts@plt>:     jmp    QWORD PTR [rip+0x200a92]        # [0x601018] jump to whatever puts_got holds
0x400586 <puts@plt+6>:   push   0x0                              # relocation index of puts
0x40058b <puts@plt+11>:  jmp    0x400570                         # PLT0
0x400570:    push   QWORD PTR [rip+0x200a92]        # [0x601008] GOT[1] = link_map of this object
0x400576:    jmp    QWORD PTR [rip+0x200a94]        # [0x601010] GOT[2] = _dl_runtime_resolve
0x7ffff7dee870 <_dl_runtime_resolve_avx>:    push   rbx

The resolver looks up puts, writes its address into puts_got and jumps to it; every later call goes straight from the first jmp into libc:

0x601010:       0x00007ffff7dee870
0x601018:       0x00007ffff7a7c690        # puts_got: now the address of puts in libc

  • .got - GOT entries for data relocations, resolved by the loader at start-up
  • .got.plt - GOT entries for PLT function calls (like puts_got above), filled in lazily on the first call unless full RELRO / BIND_NOW is used