system) into the PLT. This then means the attacker can use the PLT function as if it was originally part of the binary, bypassing ASLR (if present) and requiring no libc leaks.
libc functions when they are first called using the PLT and GOT. During the relocation of a runtime symbol, RIP will jump to the PLT and attempt to resolve the symbol. During this process a "resolver" is called.
jmp in the PLT to resolve it.
/bin/sh) once resolved.
.rel.plt) stores the Relocation Table, which maps each entry to a symbol.
name corresponds to our symbol name. The
offset is the GOT entry for our symbol.
info stores additional metadata.
0x107 >> 8 = 1.
st_name as this gives the offset in STRTAB of the symbol name. The other fields are not relevant to the exploit itself.
STRTAB offset of the symbol's string using the
R_SYM value we got from the
JMPREL, combined with
SYMTAB + R_SYM * size (16), and it appears that the offset (the
STRTAB, we get the symbol's name!
reloc_offset value and jump to the beginning of the
.plt section. A few instructions later, the
dl-resolve() function is called, with
reloc_offset being one of the arguments. It then uses this
reloc_offset to calculate the relocation and symtab entries.
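Worked example, added here and not part of the original notes: the JMPREL -> SYMTAB -> STRTAB walk described above, driven by the same reloc_offset the resolver receives, carried out over constructed 32-bit tables (Elf32_Rel is 8 bytes and Elf32_Sym 16 bytes, matching the size used above). The table contents, GOT addresses and symbol names are made up for illustration; the structure layouts and the R_SYM = info >> 8 split are the standard ELF32 ones.

```python
import struct

# Constructed sample tables (not taken from any real binary). 32-bit ELF layout:
#   Elf32_Rel = { r_offset: u32, r_info: u32 }                      (8 bytes)
#   Elf32_Sym = { st_name: u32, st_value: u32, st_size: u32,
#                 st_info: u8, st_other: u8, st_shndx: u16 }        (16 bytes)
R_386_JMP_SLOT = 7
SYM_SIZE = 16

# STRTAB: NUL-terminated names back to back; offset 1 = "puts", offset 6 = "system"
STRTAB = b"\x00puts\x00system\x00"

# SYMTAB: index 0 is the mandatory null symbol; only st_name matters here
SYMTAB = (
    struct.pack("<IIIBBH", 0, 0, 0, 0, 0, 0)
    + struct.pack("<IIIBBH", 1, 0, 0, 0x12, 0, 0)   # st_name = 1 -> "puts"
    + struct.pack("<IIIBBH", 6, 0, 0, 0x12, 0, 0)   # st_name = 6 -> "system"
)

# JMPREL: one Elf32_Rel per PLT slot; r_info = (R_SYM << 8) | R_TYPE
JMPREL = (
    struct.pack("<II", 0x0804A00C, (1 << 8) | R_386_JMP_SLOT)    # GOT slot, sym 1
    + struct.pack("<II", 0x0804A010, (2 << 8) | R_386_JMP_SLOT)  # GOT slot, sym 2
)


def resolve_name(reloc_offset, jmprel=JMPREL, symtab=SYMTAB, strtab=STRTAB):
    """Follow reloc_offset through JMPREL -> SYMTAB -> STRTAB like the resolver.

    reloc_offset is the byte offset into JMPREL that the PLT stub pushes.
    Returns (got_entry, symbol_name). Unlike the real resolver, this parser
    refuses entries that point outside the tables it was given.
    """
    r_offset, r_info = struct.unpack_from("<II", jmprel, reloc_offset)
    r_sym, r_type = r_info >> 8, r_info & 0xFF          # e.g. 0x107 -> sym 1, type 7
    if r_type != R_386_JMP_SLOT:
        raise ValueError(f"unexpected relocation type {r_type}")
    sym_off = r_sym * SYM_SIZE                           # SYMTAB + R_SYM * 16
    if sym_off + SYM_SIZE > len(symtab):
        raise ValueError(f"symbol index {r_sym} is outside SYMTAB")
    st_name = struct.unpack_from("<I", symtab, sym_off)[0]
    if st_name >= len(strtab):
        raise ValueError(f"st_name {st_name} is outside STRTAB")
    end = strtab.index(b"\x00", st_name)                 # STRTAB + st_name, NUL-terminated
    return r_offset, strtab[st_name:end].decode()
```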