PWN Exploitation of exit_hook and Its Principles
_rtld_global
- One arbitrary write: a one_gadget (OG)
- Two arbitrary writes: func + arg1
- Forge the _rtld_global structure
Cause
In short, when exit() calls _dl_fini, _dl_fini takes and releases the loader lock through the macros __rtld_lock_lock_recursive and __rtld_lock_unlock_recursive. After macro expansion these become _rtld_global._dl_rtld_lock_recursive(&_rtld_global._dl_load_lock.mutex) and _rtld_global._dl_rtld_unlock_recursive(&_rtld_global._dl_load_lock.mutex), i.e. indirect calls through function pointers stored in the writable _rtld_global structure, with a pointer into that same structure as the single argument.
Usage
| libc | _rtld_global | __rtld_lock_lock_recursive (offset in _rtld_global) | __rtld_lock_unlock_recursive (offset in _rtld_global) |
|---|---|---|---|
| libc-2.23 | 0x5f0040 | 3848 | 3856 |
| libc-2.27 | 0x619060 | 3840 | 3848 |
| libc-2.31 | 0x23e060 | 3848 | 3856 |
Overwrite the _dl_rtld_lock_recursive / _dl_rtld_unlock_recursive pointer with a one_gadget.
Or overwrite the _dl_rtld_lock_recursive / _dl_rtld_unlock_recursive pointer with func, and additionally overwrite _rtld_global._dl_load_lock.mutex with arg1, since that field is what gets passed as the first argument.
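The flip side of the mechanism above is that the two pointers are easy to audit. The following program is an added example, not code from this note: it registers an atexit() handler (user handlers run before _dl_fini, so it sees the pointers right before the loader calls them) and checks that the _dl_rtld_lock_recursive / _dl_rtld_unlock_recursive slots, at the offsets from the table above, still point into loader code. It assumes a glibc x86-64 process: _rtld_global and gnu_get_libc_version are reached through weak references (hypothetical approach, so non-glibc or static builds fall back to "cannot verify"), the trusted text ranges are read from /proc/self/maps, and libpthread is accepted alongside ld.so because on these releases libpthread's initialisation legitimately repoints both slots to its own mutex routines. Releases outside the page's table are skipped rather than guessed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Weak references to glibc-private symbols (assumption: glibc on x86-64).
 * They bind to ld.so / libc when present and stay NULL otherwise, so the
 * check degrades to "cannot verify" instead of failing to link. */
extern char _rtld_global __attribute__((weak));
extern const char *gnu_get_libc_version(void) __attribute__((weak));

typedef struct {
    const char *version;   /* release string as gnu_get_libc_version() reports it */
    size_t lock_off;       /* offset of the _dl_rtld_lock_recursive pointer */
    size_t unlock_off;     /* offset of the _dl_rtld_unlock_recursive pointer */
} hook_layout;

/* Offsets taken from the table on this page; other releases are unknown. */
static const hook_layout LAYOUTS[] = {
    { "2.23", 3848, 3856 },
    { "2.27", 3840, 3848 },
    { "2.31", 3848, 3856 },
};

/* Look up the hook offsets for a glibc release: 1 if known, 0 otherwise. */
int hook_offsets(const char *ver, size_t *lock_off, size_t *unlock_off)
{
    for (size_t i = 0; i < sizeof LAYOUTS / sizeof LAYOUTS[0]; i++) {
        if (strcmp(LAYOUTS[i].version, ver) == 0) {
            *lock_off = LAYOUTS[i].lock_off;
            *unlock_off = LAYOUTS[i].unlock_off;
            return 1;
        }
    }
    return 0;
}

typedef struct { uintptr_t lo, hi; } text_range;
#define MAX_RANGES 8

/* Parse one /proc/self/maps line. Returns 1 and fills [lo, hi) only for an
 * executable mapping of ld.so or libpthread, the objects whose code the two
 * hook pointers legitimately reference on the releases in the table. */
int parse_maps_line(const char *line, uintptr_t *lo, uintptr_t *hi)
{
    unsigned long start, end;
    char perms[5] = { 0 };
    if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
        return 0;
    if (perms[2] != 'x')
        return 0;
    if (strstr(line, "/ld-") == NULL && strstr(line, "/libpthread") == NULL)
        return 0;
    *lo = (uintptr_t)start;
    *hi = (uintptr_t)end;
    return 1;
}

/* Collect the trusted executable ranges of the running process. */
static size_t load_trusted_ranges(text_range *out, size_t max)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    size_t n = 0;
    if (f == NULL)
        return 0;
    while (n < max && fgets(line, sizeof line, f) != NULL)
        if (parse_maps_line(line, &out[n].lo, &out[n].hi))
            n++;
    fclose(f);
    return n;
}

/* 1 if p lies inside any of the n ranges, 0 otherwise. */
int ptr_in_ranges(const text_range *r, size_t n, uintptr_t p)
{
    for (size_t i = 0; i < n; i++)
        if (p >= r[i].lo && p < r[i].hi)
            return 1;
    return 0;
}

/* 1 = both hook pointers still point into trusted loader code,
 * 0 = at least one was redirected, -1 = cannot verify in this environment. */
int check_exit_hooks(void)
{
    char *base = &_rtld_global;
    size_t lock_off, unlock_off;
    text_range ranges[MAX_RANGES];
    if (base == NULL || gnu_get_libc_version == NULL)
        return -1;
    if (!hook_offsets(gnu_get_libc_version(), &lock_off, &unlock_off))
        return -1;
    size_t n = load_trusted_ranges(ranges, MAX_RANGES);
    if (n == 0)
        return -1;
    uintptr_t lock = *(uintptr_t *)(base + lock_off);
    uintptr_t unlock = *(uintptr_t *)(base + unlock_off);
    return ptr_in_ranges(ranges, n, lock) && ptr_in_ranges(ranges, n, unlock);
}

/* atexit() handlers run before _dl_fini, so this inspects the two slots
 * right before the loader would call through them. */
static void report_at_exit(void)
{
    int r = check_exit_hooks();
    if (r == 1)
        puts("exit hooks intact");
    else if (r == 0)
        puts("WARNING: _rtld_global lock hook points outside ld.so/libpthread");
    else
        puts("exit hook check skipped (unknown glibc layout)");
}

int main(void)
{
    atexit(report_at_exit);
    return 0;
}
```

The check is only as good as the offset table: on a release it does not know it reports "skipped" instead of reading a guessed slot, which is the behaviour you want from an integrity check that could otherwise produce false alarms.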
info
This content is generated by ChatGPT and might be wrong or incomplete; refer to the Chinese version if you find something wrong.