Hookless in MetaCTF 2021 writeup
tacbliw opened this issue
Hi, in your writeup for the Hookless challenge in MetaCTF 2021, you wrote:

> we probably could also have leaked the address of the bss or program base, via ld.so vars.. and overwrite a GOT entry... we left that as an exercise for the most motivated...

I wonder how to leak the program base from ld.so?

Thanks
Look at this capture: when using the gef extension, you can do `scan ld.so binary`. It will print references to the binary's mapping zones (exec, bss, etc.) found in ld.so, as you can see in the picture.

You can see that there are many references to binary addresses in ld.so, which we can leak too, to calculate the program base and eventually overwrite a GOT entry.
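To make the `scan ld.so binary` step concrete, here is a small added example (not code from the writeup, the challenge, or gef itself) that re-implements what the command does: walk a memory region (the "haystack", here a constructed 64-byte slice standing in for ld.so's writable data) and report every aligned 8-byte word whose value falls inside another mapping (the "needle", here the PIE binary's range). A second helper shows the arithmetic that turns one such leaked pointer into the load base, given the pointed-to object's offset inside the ELF (which you would read from `readelf -s` or gef's `xinfo`). The addresses, the slice contents and the `0x4000`/`0x3f00` offsets are all constructed for the example.

```python
import struct

# Constructed example values: a PIE load base and the binary's mapped range
# (exec + data + bss), as gef's `vmmap` would show them.
PIE_BASE = 0x555555554000
BIN_RANGE = (PIE_BASE, PIE_BASE + 0x5000)
LDSO_DATA_ADDR = 0x7ffff7ffe000  # where our fake ld.so data slice "lives"


def build_ldso_data_slice(base):
    """Construct a fake 64-byte region imitating ld.so's .data/.bss.

    It mixes pointers into the main binary (the kind of link_map-style fields
    the scan is meant to surface) with unrelated pointers and plain noise.
    """
    words = [
        0x7ffff7fc1000,          # pointer into some other library: ignored
        base,                    # load base of the main binary
        0x0,
        base + 0x4000,           # pointer into the binary's .bss
        0x4141414141414141,      # noise, not an address
        0x7ffff7ffd000,          # pointer inside ld.so itself: ignored
        base + 0x3f00,           # pointer into the binary's .data
        0x0,
    ]
    return b"".join(struct.pack("<Q", w) for w in words)


def scan_for_pointers(haystack, haystack_addr, needle_range, width=8):
    """Equivalent of gef's `scan HAYSTACK NEEDLE` core loop.

    Returns (address_in_haystack, value) for every aligned word of `haystack`
    whose value lies inside `needle_range` = (lo, hi), hi exclusive.
    """
    lo, hi = needle_range
    hits = []
    for off in range(0, len(haystack) - width + 1, width):
        (val,) = struct.unpack("<Q", haystack[off:off + width])
        if lo <= val < hi:
            hits.append((haystack_addr + off, val))
    return hits


def recover_base(leaked_value, known_offset, page=0x1000):
    """Turn a leaked pointer into the load base.

    `known_offset` is the static offset of the pointed-to object inside the
    ELF; subtracting it from the runtime value gives the base. A non-page-
    aligned result means the offset (or the leak) is wrong, so fail loudly.
    """
    base = leaked_value - known_offset
    if base % page != 0:
        raise ValueError("base is not page aligned; check the offset or the leak")
    return base


if __name__ == "__main__":
    region = build_ldso_data_slice(PIE_BASE)
    for addr, val in scan_for_pointers(region, LDSO_DATA_ADDR, BIN_RANGE):
        print(f"{addr:#x} -> {val:#x}")
    # Pretend the .bss pointer was leaked and its ELF offset 0x4000 is known.
    print(f"recovered base: {recover_base(PIE_BASE + 0x4000, 0x4000):#x}")
```

The scan is purely an inspection step: it tells you which words of the haystack would be worth reading. Whether a given word is actually readable through the bug in the challenge is a separate question, and the page-alignment check in `recover_base` is the quickest sanity test that the offset you paired with the leak is the right one.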