by nvarsj
1682 days ago
It definitely makes generic exploits harder. Without RELRO it's easy to leak libc once you find an overflow. You can also easily take control via overwriting the GOT pointers. Unsure what you mean by "any in the binary" - with PIE you can't do much even if you know a fixed offset, unless you can leak the binary location. Although if you can read/write into the stack you can usually find something useful regardless of RELRO/etc.

One of my favorite examples of bypassing RELRO is the sudo exploit that took advantage of a simple format string vulnerability. It was downplayed at the time by the sudo maintainer as not easy to exploit due to FORTIFY. But you could get full root just doing a very simple payload, because sudo already calls system(/bin/sh) and FORTIFY itself was easily exploitable. [1][2]

1: https://www.sudo.ws/alerts/sudo_debug.html
2: https://www.vnsecurity.net/research/2012/02/16/exploiting-su...
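As an added illustration, not part of nvarsj's comment or of the linked sudo advisory, here is a small Linux/glibc C program that reports, for its own process, the hardening properties the comment discusses: whether a PT_GNU_RELRO segment exists, whether the binary was linked with BIND_NOW (the difference between partial and full RELRO), whether the .got.plt that DT_PLTGOT points at actually lands inside the read-only range (i.e. whether a write primitive could still redirect a PLT target), and whether it is PIE. The names `inspect_self`, `struct hardening` and the `RELRO_*` constants are mine; `getauxval(AT_PHDR)` and the linker-defined `_DYNAMIC` symbol are standard glibc/ld facilities. The PIE test (nonzero load bias) and the DT_PLTGOT relocation fix-up are heuristics, marked as such in the code.

```c
/* Added example (not from the thread): inspect the running process for the
 * hardening properties discussed above. Linux/glibc only: uses the auxiliary
 * vector (AT_PHDR/AT_PHNUM) and the linker-defined _DYNAMIC symbol. */
#define _GNU_SOURCE
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/auxv.h>

#if UINTPTR_MAX == 0xffffffffu
typedef Elf32_Phdr ElfPhdr;
typedef Elf32_Dyn  ElfDyn;
#else
typedef Elf64_Phdr ElfPhdr;
typedef Elf64_Dyn  ElfDyn;
#endif

/* Linker-provided address of this executable's .dynamic section (weak so a
 * static build still links; inspect_self() then reports nothing useful). */
extern ElfDyn _DYNAMIC[] __attribute__((weak));

enum relro_level { RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

struct hardening {
    int has_relro_segment;  /* PT_GNU_RELRO present: loader mprotects that range read-only */
    int bind_now;           /* DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW: all PLT symbols resolved at load */
    int gotplt_in_relro;    /* DT_PLTGOT (the .got.plt) lies inside the RELRO range */
    int is_pie;             /* heuristic: loader placed the image at a nonzero base */
    enum relro_level relro;
};

struct hardening inspect_self(void) {
    struct hardening h = {0, 0, 0, 0, RELRO_NONE};
    const ElfPhdr *ph = (const ElfPhdr *)getauxval(AT_PHDR);
    unsigned long phnum = getauxval(AT_PHNUM);
    const ElfDyn *dyn = _DYNAMIC;
    uintptr_t bias = 0, relro_lo = 0, relro_hi = 0, gotplt = 0;
    if (!ph || !dyn) return h;

    /* Load bias: runtime address of .dynamic minus its link-time p_vaddr. */
    for (unsigned long i = 0; i < phnum; i++)
        if (ph[i].p_type == PT_DYNAMIC)
            bias = (uintptr_t)dyn - (uintptr_t)ph[i].p_vaddr;

    for (unsigned long i = 0; i < phnum; i++) {
        if (ph[i].p_type == PT_GNU_RELRO) {
            h.has_relro_segment = 1;
            relro_lo = bias + (uintptr_t)ph[i].p_vaddr;
            relro_hi = relro_lo + (uintptr_t)ph[i].p_memsz;
        }
    }

    for (const ElfDyn *d = dyn; d->d_tag != DT_NULL; d++) {
        switch (d->d_tag) {
        case DT_BIND_NOW: h.bind_now = 1; break;
        case DT_FLAGS:    if (d->d_un.d_val & DF_BIND_NOW) h.bind_now = 1; break;
        case DT_FLAGS_1:  if (d->d_un.d_val & DF_1_NOW)    h.bind_now = 1; break;
        case DT_PLTGOT:   gotplt = (uintptr_t)d->d_un.d_ptr; break;
        default: break;
        }
    }
    /* Heuristic: some glibc versions relocate DT_PLTGOT in place, others leave
     * the link-time value; a value below the load bias has not been relocated. */
    if (gotplt && gotplt < bias) gotplt += bias;

    h.is_pie = bias != 0;  /* heuristic: non-PIE images are linked at a fixed address, bias 0 */
    if (h.has_relro_segment) {
        h.relro = h.bind_now ? RELRO_FULL : RELRO_PARTIAL;
        h.gotplt_in_relro = gotplt >= relro_lo && gotplt < relro_hi;
    }
    return h;
}

int main(void) {
    static const char *names[] = {"none", "partial", "full"};
    struct hardening h = inspect_self();
    printf("PIE: %s\nRELRO: %s (BIND_NOW=%d)\n.got.plt read-only after load: %s\n",
           h.is_pie ? "yes" : "no", names[h.relro], h.bind_now,
           h.gotplt_in_relro ? "yes" : "no (a write primitive can redirect PLT targets)");
    return 0;
}
```

Build it three ways to see the difference the comment is describing: `gcc -Wl,-z,norelro -no-pie` (no RELRO segment, fixed addresses, GOT writable), the distro default (usually partial RELRO, where .got.plt stays outside the read-only range because lazy binding still has to write to it), and `gcc -fPIE -pie -Wl,-z,relro,-z,now` (full RELRO, .got.plt folded into the protected range, so a GOT overwrite is no longer an option and the attacker needs a different target, as in the sudo case above).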