PEDA's RELRO checking is incomplete.
In my case, it may identify a crafted ELF file without RELRO as FULL RELRO, which makes writing an exploit harder.
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : FULL
gdb-peda$ p puts
$1 = {<text variable, no debug info>} 0x400480 <puts@plt>
gdb-peda$ nearpc 0x400480
0x400471: xor eax,0x200b92
0x400476: jmp QWORD PTR [rip+0x200b94] # 0x601010
0x40047c: nop DWORD PTR [rax+0x0]
0x400480 <puts@plt>: jmp QWORD PTR [rip+0x200b92] # 0x601018
0x400486 <puts@plt+6>: push 0x0
0x40048b <puts@plt+11>: jmp 0x400470
0x400490 <quick_exit@plt>: jmp QWORD PTR [rip+0x200b8a] # 0x601020
0x400496 <quick_exit@plt+6>: push 0x1
gdb-peda$ telescope 0x601018
0000| 0x601018 --> 0x7ffff7a64a30 (push r13)
0008| 0x601020 --> 0x7ffff7a27810 (lea rsi,[rip+0x3a7f09] # 0x7ffff7dcf720)
0016| 0x601028 --> 0x7ffff7af4180 (lea rax,[rip+0x2e0771] # 0x7ffff7dd48f8)
0024| 0x601030 --> 0x0
0032| 0x601038 --> 0x0
0040| 0x601040 --> 0x0
0048| 0x601048 --> 0x0
0056| 0x601050 --> 0x0
gdb-peda$ vmmap 0x601018
Start End Perm Name
0x00601000 0x00602000 rw-p /u/antor/u28/zhan3299/trojai/ZeroPatch/workshop/easiest_patch
It is easy to check that the GOT entry of the puts function is writable, but checksec reports it as FULL RELRO.
Details can be found here:
easiest_patch.zip
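The session above shows the gap between a header-derived verdict and what the loader actually did: checksec says FULL, yet `vmmap 0x601018` shows the page holding the puts GOT slot is still `rw-p`. The script below is an added example, not part of this issue or of PEDA, that derives the RELRO verdict the way checksec tools do (a PT_GNU_RELRO segment plus BIND_NOW in the dynamic section) and then verifies it against the one fact ld.so really uses: only the PT_GNU_RELRO address range is mprotect()ed read-only, so the GOT the PLT stubs jump through (DT_PLTGOT) must lie inside that range. It assumes that is the reason the crafted binary misleads checksec; the issue does not say how easiest_patch was crafted, so other tricks are possible. The ELF images it tests on (`build_elf`, `CRAFTED`, `GENUINE`) are constructed in-line and are not the attached binary; the addresses copy the layout shown above.

```python
"""Verify an ELF64 binary's RELRO claim instead of trusting the headers.

A checksec-style check derives "FULL RELRO" from two header facts: a
PT_GNU_RELRO segment exists and BIND_NOW is set.  ld.so, however, only
mprotect()s the PT_GNU_RELRO range; if the GOT that the PLT stubs jump
through (DT_PLTGOT) lies outside that range it stays writable.  This script
reports both the header verdict and the verified one.
"""
import struct
import sys

# Constants from elf.h
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_PLTGOT, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 3, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf64(data):
    """Return (program headers, dynamic tags) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    phdrs = []
    for i in range(e_phnum):
        fields = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append(dict(zip(("type", "flags", "offset", "vaddr", "paddr",
                               "filesz", "memsz", "align"), fields)))
    dyn = {}
    for ph in phdrs:
        if ph["type"] != PT_DYNAMIC:
            continue
        off, end = ph["offset"], ph["offset"] + ph["filesz"]
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            dyn[tag] = val
            off += 16
    return phdrs, dyn


def relro_status(data):
    """Return (header verdict, GOT protected?) for an ELF64 image."""
    phdrs, dyn = parse_elf64(data)
    relro = [p for p in phdrs if p["type"] == PT_GNU_RELRO]
    bind_now = bool(DT_BIND_NOW in dyn
                    or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    claimed = "NO" if not relro else ("FULL" if bind_now else "PARTIAL")
    got = dyn.get(DT_PLTGOT)
    # The check checksec tools skip: is the PLT GOT inside the range ld.so locks?
    got_protected = got is not None and any(
        p["vaddr"] <= got < p["vaddr"] + p["memsz"] for p in relro)
    return claimed, got_protected


def report(data):
    """One-line verdict; flags the case this issue describes."""
    claimed, got_protected = relro_status(data)
    if claimed == "FULL" and not got_protected:
        return "RELRO: headers say FULL, but DT_PLTGOT is outside PT_GNU_RELRO (GOT writable)"
    return "RELRO: " + claimed


def build_elf(dyn_entries, relro=None, got_vaddr=0x601018):
    """Constructed minimal ELF64 image (sample data for this example, not the
    attached binary): one PT_DYNAMIC segment and an optional PT_GNU_RELRO one."""
    dyn_off, dyn_vaddr = 0x200, 0x600E00
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in
                        dyn_entries + [(DT_PLTGOT, got_vaddr), (DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 6, dyn_off, dyn_vaddr, len(dyn_blob), len(dyn_blob))]
    if relro is not None:
        start, size = relro
        phdrs.append((PT_GNU_RELRO, 4, 0, start, size, size))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x400400, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    image = ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, o, v, v, fs, ms, 8)
                            for t, f, o, v, fs, ms in phdrs)
    return image.ljust(dyn_off, b"\x00") + dyn_blob


# Assumed layout of the misleading case: BIND_NOW set and a GNU_RELRO segment
# present, but the RELRO range ends at 0x601000 while the PLT GOT is at 0x601018.
CRAFTED = build_elf([(DT_FLAGS, DF_BIND_NOW)], relro=(0x600E00, 0x200))
# A genuinely full-RELRO layout: the GOT is inside the protected range.
GENUINE = build_elf([(DT_FLAGS, DF_BIND_NOW)], relro=(0x600E00, 0x220))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else CRAFTED
    print(report(data))
```

Run it with the binary as the only argument to get both verdicts; with no argument it runs on the constructed sample. Whatever the headers say, the authoritative answer is still the live mapping: `vmmap <GOT address>` in PEDA (or the matching line of `/proc/<pid>/maps`) shows whether the page holding the GOT slot is `r--p` after ld.so has finished, and that is the check to make before deciding a GOT overwrite is off the table.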