PEDA's RELRO checking is incomplete.
In my case, it may identify a crafted ELF file without RELRO as FULL RELRO, which makes writing an exploit difficult.
gdb-peda$ checksec
CANARY : disabled
FORTIFY : disabled
NX : ENABLED
PIE : disabled
RELRO : FULL
gdb-peda$ p puts
$1 = {<text variable, no debug info>} 0x400480 <puts@plt>
gdb-peda$ nearpc 0x400480
0x400471: xor eax,0x200b92
0x400476: jmp QWORD PTR [rip+0x200b94] # 0x601010
0x40047c: nop DWORD PTR [rax+0x0]
0x400480 <puts@plt>: jmp QWORD PTR [rip+0x200b92] # 0x601018
0x400486 <puts@plt+6>: push 0x0
0x40048b <puts@plt+11>: jmp 0x400470
0x400490 <quick_exit@plt>: jmp QWORD PTR [rip+0x200b8a] # 0x601020
0x400496 <quick_exit@plt+6>: push 0x1
gdb-peda$ telescope 0x601018
0000| 0x601018 --> 0x7ffff7a64a30 (push r13)
0008| 0x601020 --> 0x7ffff7a27810 (lea rsi,[rip+0x3a7f09] # 0x7ffff7dcf720)
0016| 0x601028 --> 0x7ffff7af4180 (lea rax,[rip+0x2e0771] # 0x7ffff7dd48f8)
0024| 0x601030 --> 0x0
0032| 0x601038 --> 0x0
0040| 0x601040 --> 0x0
0048| 0x601048 --> 0x0
0056| 0x601050 --> 0x0
gdb-peda$ vmmap 0x601018
Start End Perm Name
0x00601000 0x00602000 rw-p /u/antor/u28/zhan3299/trojai/ZeroPatch/workshop/easiest_patch
It is easy to check that the GOT of the puts function is writable, but checksec reports it as FULL RELRO.
Details can be found here
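As an added example (written for this page, not PEDA's checksec code and not from the issue author), a stricter RELRO classifier that only reports FULL when the dynamic section carries a BIND_NOW flag and DT_PLTGOT lies inside a PT_GNU_RELRO range, so a binary whose GOT stays writable after ld.so's mprotect, as in the session above, can never be labelled FULL. build_test_elf is a constructed, non-loadable ELF64 sample used only to exercise the classifier.

```python
import struct

# ELF64 constants from the ELF ABI specification
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474e552
DT_NULL, DT_PLTGOT, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 3, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def _segments(data):
    """Yield (p_type, p_offset, p_vaddr, p_filesz, p_memsz) for each ELF64 program header."""
    assert data[:4] == b"\x7fELF" and data[4] == 2, "only little-endian ELF64 is handled here"
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_off, p_vaddr, p_filesz, p_memsz

def relro_status(data):
    """Return 'None', 'Partial' or 'Full'. 'Full' requires a BIND_NOW flag *and* the PLT GOT
    (DT_PLTGOT) inside a PT_GNU_RELRO range; a GOT outside RELRO stays writable at run time."""
    relro_ranges, dyn = [], None
    for p_type, p_off, p_vaddr, p_filesz, p_memsz in _segments(data):
        if p_type == PT_GNU_RELRO:
            relro_ranges.append((p_vaddr, p_vaddr + p_memsz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if not relro_ranges:
        return "None"
    bind_now, pltgot = False, None
    for off in (range(dyn[0], dyn[0] + dyn[1], 16) if dyn else ()):
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL: break
        if tag == DT_PLTGOT: pltgot = val
        elif tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            bind_now = True
    # An absent DT_PLTGOT cannot be verified, so it is conservatively treated as unprotected.
    got_protected = pltgot is not None and any(lo <= pltgot < hi for lo, hi in relro_ranges)
    return "Full" if bind_now and got_protected else "Partial"

def build_test_elf(bind_now, got_vaddr, relro=(0x600e00, 0x601000)):
    """Constructed sample: minimal non-loadable ELF64 with PT_DYNAMIC and (unless relro is None) PT_GNU_RELRO."""
    entries = [(DT_PLTGOT, got_vaddr)] + ([(DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries)
    segs = [(PT_DYNAMIC, 6, 0x600e00, len(dyn))]
    if relro:
        segs.append((PT_GNU_RELRO, 4, relro[0], relro[1] - relro[0]))
    dyn_off = 64 + 56 * len(segs)  # the dynamic section directly follows the program headers
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off, va, va, sz, sz, 8) for t, f, va, sz in segs)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + dyn
```

Run relro_status on the bytes of a real binary to compare its verdict with checksec's; a GOT address like 0x601018 that falls outside the RELRO range yields Partial rather than Full.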