Writable memory sections before and after init

0x0 Difference

The memory mapping is slightly different depending on when you look at it.

Before the init function has run, notice that the rw- page in the memory map has a size of 0x2000, from 0x0804b000 to 0x0804d000:

0x0804b000 - 0x0804d000 - usr     8K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map.

However, once main has been entered (i.e. init has been called), the rw- page in the memory map has a size of only 0x1000, from 0x0804c000 to 0x0804d000:

0x0804c000 - 0x0804d000 - usr     4K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; obj._GLOBAL_OFFSET_TABLE_

0x1 Reason

The init function writes data to 0x0804b000 - 0x0804c000, so before init runs (before entering main) this page of memory is writable.

However, after init has finished and main has been entered, this page should no longer be modified. The binary therefore memory-protects the page and makes it read-only, which means the writable area is now only the range 0x0804c000 - 0x0804d000.

0x2 Some Reminder

If you want to find a writable area, be sure to run dm (or vmmap in gdb) only after the binary has executed up to main.
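The difference described in 0x1 and the reminder above can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from the silent-ROP challenge: it parses radare2 `dm` output (the row layout is taken from the listings in this post; the sample input is constructed, with the long path shortened to ./silent-ROP and the ld.so rows trimmed), reports which pages lost write permission between the two snapshots, and lists the writable mappings that belong to the binary itself. For reference, the page that turns read-only is the loader's RELRO region: ld.so calls mprotect on the PT_GNU_RELRO range after relocation, so the shrink is only visible once the process has reached main.

```python
import re
from typing import List, NamedTuple, Set


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str   # e.g. "rw-"
    name: str    # backing file, or a pseudo-name such as [stack]


# One line of radare2 `dm` output looks like:
#   0x0804b000 - 0x0804d000 - usr     8K s rw- <file> <file> ; <comment>
# The third column is "*" for the map containing the current PC, "-" otherwise.
_DM_LINE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s*-\s*(0x[0-9a-fA-F]+)\s+[-*]\s+\S+\s+\S+\s+s\s+([rwx-]{3})\s+(\S+)"
)


def parse_dm(output: str) -> List[Mapping]:
    """Parse `dm` output; prompt lines such as '[0x...]> dm' are ignored."""
    maps = []
    for line in output.splitlines():
        m = _DM_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return maps


def writable_pages(maps: List[Mapping], page: int = 0x1000) -> Set[int]:
    """Every page-aligned address inside a mapping that has the 'w' bit set."""
    return {a for mp in maps if "w" in mp.perms for a in range(mp.start, mp.end, page)}


def lost_writable_pages(before: List[Mapping], after: List[Mapping]) -> List[int]:
    """Pages writable in `before` but not in `after`: a write there from main() onward faults."""
    return sorted(writable_pages(before) - writable_pages(after))


def writable_in_image(maps: List[Mapping], image: str) -> List[Mapping]:
    """Writable mappings backed by the target binary itself."""
    return [mp for mp in maps if "w" in mp.perms and mp.name == image]


# Constructed sample input: rows from the post, path shortened, ld.so rows trimmed.
BEFORE_MAIN = """
[0xf7fc1120]> dm
0x08048000 - 0x08049000 - usr 4K s r-- ./silent-ROP ./silent-ROP ; segment.ehdr
0x08049000 - 0x0804a000 - usr 4K s r-x ./silent-ROP ./silent-ROP ; map._silent_ROP.r_x
0x0804a000 - 0x0804b000 - usr 4K s r-- ./silent-ROP ./silent-ROP ; map._silent_ROP.r__
0x0804b000 - 0x0804d000 - usr     8K s rw- ./silent-ROP ./silent-ROP ; map._silent_ROP.rw_
0xffe81000 - 0xffea2000 - usr 132K s rw- [stack] [stack] ; map._stack_.rw_
"""

AFTER_MAIN = """
[0x08049235]> dm
0x08048000 - 0x08049000 - usr 4K s r-- ./silent-ROP ./silent-ROP ; segment.ehdr
0x08049000 - 0x0804a000 * usr 4K s r-x ./silent-ROP ./silent-ROP ; map._silent_ROP.r_x
0x0804a000 - 0x0804b000 - usr 4K s r-- ./silent-ROP ./silent-ROP ; map._silent_ROP.r__
0x0804b000 - 0x0804c000 - usr 4K s r-- ./silent-ROP ./silent-ROP ; map._silent_ROP.rw_
0x0804c000 - 0x0804d000 - usr 4K s rw- ./silent-ROP ./silent-ROP ; obj._GLOBAL_OFFSET_TABLE_
0xf7fa5000 - 0xf7fa7000 - usr 8K s rw- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so ; edi
0xffe81000 - 0xffea2000 - usr 132K s rw- [stack] [stack] ; map._stack_.rw_
"""

if __name__ == "__main__":
    before, after = parse_dm(BEFORE_MAIN), parse_dm(AFTER_MAIN)
    for addr in lost_writable_pages(before, after):
        print(f"page {addr:#010x} was writable before main but is read-only now")
    for mp in writable_in_image(after, "./silent-ROP"):
        print(f"writable in binary after main: {mp.start:#010x}-{mp.end:#010x}")
```

Run against the two snapshots it reports 0x0804b000 as the only page that lost write permission and 0x0804c000-0x0804d000 (the GOT page) as the only writable mapping inside the binary, which is exactly the 0x2000 to 0x1000 shrink shown above. To use it on a live session, paste the real dm output into the two strings or read them from files.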

0x3 Full dm output

[0xf7fc1120]> dm
0x08048000 - 0x08049000 - usr 4K s r-- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; segment.ehdr
0x08049000 - 0x0804a000 - usr 4K s r-x /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.r_x
0x0804a000 - 0x0804b000 - usr 4K s r-- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.r__
0x0804b000 - 0x0804d000 - usr 8K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.rw_
0xf7fba000 - 0xf7fbe000 - usr 16K s r-- [vvar] [vvar] ; map._vvar_.r__
0xf7fbe000 - 0xf7fc0000 - usr 8K s r-x [vdso] [vdso] ; map._vdso_.r_x
0xf7fc0000 - 0xf7fc1000 - usr 4K s r-- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so
0xf7fc1000 - 0xf7fdf000 * usr 120K s r-x /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.r_x
0xf7fdf000 - 0xf7fea000 - usr 44K s r-- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.r__
0xf7feb000 - 0xf7fed000 - usr 8K s rw- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.rw_
0xffe81000 - 0xffea2000 - usr 132K s rw- [stack] [stack] ; map._stack_.rw_
[0x08049235]> dcu main
[0x08049235]> dm
0x08048000 - 0x08049000 - usr 4K s r-- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; segment.ehdr
0x08049000 - 0x0804a000 * usr 4K s r-x /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.r_x
0x0804a000 - 0x0804b000 - usr 4K s r-- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.r__
0x0804b000 - 0x0804c000 - usr 4K s r-- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; map._home_aynakeya_ctf_k3rn3lctf2021_silent_rop_silent_ROP.rw_
0x0804c000 - 0x0804d000 - usr 4K s rw- /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP /home/aynakeya/ctf/k3rn3lctf2021/silent-rop/silent-ROP ; obj._GLOBAL_OFFSET_TABLE_
0xf7dba000 - 0xf7dd7000 - usr 116K s r-- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so
0xf7dd7000 - 0xf7f32000 - usr 1.4M s r-x /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so
0xf7f32000 - 0xf7fa2000 - usr 448K s r-- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so
0xf7fa2000 - 0xf7fa3000 - usr 4K s --- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so
0xf7fa3000 - 0xf7fa5000 - usr 8K s r-- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so
0xf7fa5000 - 0xf7fa7000 - usr 8K s rw- /usr/lib/i386-linux-gnu/libc-2.31.so /usr/lib/i386-linux-gnu/libc-2.31.so ; edi
0xf7fa7000 - 0xf7fa9000 - usr 8K s rw- unk0 unk0
0xf7fb8000 - 0xf7fba000 - usr 8K s rw- unk1 unk1
0xf7fba000 - 0xf7fbe000 - usr 16K s r-- [vvar] [vvar] ; map._vvar_.r__
0xf7fbe000 - 0xf7fc0000 - usr 8K s r-x [vdso] [vdso] ; map._vdso_.r_x
0xf7fc0000 - 0xf7fc1000 - usr 4K s r-- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so
0xf7fc1000 - 0xf7fdf000 - usr 120K s r-x /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.r_x
0xf7fdf000 - 0xf7fea000 - usr 44K s r-- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.r__
0xf7feb000 - 0xf7fec000 - usr 4K s r-- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so ; map._usr_lib_i386_linux_gnu_ld_2.31.so.rw_
0xf7fec000 - 0xf7fed000 - usr 4K s rw- /usr/lib/i386-linux-gnu/ld-2.31.so /usr/lib/i386-linux-gnu/ld-2.31.so
0xffe81000 - 0xffea2000 - usr 132K s rw- [stack] [stack] ; map._stack_.rw_