Skip to content
This repository has been archived by the owner on Jun 15, 2024. It is now read-only.
/ Libc-GOT-Hijacking Public archive

Binary Exploitation Skill. Gain RCE from arbitrary write.

Notifications You must be signed in to change notification settings

n132/Libc-GOT-Hijacking

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

28 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Libc-GOT-Hijacking

Important: You can only use this skill for glibcs < 2.39.

Transform arbitrary write to RCE.

This is a userspace attacking skill: If you can write arbitrary memory space, you can use this method to execute arbitrary code.

You only need to know the base address of Glibc Glibc is FULL RELRO by default for glibc2.39. A great security improvement! We can't hijack Libc GOT on libc version >= 2.39

glibc > 2.35 & glibc <=2.38

Compared to glibc<=2.35 there is mitigation implemented, which forbids the methods for the old library. However, we designed a method to bypass it and execute arbitrary code by once arbitrary write on Glibc's GOT table. This method performs Return Oriented Programming (ROP) attack on the Global Offset Table (GOT).

AttackFlow

You can find details, templates, demos, and everything you want in: Details and Templates

glibc <= 2.35

I learned the original method from Sammy Hajhamid also the methods for glibc <=2.35 are inspired by his work.

Based on his work, We designed a method to execute arbitrary code by once arbitrary write on Glibc's GOT table. The method uses PLT_0 to push libc_exe_address to the stack and then use POP RSP, RET to execute our ROPchain.

You can find details, templates, demos, and everything you want in: Details and Templates

Acknowledgments

  • Great job @swing on the impressive work with glibc >2.35!

  • Appreciate the original work done by @pepsipu.

Reference link