Skip to content
This repository has been archived by the owner on Jun 15, 2024. It is now read-only.

Latest commit

 

History

History
48 lines (26 loc) · 1.68 KB

README.md

File metadata and controls

48 lines (26 loc) · 1.68 KB

Libc-GOT-Hijacking

Important: You can only use this skill for glibcs < 2.39.

Transform arbitrary write to RCE.

This is a userspace attacking skill: If you can write arbitrary memory space, you can use this method to execute arbitrary code.

You only need to know the base address of Glibc Glibc is FULL RELRO by default for glibc2.39. A great security improvement! We can't hijack Libc GOT on libc version >= 2.39

glibc > 2.35 & glibc <=2.38

Compared to glibc<=2.35 there is mitigation implemented, which forbids the methods for the old library. However, we designed a method to bypass it and execute arbitrary code by once arbitrary write on Glibc's GOT table. This method performs Return Oriented Programming (ROP) attack on the Global Offset Table (GOT).

AttackFlow

You can find details, templates, demos, and everything you want in: Details and Templates

glibc <= 2.35

I learned the original method from Sammy Hajhamid also the methods for glibc <=2.35 are inspired by his work.

Based on his work, We designed a method to execute arbitrary code by once arbitrary write on Glibc's GOT table. The method uses PLT_0 to push libc_exe_address to the stack and then use POP RSP, RET to execute our ROPchain.

You can find details, templates, demos, and everything you want in: Details and Templates

Acknowledgments

  • Great job @swing on the impressive work with glibc >2.35!

  • Appreciate the original work done by @pepsipu.

Reference link