{"id":21889020,"url":"https://github.com/n132/libc-got-hijacking","last_synced_at":"2025-04-04T11:10:02.558Z","repository":{"id":209106391,"uuid":"723168627","full_name":"n132/Libc-GOT-Hijacking","owner":"n132","description":"Binary Exploitation Skill. Gain RCE from arbitrary write.","archived":false,"fork":false,"pushed_at":"2024-12-23T22:54:52.000Z","size":1011,"stargazers_count":217,"open_issues_count":0,"forks_count":16,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-03-28T10:07:08.539Z","etag":null,"topics":["binary","exploitation","hacking","template"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n132.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-24T21:21:51.000Z","updated_at":"2025-03-25T01:12:41.000Z","dependencies_parsed_at":"2023-12-10T08:19:52.827Z","dependency_job_id":"d4ac37b7-a9db-47c1-90c6-fe7471b0d530","html_url":"https://github.com/n132/Libc-GOT-Hijacking","commit_stats":null,"previous_names":["n132/fx"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n132%2FLibc-GOT-Hijacking","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n132%2FLibc-GOT-Hijacking/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n132%2FLibc-GOT-Hijacking/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n132%2FLibc-GOT-Hijacking/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/n132","download_url":"https://codeload.github.com/n132/Libc-GOT-Hijacking/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247166168,"owners_count":20894654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary","exploitation","hacking","template"],"created_at":"2024-11-28T11:18:41.533Z","updated_at":"2025-04-04T11:10:02.536Z","avatar_url":"https://github.com/n132.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Libc-GOT-Hijacking \n\nTransform arbitrary write to RCE.\n\nThis repo provides an idea that performs ROP on GOT and demonstrates its ability (even most people would never use it because of the existing simple method). Also, this repo shows an ignored fact: writable libc got is useful for exploitation.\n\nThis is a userspace attacking skill: If you can write arbitrary memory space, you can use this method to execute arbitrary code. \n\nThe simplest way to attack is to find a function using writable GOT value and set it `system` to perform `system(\"/bin/sh\")`. 
Which function to hijack depends on the challenge/case, and that simple approach is **good enough** for most cases; this repo gives a more complex/verbose solution that gains not only RIP control but a full ROP chain for generic cases.\n\n\n\u003e 1) You only need to know the base address of glibc.\n\u003e 2) glibc is built with full RELRO starting from 2.39, so this skill doesn't work for glibc 2.39+.\n\u003e 3) However, it still works against libstdc++ on the latest Ubuntu LTS.\n\n# Before Reading\n\nThis repo is a generic solution to gain code execution (ROP level).\n- You don't need this repo **unless**\n    - You just want a generic solution without spending time debugging a specific case\n    - You need ROP instead of `system(\"/bin/sh\")`.\n\nFor most simple cases, the simple solution is:\n- Hijack one GOT entry (a write of at most 6 bytes)\n- Find a trigger function whose parameters are convenient.\n    - Case 1: The trigger function takes controllable parameters (e.g., `some_func(str)`). We set `some_func`'s GOT entry to `system`.\n    - Case 2: The trigger function takes a pointer into the stack (in a returnable function's stack frame) as its first parameter. -\u003e We set its GOT entry to `gets` to get a buffer overflow.\n\n# Update\n- Dec 17th, 2024\nWhile exploiting a CTF challenge, I found that `libstdc++` is a juicy target for this technique. It's still usable on the latest Ubuntu LTS (24.04).\n\n```sh\n[14:26:12] n132 :: xps  ➜  ~/Downloads/FL_Support_Center » pwn checksec /lib/x86_64-linux-gnu/libstdc++.so.6\n[*] '/lib/x86_64-linux-gnu/libstdc++.so.6'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      PIE enabled\n    FORTIFY:  Enabled\n```\n\nA simple way to get a shell is just to overwrite the `fread`/`fwrite` GOT entry with `system` and `cin`/`cout` the string `/bin/sh`. But if ROP is what we want, we can do libc-got-hijacking (ROP over GOT) (even though it's unnecessary, it's a general solution!)
\n\nHere is a demo (https://asciinema.org/a/krgiZ9HEX633nOhgT86OJy3aH):\n```c\n[18:34:04] n132 :: xps  ➜  ~/demo » cat ./rce.cpp \u0026\u0026 g++ ./rce.cpp -o ./rce \u0026\u0026 echo \"id\" | ./rce\n#include \u003ciostream\u003e\nint main(){\n    // Hijack fwrite@got[plt] to system\n    // cout will then run arbitrary commands\n    int num = 915;\n    std::string str;\n    size_t libc_base = (size_t)system-0x00058740;\n    size_t * add_of_del_got = (size_t *)(libc_base + 0x277000 + 0x400000 + num*8);\n    * add_of_del_got = (size_t )system;\n    std::cin \u003e\u003e str;\n    std::cout \u003c\u003c str \u003c\u003c std::endl;\n}\nuid=1000(n132) gid=1000(n132) groups=1000(n132),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),114(lpadmin),984(docker)\n```\n\n## glibc (2.36-2.38)\n\nCompared to glibc \u003c=2.35, a mitigation was added that blocks the methods used against the older library. However, we designed a method to bypass it and execute arbitrary code with a single arbitrary write on glibc's GOT table. This method performs a Return Oriented Programming (ROP) attack on the Global Offset Table (GOT).\n\n![AttackFlow](./Img/AttackFlow.png)\n\n\nYou can find details, templates, demos, and everything you want in: [Details][0] and [Templates][3]\n\n\n## glibc (unk-2.35)\n\n\nI learned the original method from [Sammy Hajhamid][2]; the methods for glibc \u003c=2.35 are also inspired by his work.\n\nBased on his work, we designed a method to execute arbitrary code with a single arbitrary write on glibc's GOT table. 
The method uses `PLT_0` to push `libc_exe_address` onto the stack and then uses `POP RSP, RET` to execute our `ROPchain`.\n\nYou can find details, templates, demos, and everything you want in: [Details][1] and [Templates][4]\n\n# Acknowledgments\n\n- Great job [@swing][5] on the impressive work with glibc \u003e2.35!\n\n- Appreciate the original work done by @pepsipu.\n\n# Reference link\n- [@pepsipu's Method][2]\n\n\n[0]: ./Post/README.md\n[1]: ./Pre/README.md\n[2]: https://hackmd.io/@pepsipu/SyqPbk94a\n[3]: ./Post/one_punch.py\n[4]: ./Pre/templates.md\n[5]: https://bestwing.me/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn132%2Flibc-got-hijacking","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn132%2Flibc-got-hijacking","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn132%2Flibc-got-hijacking/lists"}