Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/n132/libc-got-hijacking

Binary Exploitation Skill. Gain RCE from arbitrary write.
https://github.com/n132/libc-got-hijacking

binary exploitation hacking template

Last synced: 2 months ago
JSON representation

Binary Exploitation Skill. Gain RCE from arbitrary write.

Host: GitHub
URL: https://github.com/n132/libc-got-hijacking
Owner: n132
Created: 2023-11-24T21:21:51.000Z (about 1 year ago)
Default Branch: main
Last Pushed: 2024-06-10T23:36:14.000Z (8 months ago)
Last Synced: 2024-06-11T02:11:31.650Z (8 months ago)
Topics: binary, exploitation, hacking, template
Language: Python
Homepage:
Size: 1 MB
Stars: 184
Watchers: 5
Forks: 13
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # Libc-GOT-Hijacking 

Important: You can only use this skill for glibcs < 2.39.

Transform arbitrary write to RCE.

This is a userspace attacking skill: If you can write arbitrary memory space, you can use this method to execute arbitrary code. 

> You only need to know the base address of Glibc

> Glibc is FULL RELRO by default for glibc2.39. A great security improvement! We can't hijack Libc GOT on libc version >= 2.39

## glibc > 2.35 & glibc <=2.38

Compared to glibc<=2.35 there is mitigation implemented, which forbids the methods for the old library. However, we designed a method to bypass it and execute arbitrary code by 

once arbitrary write on Glibc's GOT table. This method performs Return Oriented Programming (ROP) attack on the Global Offset Table (GOT). 

![AttackFlow](./Img/AttackFlow.png)

You can find details, templates, demos, and everything you want in: [Details][0] and [Templates][3]

## glibc <= 2.35

I learned the original method from [Sammy Hajhamid][2] also the methods for glibc <=2.35 are inspired by his work.

Based on his work, We designed a method to execute arbitrary code by once arbitrary write on Glibc's GOT table. The method uses `PLT_0` to push `libc_exe_address` to the stack and then use `POP RSP, RET` to execute our `ROPchain`.

You can find details, templates, demos, and everything you want in: [Details][1] and [Templates][4]

# Acknowledgments

- Great job [@swing][5] on the impressive work with glibc >2.35!

- Appreciate the original work done by @pepsipu.

# Reference link

- [@pepsipu's Method][2]

[0]: ./Post/README.md

[1]: ./Pre/README.md

[2]: https://hackmd.io/@pepsipu/SyqPbk94a

[3]: ./Post/one_punch.py

[4]: ./Pre/templates.md

[5]: https://bestwing.me/