Commit 84f5454

carlospolopgitbook-bot
authored and committed
GITBOOK-4341: No subject
1 parent 0eb2242 commit 84f5454

5 files changed

+188
-524
lines changed


SUMMARY.md

Lines changed: 0 additions & 1 deletion
Original file line number / Diff line number / Diff line change
@@ -764,7 +764,6 @@
764764
* [WWW2Exec - \_\_malloc\_hook](binary-exploitation/arbitrary-write-2-exec/aw2exec-\_\_malloc\_hook.md)
765765
* [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
766766
* [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
767-
* [Linux Exploiting (Basic) (SPA)](binary-exploitation/linux-exploiting-basic-esp.md)
768767

769768
## 🔩 Reversing
770769
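Review bot: removing the SUMMARY.md entry at line 767 unlinks binary-exploitation/linux-exploiting-basic-esp.md from the GitBook navigation, so confirm that file is deleted in the same commit (the -524 line count on this commit suggests it, but that file's diff is not shown here) or the page becomes an orphan; if it is deleted, also search the other pages for content-ref links to that path so none are left dangling.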

binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md

Lines changed: 8 additions & 1 deletion
Original file line number / Diff line number / Diff line change
@@ -60,14 +60,21 @@ The **GOT of libc** is usually compiled with **partial RELRO**, making it a nice
6060

6161
Common functions of the libc are going to call **other internal functions** whose GOT could be overwritten in order to get code execution.
6262

63-
Find [**more information about this tachnique here**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).
63+
Find [**more information about this technique here**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).
6464

6565
## **One Gadget**
6666

6767
{% content-ref url="../rop-return-oriented-programing/ret2lib/one-gadget.md" %}
6868
[one-gadget.md](../rop-return-oriented-programing/ret2lib/one-gadget.md)
6969
{% endcontent-ref %}
7070

71+
## **Abusing GOT from Heap**
72+
73+
A common way to obtain RCE from a heap vulnerability is to abuse a fastbin so it's possible to add the part of the GOT table into the fast bin, so whenever that chunk is allocated it'll be possible to **overwrite the pointer of a function, usually `free`**.\
74+
Then, pointing `free` to `system` and freeing a chunk were was written `/bin/sh\x00` will execute a shell.
75+
76+
It's possible to find an [**example here**](https://ctf-wiki.mahaloz.re/pwn/linux/glibc-heap/chunk\_extend\_overlapping/#hitcon-trainging-lab13)**.**
77+
7178
## **Protections**
7279

7380
The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
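Review bot: the new "Abusing GOT from Heap" paragraph at lines 73-74 has a grammar slip, "freeing a chunk were was written `/bin/sh\x00`" should read "freeing a chunk where `/bin/sh\x00` was written", and "add the part of the GOT table into the fast bin" is vague about what is actually required, namely that the GOT region being returned as a fastbin chunk must carry a plausible size field for that bin; one sentence on that precondition, plus a note that this only applies while the GOT is writable (partial RELRO, as the Protections section directly below explains), would make the section self-contained rather than relying entirely on the linked example. While here, the unchanged context line "protect agains this kind of technique" at line 80 has the same kind of typo this commit fixes at line 63 ("tachnique" to "technique") and could be corrected in the same pass.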

0 commit comments