HACK Using Global Offset Table

This method is useful when ASLR (Address Space Layout Randomization) is enabled, or when one is unable to overwrite an instruction pointer directly.

The Global Offset Table works something like a cache. It stores the address of a shared-library function after the first hit, i.e. after the first call of that function. The diagrams and program below give a detailed idea.

#include <stdio.h>

int main(void)
{
    /* First call: printf's GOT entry still points back into its PLT stub,
       so the dynamic linker has to resolve printf in libc. */
    printf("This is my first call\n");
    /* Second call: the GOT entry now holds printf's libc address. */
    printf("This is my second call\n");

    return 0;
}

For this program we will observe the change in the GOT before and after the first hit.

Before the First hit:

[Figure: plt_before]

(gdb) disassemble main
Dump of assembler code for function main:
0x0804841d <+0>:    push   ebp
0x0804841e <+1>:    mov    ebp,esp
0x08048420 <+3>:    and    esp,0xfffffff0
0x08048423 <+6>:    sub    esp,0x10
0x08048426 <+9>:    mov    DWORD PTR [esp],0x80484d0
0x0804842d <+16>:    call   0x80482f0 <printf@plt>
0x08048432 <+21>:    mov    DWORD PTR [esp],0x80484e6
0x08048439 <+28>:    call   0x80482f0 <printf@plt>
0x0804843e <+33>:    leave
0x0804843f <+34>:    ret
End of assembler dump.
(gdb) disassemble 0x80482f0
Dump of assembler code for function printf@plt:
0x080482f0 <+0>:    jmp    DWORD PTR ds:0x804a00c
-->0x080482f6 <+6>:    push   0x0
0x080482fb <+11>:    jmp    0x80482e0
End of assembler dump.

When you disassemble the PLT stub of the printf call above and dereference its GOT entry before the first hit,

(gdb) x/wx 0x804a00c
0x804a00c <printf@got.plt>:    0x080482f6
When you look at the dereferenced value, it is the address of the second instruction of the disassembled PLT stub (marked with the arrow). Because this is the first call, the stub falls through to code that asks the dynamic linker to look printf up in libc. To make later calls faster, the resolved libc address is then saved in the GOT.

After the First HIT:

[Figure: plt_after]

(gdb) x/wx 0x804a00c
0x804a00c <printf@got.plt>:	0xf7e54280

The address now appears to be printf's address in libc.

So the main concept to remember is: after the first call of any libc function, the dereferenced value of its GOT entry is the address of that libc function.

Taking advantage of this behaviour, what if you change the dereferenced value?
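Changing the dereferenced value is only possible while the GOT is still writable, which depends on how the binary was linked. The following is an added example (Python, not code from the original post): it parses an ELF file's program headers and dynamic section and reports whether the loader keeps the GOT writable for lazy binding, as in the gdb session above, or resolves every slot at load time and remaps the GOT read-only (Full RELRO). The helper `build_sample_elf64` constructs a minimal, non-loadable ELF image purely to exercise the check; on a real binary call `got_protection(open(path, "rb").read())`.

```python
import struct

# Constants from elf.h
PT_DYNAMIC, PT_GNU_RELRO, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 2, 0x6474E552, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def got_protection(elf: bytes) -> str:
    """Return 'full' (RELRO + BIND_NOW: GOT resolved at load, then read-only),
    'partial' (RELRO but lazy binding: .got.plt stays writable) or 'none'."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        phoff, (phentsize, phnum) = struct.unpack_from(end + "Q", elf, 32)[0], struct.unpack_from(end + "HH", elf, 54)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"  # p_offset = ph[2], p_filesz = ph[5]
    else:     # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        phoff, (phentsize, phnum) = struct.unpack_from(end + "I", elf, 28)[0], struct.unpack_from(end + "HH", elf, 42)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"  # p_offset = ph[1], p_filesz = ph[4]
    relro, dyn = False, None
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if ph[0] == PT_GNU_RELRO:
            relro = True
        elif ph[0] == PT_DYNAMIC:
            dyn = (ph[2], ph[5]) if is64 else (ph[1], ph[4])  # (file offset, size) of .dynamic
    if not relro:
        return "none"
    bind_now = False
    if dyn:
        for off in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, elf, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True  # linker was asked for -z now: no lazy GOT slots
    return "full" if bind_now else "partial"


def build_sample_elf64(relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-loadable little-endian ELF64 image (header, program
    headers, tiny dynamic section) used only to exercise got_protection()."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   ([(DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)])
    phdrs = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)  # .dynamic follows the program headers (e_phoff=64, e_phentsize=56)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8) for t in phdrs)
    return ehdr + body + dyn
```

A result of 'partial' or 'none' means the loader's lazy resolution leaves the printf@got.plt slot writable at runtime, exactly the state the gdb session above shows; 'full' means the slot is filled and write-protected before main runs.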

So we will try to hack a program in my next blog 😛