In my previous blog I described how the GOT is vulnerable; this post covers one case where you can exploit it, namely through an overwritten pointer.
I have used a small program that directly demonstrates the concept.
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy */

int main(int argc, char **argv)
{
    char *pointer = NULL;
    char buffer[10];          /* small stack buffer, no bounds checking below */

    pointer = buffer;

    /* first unbounded copy: overflows buffer and can reach the pointer variable */
    strcpy(pointer, argv[1]);
    printf("Array contains %s at %p\n", pointer, &pointer);

    /* second unbounded copy: writes through whatever the pointer now holds */
    strcpy(pointer, argv[2]);
    printf("Array contains %s at %p\nUse this as argument %s \n", pointer, &pointer, argv[3]);

    return EXIT_SUCCESS;
}
```
By just looking at the program you should spot the vulnerability: it uses `strcpy`, which copies without any bounds check, into a 10-byte stack buffer. Here is the idea for exploiting the program.
[*] Using the first `strcpy`, overflow the array `buffer` and change `pointer` to the GOT entry of `printf`.
pointer <– [GOT]
[*] Using the second `strcpy`, overwrite the GOT entry with the address of the `system` function, which will spawn a shell when the second `printf` is called.
[GOT] <– "address of system" (because the same pointer is used in the second `strcpy`)
[*] Also supply the third argument as `;/bin/sh;`, which turns the second call into `system("Array contains %s at %p\nUse this as argument %s \n", pointer, &pointer, argv[3]);`.
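The root cause of both steps above is the unbounded `strcpy` into a fixed-size buffer: if the first copy cannot overflow, the pointer is never redirected and the second copy never touches the GOT. The following is an added example (not code from the original post) showing the same program with a bounded copy that rejects oversized input instead of truncating or overflowing. The names `copy_arg`, `hardened_main`, `struct frame` and `pointer_intact_after_copy` are hypothetical helpers introduced here; the `struct` is only used to pin the buffer-then-pointer layout so the check is deterministic rather than depending on the compiler's stack layout. Independently of source fixes, linking with `-Wl,-z,relro,-z,now` (Full RELRO) makes the GOT read-only after relocation, so step two above fails even if a pointer is hijacked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy: copies src into dst only if the whole string plus its
 * terminating NUL fits in dst_size bytes. Returns 0 on success, -1 if the
 * input is rejected. Nothing is written to dst on rejection. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Look for the NUL within the destination size; scanning stops at
     * dst_size, so an overlong src can never run the copy past dst. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return -1;                       /* no room for string + NUL: reject */

    size_t len = (size_t)(nul - src);
    memcpy(dst, src, len + 1);           /* len + 1 <= dst_size is guaranteed */
    return 0;
}

/* Hypothetical frame layout mirroring the demo: a 10-byte buffer followed by
 * the pointer the exploit targets. Using a struct makes the adjacency
 * explicit instead of relying on how the compiler lays out locals. */
struct frame {
    char buffer[10];
    char *pointer;
};

/* Returns 1 if the pointer still refers to the buffer after copying input,
 * i.e. the copy could not reach past the buffer's end. */
int pointer_intact_after_copy(const char *input)
{
    struct frame f;
    f.pointer = f.buffer;
    (void)copy_arg(f.pointer, sizeof f.buffer, input);   /* rejects if too long */
    return f.pointer == f.buffer;
}

/* Hardened version of the demo program, same structure, bounded copies. */
int hardened_main(int argc, char **argv)
{
    char buffer[10];
    char *pointer = buffer;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <arg1> <arg2> [arg3]\n", argv[0]);
        return EXIT_FAILURE;
    }

    if (copy_arg(pointer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument 1 too long (max %zu bytes)\n", sizeof buffer - 1);
        return EXIT_FAILURE;             /* fail closed: pointer is never clobbered */
    }
    printf("Array contains %s at %p\n", pointer, (void *)&pointer);

    if (copy_arg(pointer, sizeof buffer, argv[2]) != 0) {
        fprintf(stderr, "argument 2 too long (max %zu bytes)\n", sizeof buffer - 1);
        return EXIT_FAILURE;
    }
    printf("Array contains %s at %p\nUse this as argument %s\n",
           pointer, (void *)&pointer, argc > 3 ? argv[3] : "(none)");

    return EXIT_SUCCESS;
}

int main(int argc, char **argv)
{
    return hardened_main(argc, argv);
}
```

Compile with `gcc -Wall -Wl,-z,relro,-z,now hardened.c -o hardened` and run it with a 40-character first argument: the program exits with an error instead of silently overwriting the adjacent pointer, and `readelf -l hardened` should show a `GNU_RELRO` segment alongside `BIND_NOW` in the dynamic section.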
I got this idea by looking at this resource. My blog may not be as great as that article, but I still tried to give a brief description of it.