Cracking GOT using pointers

In my previous blog post I described how the GOT is vulnerable; this is one of the cases where it can be exploited, using pointers.

I have used a small program that directly illustrates the concept.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy: this include was missing from the original listing */

int main(int argc, char **argv)
{
  char *pointer = NULL;
  char buffer[10];
  pointer = buffer;
  strcpy(pointer, argv[1]);   /* unbounded copy: argv[1] longer than 9 bytes overflows buffer */
  printf("Array contains %s at %p\n", pointer, &pointer);
  strcpy(pointer, argv[2]);   /* second unbounded copy, written through the same pointer */
  printf("Array contains %s at %p\nUse this as argument %s \n", pointer, &pointer, argv[3]);
  return EXIT_SUCCESS;
}


Just by looking at the program you should see the vulnerability: it uses “strcpy”, which copies without any bounds checking. So here is the idea for exploiting the program.

[*] Using the first strcpy, overflow the array “buffer” and change the pointer so that it points at the GOT entry of printf.

pointer <– [GOT]

[*] Using the second “strcpy”, overwrite that GOT entry with the address of the “system” function, which will spawn a shell when the second printf is called.

[GOT] <– “address of system” (because the same pointer is used in the second strcpy)

[*] Also supply the third argument as “;/bin/sh;”, so that the call becomes “system(“Array contains %s at %p\nUse this as argument %s \n”, pointer, &pointer, argv[3]);”
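For contrast, here is a hardened rewrite of the same program, added here as a defender's counterpart and not the author's code: each copy is length-checked so the overflow that redirects `pointer` cannot happen, and the build comment gives the Full RELRO linker flags that map the GOT read-only after loading, so even an arbitrary write could not replace printf's entry. The `bounded_copy` helper name is my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success, -1 if the input would overflow dst.
 * Refusing (rather than silently truncating) keeps the program's
 * behaviour obvious and never leaves dst unterminated. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)
        return -1;                  /* would overflow: refuse, dst untouched */
    memcpy(dst, src, n + 1);        /* n + 1 includes the NUL */
    return 0;
}

/* Same flow as the original program, but the pointer stored next to
 * the buffer cannot be clobbered because each copy is bounds-checked.
 * Build with: cc -Wl,-z,relro,-z,now hardened.c -o hardened
 * Full RELRO resolves all imports at load time and then maps the GOT
 * read-only, so a write to printf's GOT slot faults instead of
 * redirecting the call. */
int main(int argc, char **argv)
{
    char buffer[10];
    char *pointer = buffer;

    if (argc < 4) {
        fprintf(stderr, "usage: %s <arg1> <arg2> <arg3>\n", argv[0]);
        return EXIT_FAILURE;
    }
    if (bounded_copy(pointer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument 1 too long (max %zu bytes)\n", sizeof buffer - 1);
        return EXIT_FAILURE;
    }
    printf("Array contains %s at %p\n", pointer, (void *)&pointer);
    if (bounded_copy(pointer, sizeof buffer, argv[2]) != 0) {
        fprintf(stderr, "argument 2 too long (max %zu bytes)\n", sizeof buffer - 1);
        return EXIT_FAILURE;
    }
    /* argv[3] is passed as a %s argument, never used as the format string */
    printf("Array contains %s at %p\nUse this as argument %s\n", pointer, (void *)&pointer, argv[3]);
    return EXIT_SUCCESS;
}
```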

I got this idea by looking at this resource. My blog may not be as good as that article, but I still tried to give a brief description of it.