From f8af83b6b4bc8dace599e22ebce691f9d5bfa3a7 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Mon, 17 Jun 2024 11:28:38 +0200 Subject: [PATCH] f --- .../arbitrary-write-2-exec/aw2exec-got-plt.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md b/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md index f95d06af0..fdffd0591 100644 --- a/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md +++ b/binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md @@ -62,15 +62,15 @@ Common functions of the libc are going to call **other internal functions** whos Find [**more information about this technique here**](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries). -## **Free2system** +### **Free2system** In heap exploitation CTFs it's common to be able to control the content of chunks and at some point even overwrite the GOT table. A simple trick to get RCE if one gadgets aren't available is to overwrite the `free` GOT address to point to `system` and to write inside a chunk `"/bin/sh"`. This way when this chunk is freed, it'll execute `system("/bin/sh")`. -## **Strlen2system** +### **Strlen2system** Another common technique is to overwrite the **`strlen`** GOT address to point to **`system`**, so if this function is called with user input it's posisble to pass the string `"/bin/sh"` and get a shell. -Moreover, if `puts` is used with user input, it's possible to overwrite the `puts` GOT address to point to `system` and pass the string `"/bin/sh"` to get a shell because **`puts` will call `strlen` with the user input**. +Moreover, if `puts` is used with user input, it's possible to overwrite the `strlen` GOT address to point to `system` and pass the string `"/bin/sh"` to get a shell because **`puts` will call `strlen` with the user input**. ## **One Gadget**
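Review bot: the commit message "f" describes neither of the two edits in this hunk; please restate it as something like "aw2exec-got-plt: demote Free2system/Strlen2system to ### and fix puts/strlen GOT target" so the history is searchable. The content change on the last `+` line is correct: because `puts` calls `strlen` on its argument, the entry that must be redirected to `system` is `strlen`'s GOT slot, not `puts`'s, and the sentence as written now agrees with the bold explanation at its end. The heading demotions from `##` to `###` also look right, since both subsections sit under the libc GOT entries discussion above them. Two nits in the unchanged context lines could be picked up in the same pass: "posisble" should read "possible", and "if one gadgets aren't available" should read "if no one-gadget is available".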