| name | got-plt-exploitation |
| description | How to exploit GOT/PLT vulnerabilities in binary exploitation challenges. Use this skill whenever the user mentions GOT overwrites, PLT hijacking, arbitrary write to GOT, libc GOT exploitation, free2system, strlen2system, or any binary exploitation task involving dynamic linking vulnerabilities. Make sure to use this skill for CTF pwn challenges, binary analysis, or when working with dynamically linked binaries that have partial RELRO. |
GOT/PLT Exploitation Guide
This skill helps you exploit Global Offset Table (GOT) and Procedure Linkage Table (PLT) vulnerabilities in dynamically linked binaries to achieve arbitrary code execution.
Understanding GOT and PLT
GOT (Global Offset Table)
- Stores addresses of external functions resolved at runtime
- Each entry corresponds to a symbol from external libraries
- First call: dynamic linker resolves address and stores in GOT
- Subsequent calls: use cached GOT address (no re-resolution)
PLT (Procedure Linkage Table)
- Trampoline entries for external function calls
- First call: invokes dynamic linker to resolve address
- After resolution: GOT entry is updated, future calls use GOT directly
Key insight: GOT entries are writable (with partial RELRO), making them targets for exploitation.
Exploitation Workflow
Step 1: Check Binary Protections
First, determine if GOT exploitation is possible:
readelf -l ./binary | grep -i relro
checksec --file=./binary
- Full RELRO: GOT is read-only → GOT overwrite NOT possible
- Partial RELRO: GOT is writable → GOT overwrite IS possible
- No RELRO: GOT is writable → GOT overwrite IS possible
Step 2: Locate GOT Entries
objdump -s -j .got ./binary
gef➤ x/20x 0xADDR_GOT
gef➤ got
Step 3: Identify PLT Entries
objdump -j .plt -d ./binary
objdump -j .plt -d ./binary | grep system
Step 4: Choose Target Function
Select a function to overwrite in GOT:
Ideal candidates:
- Functions called with user-controlled parameters
- Functions that will be called after your overwrite
- Common targets:
free, strlen, printf, puts, gets
If system is in PLT:
- Overwrite target GOT entry with
system PLT address
- Control the parameter to pass
/bin/sh
If system is NOT in PLT:
- First leak
system address from libc
- Overwrite GOT entry with leaked
system address
Common Exploitation Techniques
Technique 1: Free2System
When to use: Heap vulnerabilities where you can control chunk content and overwrite GOT.
Steps:
- Overwrite
free GOT entry with system address
- Write
/bin/sh\x00 into a heap chunk
- Trigger
free() on that chunk
- Result:
system("/bin/sh") executes
Example:
payload = p64(system_addr)
payload += b'/bin/sh\x00'
Technique 2: Strlen2System
When to use: Binary calls strlen or puts with user input.
Steps:
- Overwrite
strlen GOT entry with system address
- Send
/bin/sh as input
- When
strlen is called, it executes system("/bin/sh")
Why it works: puts internally calls strlen with the same argument.
Technique 3: Heap-Based GOT Overwrite
When to use: Fastbin heap vulnerabilities.
Steps:
- Use fastbin to allocate chunk overlapping GOT
- Overwrite function pointer (usually
free) in GOT
- Point it to
system
- Free a chunk containing
/bin/sh
Practical Commands Reference
Binary Analysis
checksec --file=./binary
objdump -s -j .got ./binary
objdump -j .plt -d ./binary
nm ./binary | grep system
readelf -s ./binary | grep system
Debugging with GEF
gdb ./binary
gef➤ got
gef➤ x/20x 0xADDR
gef➤ break function_name
gef➤ continue
Finding One Gadget
one_gadget /lib/x86_64-linux-gnu/libc.so.6
one_gadget /lib/x86_64-linux-gnu/libc.so.6 --no-fd
Exploitation Checklist
Before attempting GOT exploitation, verify:
Common Pitfalls
- Full RELRO: GOT is read-only, cannot overwrite
- ASLR: Need to leak addresses first if ASLR is enabled
- Wrong GOT entry: Ensure you're overwriting the correct function
- Timing: Overwrite must happen before the function is called
- Parameter control: Target function must accept controllable input
Next Steps
After GOT exploitation:
- If successful: You have RCE, spawn shell
- If failed: Check if Full RELRO is enabled, try alternative techniques
- For libc GOT: Consider targeting internal libc functions
- For heap vulnerabilities: Combine with fastbin attacks
References