In part three, we introduced an example program named “big-roi” and discussed its defenses against binary exploitation. We can finally take everything we learned from the previous posts and build an exploit that leverages glibc.
In the previous blog post in this series, we examined the memory layout of a program at runtime on Linux and how glibc fits in with that model. In particular, we looked at the call stack, how it can be abused to leak information, and its relationship with ASLR. In this post, we will look at a purposely-vulnerable example program and its built-in defenses in preparation for hacking it.
In part one of this series, we examined the GNU C library and its relationship with a program and the operating system. We also reviewed tools and methods for figuring out important details such as glibc’s version and where it is loaded in a program’s memory at runtime. In this part, we will look at what is involved in locating glibc in memory by leveraging a program’s memory layout, and identifying glibc’s version based on code loaded in memory.
The GNU C Library (glibc) is an open-source implementation of the C standard library that is primarily found on Linux-based operating systems. It provides a powerful set of APIs that simplify interacting with operating systems, as well as functions and code for creating programs. From a hacker’s perspective, this functionality can be repurposed to extend an exploit’s capabilities and viability. In this series, we will explore leveraging glibc to exploit a vulnerable program on a x86 64-bit CPU.