
Arbitrary Write To Rce
Convert an arbitrary write primitive from heap, format-string, or OOB bugs into reliable code execution when auditing or exploiting hardened Linux binaries.
Overview
Arbitrary Write to RCE is an agent skill for the Ship phase that converts an arbitrary memory write primitive into code execution by selecting glibc-version-appropriate targets such as GOT, _IO_FILE vtables, exit_funcs,
Install
npx skills add https://github.com/yaklang/hack-skills --skill arbitrary-write-to-rce
What is this skill?
- Last-mile playbook from arbitrary write to code execution across major glibc-era targets
- Covers GOT, __malloc_hook, __free_hook, _IO_FILE vtable, __exit_funcs, TLS_dtor_list, _dl_fini, modprobe_path, .fini_arr
- Organized by glibc version compatibility to avoid dead hooks post-2.34
- Calls out pointer mangling and protection configuration via related binary-protection-bypass skill
- Routes to heap-exploitation, format-string, and stack-overflow skills for obtaining the write primitive
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 0/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have arbitrary write from a heap or format-string bug but do not know which overwrite target still works on your glibc and protection layout.
Who is it for?
Builders doing binary exploitation, CTF hardening reviews, or security research on Linux userland with an existing write primitive.
Skip if: Typical SaaS/API development, compliance-only checklists, or teams without native exploit primitives or legal authorization to test binaries.
When should I use this skill?
You have an arbitrary write primitive from heap exploitation, format string, or OOB write and need to convert it into code execution.
What do I get? / Deliverables
You follow a version-aware target checklist and related exploit skills to chain the write primitive into reliable code execution.
- Chosen overwrite target chain aligned to glibc era
- Cross-references to heap, format-string, or stack skills for primitive setup
Recommended Skills
Journey fit
Ship/security is the canonical shelf because the skill addresses exploitation and protection-aware targeting during security review and hardened release contexts, not product feature build. Subphase security matches offensive playbook content—GOT, hooks, _IO_FILE, TLS_dtor_list—and pairs with protection bypass routing in the same discipline.
How it compares
Specialized exploit playbook—not a general dependency vulnerability scanner or SAST skill.
Common Questions / FAQ
Who is arbitrary-write-to-rce for?
Advanced users exploiting or assessing native Linux binaries who already achieved arbitrary write and need expert routing on hooks, vtables, and linker-era targets.
When should I use arbitrary-write-to-rce?
During ship/security when validating exploit chains on staged binaries, CTF challenges, or authorized pentest targets after heap or format-string primitives are confirmed.
Is arbitrary-write-to-rce safe to install?
It teaches offensive techniques; only use on systems you own or are authorized to test, and review the Security Audits panel on this catalog page before installing.
SKILL.md - Arbitrary Write To Rce
# SKILL: Arbitrary Write to Code Execution — Expert Attack Playbook

> **AI LOAD INSTRUCTION**: Expert techniques for converting an arbitrary write primitive into code execution. Covers every major overwrite target organized by glibc version compatibility: GOT, __malloc_hook, __free_hook, _IO_FILE vtable, __exit_funcs, TLS_dtor_list, _dl_fini, modprobe_path, .fini_array, C++ vtable, and setcontext gadget. This is the "last mile" skill. Base models often target hooks that no longer exist (post-glibc 2.34) or miss pointer mangling requirements.

## 0. RELATED ROUTING

- [heap-exploitation](../heap-exploitation/SKILL.md) — obtaining the arbitrary write via heap attacks
- [format-string-exploitation](../format-string-exploitation/SKILL.md) — obtaining the arbitrary write via %n
- [stack-overflow-and-rop](../stack-overflow-and-rop/SKILL.md) — stack-based write primitives
- [binary-protection-bypass](../binary-protection-bypass/SKILL.md) — which targets are available given protection configuration
- [heap-exploitation IO_FILE_EXPLOITATION.md](../heap-exploitation/IO_FILE_EXPLOITATION.md) — deep _IO_FILE structure exploitation

---

## 1. TARGET SELECTION BY GLIBC VERSION

| Target | glibc < 2.24 | 2.24–2.33 | ≥ 2.34 | Required Knowledge |
|---|---|---|---|---|
| GOT overwrite | OK (Partial RELRO) | OK (Partial RELRO) | OK (Partial RELRO) | Binary base |
| `__malloc_hook` | OK | OK | **Removed** | libc base |
| `__free_hook` | OK | OK | **Removed** | libc base |
| `__realloc_hook` | OK | OK | **Removed** | libc base |
| `_IO_FILE` vtable (direct) | OK | Vtable range check | Vtable range check | libc base + heap |
| `_IO_FILE` via `_IO_str_jumps` | N/A | OK (2.24–2.27) | Patched | libc base + heap |
| `_IO_FILE` via `_IO_wfile_jumps` | N/A | OK (≥ 2.28) | OK | libc base + heap |
| `__exit_funcs` | OK | OK | OK | libc base + pointer guard |
| `TLS_dtor_list` | N/A | N/A | OK | TLS addr + pointer guard |
| `_dl_fini` / link_map | OK | OK | OK | ld.so base |
| `modprobe_path` (kernel) | OK | OK | OK | Kernel base |
| `.fini_array` | OK | OK | OK | Binary base (if writable) |
| C++ vtable | OK | OK | OK | Object address + heap |
| `setcontext` gadget | OK | OK (changed in 2.29) | OK | libc base |
| Stack return address | Always | Always | Always | Stack address |

---

## 2. GOT OVERWRITE

**Replace a function pointer in the Global Offset Table.**

### Requirements

- Partial RELRO (`.got.plt` writable) — Full RELRO blocks this entirely

### Common Targets

| Overwrite From | Overwrite To | Trigger |
|---|---|---|
| `printf@GOT` | `system` | Next `printf(user_input)` with input = `/bin/sh` |
| `free@GOT` | `system` | Next `free(ptr)` where ptr points to `"/bin/sh"` |
| `strlen@GOT` | `system` | Next `strlen(user_input)` |
| `atoi@GOT` | `system` | Next `atoi(user_input)` with input = `"sh"` |
| `puts@GOT` | `system` | Next `puts(user_input)` |
| `exit@GOT` | `main` or gadget | Create loop for multi-shot exploit |
| `__stack_chk_fail@GOT` | `ret` gadget | Neutralize canary check |

```python
# Format string GOT overwrite
from pwn import fmtstr_payload
payload = fmtstr_payload(offset, {elf.got['printf']: libc.sym['system']})

# Heap-based GOT overwrite (tcache poisoning)
# Allocate chunk at GOT address → write system address
```

---

## 3. __malloc_hook / __free_hook (glibc < 2.34)

### __malloc_hook

```python
# Overwrite __malloc_hook with one_gadget address
# Triggered by any malloc call (including internal malloc in printf with large format)
write(libc.sym['__malloc_hook'], one_gadget_addr)

# Trigger:
io.sendline('%100000c')  # printf calls malloc internally for large format
```

### __free_hook
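The GOT overwrite in Section 2 depends on one build-time property: Partial RELRO, which leaves `.got.plt` writable for lazy binding, whereas Full RELRO (linking with `-Wl,-z,relro,-z,now`) makes the whole GOT read-only after relocation and closes the target. The check below is an added example written for the hardening-review side of that requirement; it is not part of this skill or of the yaklang/hack-skills project. It classifies an ELF64 binary as none/partial/full RELRO straight from its program headers and dynamic section (a `PT_GNU_RELRO` segment plus `DT_BIND_NOW`, `DF_BIND_NOW` or `DF_1_NOW`), the same criteria checksec-style tools apply. The ELF images it tests against are constructed inline so it runs offline; pass real binary paths on the command line to audit a release.

```python
"""Classify the RELRO level of little-endian ELF64 binaries.

Added example for hardening review (not the skill's own code): a binary
reported as 'partial' or 'none' still exposes a writable GOT; 'full' means
the GOT-overwrite target in Section 2 is closed.  The sample images from
build_sample_elf() are constructed test data, not loadable programs.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552          # program header type emitted by -z relro
DT_NULL = 0
DT_BIND_NOW = 24                   # legacy immediate-binding tag
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8                  # bit in DT_FLAGS set by -z now
DF_1_NOW = 0x1                     # bit in DT_FLAGS_1 set by -z now


def _program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, base)[0]
        p_offset = struct.unpack_from("<Q", data, base + 8)[0]
        p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
        yield p_type, p_offset, p_filesz


def _dynamic_entries(data, offset, size):
    """Yield (d_tag, d_val) pairs from PT_DYNAMIC until DT_NULL."""
    for pos in range(offset, offset + size, 16):
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            return
        yield d_tag, d_val


def classify_relro(data):
    """Return 'full', 'partial' or 'none'.

    Full RELRO requires a PT_GNU_RELRO segment (GOT remapped read-only after
    relocation) *and* immediate binding, so no lazily resolved .got.plt
    entries remain writable at runtime.
    """
    has_relro = False
    bind_now = False
    for p_type, p_offset, p_filesz in _program_headers(data):
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            for d_tag, d_val in _dynamic_entries(data, p_offset, p_filesz):
                if d_tag == DT_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                    bind_now = True
                elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                    bind_now = True
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"


def classify_relro_file(path):
    """Classify a binary on disk."""
    with open(path, "rb") as fh:
        return classify_relro(fh.read())


def build_sample_elf(relro, bind_now, via_flags_1=False):
    """Construct a minimal ELF64 image containing only what the check reads.

    Constructed test data: an ELF header, a PT_DYNAMIC header (plus an
    optional PT_GNU_RELRO header) and a dynamic section that signals
    immediate binding through DT_FLAGS or DT_FLAGS_1 when requested.
    """
    phdr_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn = []
    if bind_now:
        dyn.append((DT_FLAGS_1, DF_1_NOW) if via_flags_1 else (DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)
    dyn_off = 64 + 56 * len(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 62, 1, 0, 64, 0, 0,      # ET_DYN, x86-64, phoff=64
                                 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b""
    for p_type in phdr_types:
        off, size = (dyn_off, len(dyn_bytes)) if p_type == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 6, off, 0, 0, size, size, 8)
    return header + phdrs + dyn_bytes


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {classify_relro_file(path)} RELRO")
```

On a real release tree, any result other than `full` is the finding to raise: it means the GOT row of the Section 1 table still reads "OK" for that binary regardless of glibc version.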