Vulnerability Development mailing list archives
Re: Overwriting ELF .dtors section to modify program execution
From: Iván Arce <core.lists.exploit-dev () CORE-SDI COM>
Date: Tue, 19 Dec 2000 20:17:56 -0300
This is probably a useless post but I can't help it, I feel obliged to say that Gerardo Richarte has been expounding this and other forms of exploiting buffer overflows for months if not years in several lists and no one seems to credit him.
Maybe he will come out of his cave and compile all the stuff he's been playing with WRT buffer overflows and different ways to exploit them... richie??

-i

---
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse."
- Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================

----- Original Message -----
From: "Pascal Bouchareine" <pb () HERT ORG>
Newsgroups: core.lists.exploit-dev
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, December 17, 2000 1:54 AM
Subject: Re: Overwriting ELF .dtors section to modify program execution
On Fri, Dec 15, 2000 at 12:46:22PM +0100, Mariusz Woloszyn wrote:
> It's good to remind that if the program calls exit() (most do) the fnlist is the best place to overwrite. As we described it in our Phrack article (http://phrack.infonexus.com/search.phtml?view&article=p56-5):

That anyone here should read if they did not already, really great.

> "The fnlist address is dependent on the libc library, so it will be the same for every process on a particular machine."

So true. I wrote a little note about atexit() "abusing" via an argv[] structure (which is very similar to the fnlist one..). I attach this poor thing below, ftip.

Olaf Kirch was one of the first people to mention that an offset was not needed when locally exploiting bugs, given our ability to pass arguments/env vars to a vulnerable program and to guess quite exactly where they will reside in the process memory. This makes format bugs especially clean and easy to exploit.

Sorry for the attachment thing, I have no place to put it online for the time being.

--
Kalou.
ldiq t0, 0xbeeffedadeadbabe
--- For a personal reply use iarce () core-sdi com
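The .dtors overwrite this thread is about (and its modern counterpart, .fini_array) only works if the destructor array is still writable when the overflow happens; a PT_GNU_RELRO segment makes it read-only after relocation. The following is an added example, not code from the thread, that parses ELF64 program headers to answer that question for a given address; the sample image, FINI_VADDR and build_sample_elf are constructed here for illustration.

```python
import struct

# ELF constants from the ELF/GNU ABI; the sample layout below is constructed.
PT_LOAD, PT_GNU_RELRO, PF_W, PF_R = 1, 0x6474E552, 2, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte ELF64 program header

def program_headers(data):
    """Yield (p_type, p_flags, p_vaddr, p_memsz) for each program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:        # ELFCLASS64 only
        raise ValueError("not an ELF64 file")
    fields = EHDR.unpack_from(data)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, p_flags, _off, vaddr, _pa, _fsz, memsz, _al = \
            PHDR.unpack_from(data, phoff + i * phentsize)
        yield p_type, p_flags, vaddr, memsz

def fini_array_writable(data, fini_vaddr):
    """True if fini_vaddr stays writable at run time: it lies in a PF_W PT_LOAD
    segment and no PT_GNU_RELRO segment covers it (RELRO remaps that range
    read-only after relocation, which defeats a .dtors/.fini_array overwrite)."""
    in_rw_load = in_relro = False
    for p_type, p_flags, vaddr, memsz in program_headers(data):
        covers = vaddr <= fini_vaddr < vaddr + memsz
        if p_type == PT_LOAD and (p_flags & PF_W) and covers:
            in_rw_load = True
        if p_type == PT_GNU_RELRO and covers:
            in_relro = True
    return in_rw_load and not in_relro

FINI_VADDR = 0x403E10   # constructed address of .fini_array in the sample image

def build_sample_elf(with_relro):
    """Constructed ELF64 image: one RW PT_LOAD covering FINI_VADDR, plus an
    optional PT_GNU_RELRO over the same range. Headers only, no code."""
    phdrs = [PHDR.pack(PT_LOAD, PF_R | PF_W, 0x3000, 0x403000, 0x403000,
                       0x1000, 0x1000, 0x1000)]
    if with_relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0x3000, 0x403000, 0x403000,
                               0xE20, 0xE20, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LSB, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)

if __name__ == "__main__":
    for relro in (False, True):
        print("RELRO" if relro else "no RELRO", "-> writable:",
              fini_array_writable(build_sample_elf(relro), FINI_VADDR))
```

For a real binary, pass the file bytes and the .fini_array (or .dtors) address from readelf; note that the atexit() fnlist Pascal describes lives in libc's own data, not in an ELF section of the program, so this check does not cover it.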