Vulnerability Development mailing list archives

Re: Overwriting ELF .dtors section to modify program execution


From: Iván Arce <core.lists.exploit-dev () CORE-SDI COM>
Date: Tue, 19 Dec 2000 20:17:56 -0300

This is probably a useless post but I can't help it; I feel
obliged to say that Gerardo Richarte has been
expounding this and other forms of exploiting buffer
overflows for months if not years on several lists and no
one seems to credit him.
Maybe he will come out of his cave and compile all the
stuff he's been playing with WRT buffer overflows and
different ways to exploit them... richie??

-i

---

"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce


==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email   : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================



----- Original Message -----
From: "Pascal Bouchareine" <pb () HERT ORG>
Newsgroups: core.lists.exploit-dev
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, December 17, 2000 1:54 AM
Subject: Re: Overwriting ELF .dtors section to modify program execution


On Fri, Dec 15, 2000 at 12:46:22PM +0100, Mariusz Woloszyn wrote:
> It's good to remind that if a program calls exit() (most do) the fnlist is
> the best place to overwrite. As we described it in our Phrack article
> (http://phrack.infonexus.com/search.phtml?view&article=p56-5):

Anyone here should read that if they haven't already; it's really great.

"The fnlist address is dependent on the libc library, so it
will be the same for every process on a particular machine."

So true. I wrote a little note about atexit() "abusing" via an argv[]
structure (which is very similar to the fnlist one..). I attach this
poor thing below, ftip.

Olaf Kirch was one of the first people to mention that an offset was
not needed when locally exploiting bugs, given our ability to pass
arguments/env vars to a vulnerable program, and to guess quite exactly
where they will reside in the process memory.

This makes it especially clean and easy to exploit format bugs.

Sorry for the attachment thing, I have no place to put it online for
the time being.

--
Kalou.
                             ldiq    t0, 0xbeeffedadeadbabe


