Vulnerability Development mailing list archives
Re: Overwriting ELF .dtors section to modify program execution
From: Pascal Bouchareine <pb () HERT ORG>
Date: Sat, 16 Dec 2000 21:03:32 +0100
On Fri, Dec 15, 2000 at 12:46:22PM +0100, Mariusz Woloszyn wrote:
> It's good to remind that if the program calls exit() (most do), the fnlist is the best place to overwrite. As we described it in our Phrack article (http://phrack.infonexus.com/search.phtml?view&article=p56-5):

Which anyone here should read if they did not already; really great.

> "The fnlist address is dependent on the libc library, so it will be the same for every process on a particular machine."

So true. I wrote a little note about atexit() "abusing" via an argv[] structure (which is very similar to the fnlist one). I attach this poor thing below, ftip.

Olaf Kirch was one of the first people to mention that an offset was not needed when locally exploiting bugs, given our ability to pass arguments/env vars to a vulnerable program and to guess quite exactly where they will reside in the process memory. This makes format bugs especially clean and easy to exploit.

Sorry for the attachment thing, I have no place to put it online for the time being.

--
Kalou.
ldiq t0, 0xbeeffedadeadbabe
Attachment: heap_atexit.txt
Current thread:
- Re: Overwriting ELF .dtors section to modify program execution Pascal Bouchareine (Dec 17)
- Re: Overwriting ELF .dtors section to modify program execution Iván Arce (Dec 20)