Start with the getenv program, and then use Table 8-2 to get your own values. Also, there is actually no newline between the printf and the double quote.
Taking .dtors to root
Okay, so what? We can overwrite a staged canary value…big deal. It is a big deal because some locations are executable and if overwritten may lead to system redirection and execution of your shellcode. We will look at one of many such locations, called .dtors.
elf32 File Format
When the GNU compiler creates binaries, they are stored in elf32 file format. This format
allows for many tables to be attached to the binary. Among other things, these
tables are used to store pointers to functions the file may need often. There are two tools
you may find useful when dealing with binary files:
• nm Used to dump the addresses of the sections of the elf format file
• objdump Used to dump and examine the individual sections of the file
$ nm ./fmtstr |more
08049448 D _DYNAMIC
08049524 D _GLOBAL_OFFSET_TABLE_
08048410 R _IO_stdin_used
w _Jv_RegisterClasses
08049514 d __CTOR_END__
08049510 d __CTOR_LIST__
0804951c d __DTOR_END__
08049518 d __DTOR_LIST__
080483c8 t __do_global_ctors_aux
080482f4 t __do_global_dtors_aux
08049438 d __dso_handle
Gray Hat Hacking: The Ethical Hacker's Handbook
178
w __gmon_start__
U __libc_start_main@@GLIBC_2.
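The nm listing above marks __DTOR_LIST__ and __DTOR_END__ with a lowercase d, that is, symbols in a writable data section, which is exactly why .dtors is interesting: the section header table tells you where the table lives and whether it is writable. The following script is an added example, not code from the book; it hand-builds a minimal ELF32 image (a constructed stand-in for the fmtstr binary, with a .dtors section at the same address nm reports), parses the section header table the way readelf or objdump would, and flags any destructor or constructor table whose SHF_WRITE bit is set. The function names (build_sample_elf32, parse_sections, writable_function_tables) are hypothetical; the ELF32 structure layouts are the standard ones.

```python
import struct

# ELF32 constants (standard values from the ELF specification)
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
SHT_PROGBITS, SHT_STRTAB = 1, 3
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # 52-byte ELF32 header
SHDR_FMT = "<10I"                # 40-byte ELF32 section header


def build_sample_elf32(writable=True):
    """Constructed minimal ELF32 image with .text, .dtors and .shstrtab.

    With writable=True the .dtors section is WRITE|ALLOC, as in the fmtstr
    binary shown by nm (lowercase 'd'); with writable=False it is ALLOC only,
    the read-only state a hardened (RELRO-style) link produces.
    """
    text = b"\x90" * 16                          # placeholder code bytes
    dtors = struct.pack("<II", 0xFFFFFFFF, 0)    # __DTOR_LIST__ header, __DTOR_END__ terminator
    shstrtab = b"\0.text\0.dtors\0.shstrtab\0"   # name offsets: .text=1, .dtors=7, .shstrtab=14

    text_off = 52
    dtors_off = text_off + len(text)
    shstr_off = dtors_off + len(dtors)
    shoff = shstr_off + len(shstrtab)            # section header table follows the data

    dtors_flags = SHF_WRITE | SHF_ALLOC if writable else SHF_ALLOC
    shdrs = (
        struct.pack(SHDR_FMT, *([0] * 10)) +     # mandatory null section
        struct.pack(SHDR_FMT, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                    0x08048300, text_off, len(text), 0, 0, 16, 0) +
        struct.pack(SHDR_FMT, 7, SHT_PROGBITS, dtors_flags,
                    0x08049518, dtors_off, len(dtors), 0, 0, 4, 4) +
        struct.pack(SHDR_FMT, 14, SHT_STRTAB, 0,
                    0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    )
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELFCLASS32, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, 0x08048300, 0, shoff, 0,
                       52, 32, 0, 40, 4, 3)     # ET_EXEC, EM_386, 4 sections, shstrndx=3
    return ehdr + text + dtors + shstrtab + shdrs


def parse_sections(data):
    """Walk the ELF32 section header table and return one dict per section."""
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    ident, e_shoff, e_shentsize, e_shnum, e_shstrndx = hdr[0], hdr[6], hdr[11], hdr[12], hdr[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 1:
        raise ValueError("not an ELF32 image")
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    str_off = raw[e_shstrndx][4]                 # file offset of .shstrtab
    sections = []
    for sh in raw:
        start = str_off + sh[0]
        name = data[start:data.index(b"\0", start)].decode()
        sections.append({"name": name, "type": sh[1], "flags": sh[2],
                         "addr": sh[3], "offset": sh[4], "size": sh[5]})
    return sections


def writable_function_tables(data):
    """Return {section: (load address, entries)} for every function-pointer
    table (.dtors/.ctors and their newer .fini_array/.init_array forms) that is
    still writable at run time. An empty result is what a defender wants."""
    found = {}
    for s in parse_sections(data):
        if s["name"] in (".dtors", ".ctors", ".fini_array", ".init_array") and s["flags"] & SHF_WRITE:
            count = s["size"] // 4
            entries = list(struct.unpack_from("<%dI" % count, data, s["offset"]))
            found[s["name"]] = (s["addr"], entries)
    return found


if __name__ == "__main__":
    for label, image in (("weak", build_sample_elf32()), ("hardened", build_sample_elf32(writable=False))):
        tables = writable_function_tables(image)
        print(label, "writable tables:", {n: (hex(a), [hex(e) for e in v]) for n, (a, v) in tables.items()})
```

Run as-is, the "weak" image reports .dtors at 0x08049518 with the 0xffffffff header and 0 terminator that nm places at __DTOR_LIST__ and __DTOR_END__, while the "hardened" image reports nothing; pointing parse_sections at a real file (open(path, "rb").read()) gives the same view of a compiled binary's tables.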