/dtor |grep goodbye
08048386 t goodbye
Next let's look at the location of the DTOR section in the file:
$ nm ./dtor |grep DTOR
08049508 d __DTOR_END__
08049500 d __DTOR_LIST__
Chapter 8: Advanced Linux Exploits
179
PART III
Finally, let's check the contents of the .dtors section:
$ objdump -s -j .dtors ./dtor
./dtor: file format elf32-i386
Contents of section .dtors:
8049500 ffffffff 86830408 00000000 ............
$
Yep, as you can see, a pointer to the goodbye function is stored in the DTOR section
between the 0xffffffff and 0x00000000 markers. Again, notice the little-endian notation.
Putting It All Together
Now back to our vulnerable format string program: fmtstr. Recall the location of the
DTORS section:
$ nm ./fmtstr |grep DTOR #notice how we are only interested in DTOR
0804951c d __DTOR_END__
08049518 d __DTOR_LIST__
And the initial values (empty):
$ objdump -s -j .dtors ./fmtstr
./fmtstr: file format elf32-i386
Contents of section .dtors:
8049518 ffffffff 00000000 ........
$
It turns out that if we overwrite either an existing function pointer in DTORS or the
ending marker (0x00000000) with our target return address (in this case our shellcode
address), the program will happily jump to that location and execute.
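The .dtors layout described above (a 0xffffffff header, little-endian function pointers, a 0x00000000 terminator) can be decoded mechanically. The following parser is an added example, not code from the book; it walks the two objdump dumps shown above, which are embedded here as constructed sample input, and reports each destructor slot with its decoded pointer.

```python
import struct

# Constructed sample: the objdump -s -j .dtors output for ./dtor shown above
DTOR_DUMP = "8049500 ffffffff 86830408 00000000 ............\n"
# Constructed sample: the empty .dtors of ./fmtstr shown above
FMTSTR_DUMP = "8049518 ffffffff 00000000 ........\n"

HEXDIGITS = set("0123456789abcdef")


def _is_hex(token):
    return 0 < len(token) <= 8 and all(c in HEXDIGITS for c in token)


def parse_objdump_section(dump):
    """Turn 'objdump -s' hex lines into (section_base_address, raw_bytes).

    objdump prints at most four 32-bit words per line, in memory byte order,
    followed by an ASCII column that we ignore.
    """
    base, raw = None, bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not _is_hex(tokens[0]):
            continue
        if base is None:
            base = int(tokens[0], 16)
        for word in tokens[1:5]:
            if not _is_hex(word):
                break
            raw += bytes.fromhex(word)  # hex words are already in memory order
    return base, bytes(raw)


def dtors_entries(base, raw):
    """Walk an ELF32 .dtors list and return [(slot_address, pointer), ...].

    The list starts with the 0xffffffff marker (__DTOR_LIST__) and ends at the
    0x00000000 terminator; every word in between is a little-endian pointer
    that the runtime calls at exit, so the byte string 86 83 04 08 decodes
    to 0x08048386 (the goodbye function in the dump above).
    """
    usable = len(raw) - len(raw) % 4
    words = [struct.unpack("<I", raw[i:i + 4])[0] for i in range(0, usable, 4)]
    if not words or words[0] != 0xFFFFFFFF:
        raise ValueError("missing __DTOR_LIST__ header marker")
    entries = []
    for idx, word in enumerate(words[1:], start=1):
        if word == 0:
            return entries  # terminator reached: list is well formed
        entries.append((base + 4 * idx, word))
    raise ValueError("no 0x00000000 terminator: .dtors list is unterminated")
```

On a modern toolchain the same walk applies to .fini_array, which has no markers and which full RELRO maps read-only after relocation, so this kind of overwrite is no longer possible there.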