Bugtraq mailing list archives
Re: Overwriting ELF .dtors section to modify program execution
From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Fri, 15 Dec 2000 12:46:22 +0100
On Tue, 12 Dec 2000, Guido Bakker wrote:
> * If the target binary is readable by the attacker it will be very easy to determine the exact position where we want to write and point to our shellcode; just analyzing the ELF image and determining the .dtors position will be enough. In this circumstance the reliability of the exploit is usually drastically increased.
> * It is simpler than other techniques like overwriting an entry in the Global Offset Table.
Hi!

It's good to remember that if the program calls exit() (most do) the fnlist is the best place to overwrite. As we described in our Phrack article (http://phrack.infonexus.com/search.phtml?view&article=p56-5): "The fnlist address is dependent on the libc library, so it will be the same for every process on a particular machine." The vulnerable binary does not have to be readable! :)

Greets,

-- 
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
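The exit-time function-pointer tables discussed in this thread (.dtors, and .fini_array on newer toolchains) only matter as an overwrite target while they are still writable when the program runs. As an added example that is not part of this post or of the Phrack article, the following Python audits a little-endian ELF64 image for those sections and reports whether each one is left writable or is covered by a PT_GNU_RELRO segment (made read-only after relocation); the sample image it builds is constructed for the demonstration, not a real binary.

```python
import struct
SHF_WRITE, SHF_ALLOC = 0x1, 0x2
PT_LOAD, PT_GNU_RELRO = 1, 0x6474E552   # RELRO segment: made read-only after relocation
TARGETS = (".dtors", ".fini_array")      # function-pointer tables run at exit

def _sections(data):
    """Yield (name, flags, vaddr, size) for each section of a little-endian ELF64."""
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 58)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
            for i in range(e_shnum)]
    stroff = hdrs[e_shstrndx][4]                     # file offset of .shstrtab
    for sh_name, _, flags, addr, _, size, *_ in hdrs:
        end = data.index(b"\0", stroff + sh_name)
        yield data[stroff + sh_name:end].decode(), flags, addr, size

def _relro_ranges(data):
    """Yield (vaddr, memsz) of every PT_GNU_RELRO program header."""
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _, _, vaddr, _, _, memsz, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            yield vaddr, memsz

def audit_exit_tables(data):
    """Map each exit-time table to 'writable' or 'read-only' (RELRO-covered or not SHF_WRITE)."""
    relro, result = list(_relro_ranges(data)), {}
    for name, flags, addr, size in _sections(data):
        if name in TARGETS:
            covered = any(lo <= addr and addr + size <= lo + sz for lo, sz in relro)
            result[name] = "read-only" if covered or not flags & SHF_WRITE else "writable"
    return result

def build_sample_elf(relro):
    """Constructed minimal ELF64 (not a real binary) with a writable .fini_array."""
    shstrtab = b"\0.fini_array\0.shstrtab\0"
    base, fini_off, fini_size, shoff = 0x400000, 0x200, 8, 0x300
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       base, 64, shoff, 0, 64, 56, 1, 64, 3, 2)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else PT_LOAD, 4 if relro else 6,
                       fini_off, base + fini_off, base + fini_off, fini_size, fini_size, 8)
    image = bytearray(ehdr + phdr).ljust(fini_off, b"\0") + b"\0" * fini_size + shstrtab
    image = image.ljust(shoff, b"\0")
    shdrs = [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             (1, 15, SHF_WRITE | SHF_ALLOC, base + fini_off, fini_off, fini_size, 0, 0, 8, 8),
             (13, 3, 0, 0, fini_off + fini_size, len(shstrtab), 0, 0, 1, 0)]
    return bytes(image + b"".join(struct.pack("<IIQQQQIIQQ", *h) for h in shdrs))
```

On a real binary, pass the file's bytes to audit_exit_tables(); a build linked with full RELRO (-z relro -z now) reports these tables as read-only.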