Bugtraq mailing list archives

Re: Overwriting ELF .dtors section to modify program execution


From: Mariusz Woloszyn <emsi () IPARTNERS PL>
Date: Fri, 15 Dec 2000 12:46:22 +0100

On Tue, 12 Dec 2000, Guido Bakker wrote:

        * If the target binary is readable by the attacker it will be very
easy to determine the exact position where we want to write and point to our
shellcode, just by analyzing the ELF image and determining .dtors position
will be enough. In this circumstance the reliability of the exploit is usually
drastically increased.
        * It is simpler than other techniques like overwriting an entry in the
Global Offset Table.

Hi!

It's worth reminding that if the program calls exit() (most do), the fnlist is
the best place to overwrite. As we described in our Phrack article
(http://phrack.infonexus.com/search.phtml?view&article=p56-5):

"The fnlist address is dependent on the libc library, so it
will be the same for every process on a particular machine."

The vulnerable binary does not have to be readable! :)

Greets,

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland

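The thread turns on one precondition: the destructor table (.dtors in the binaries of the day, .fini_array with later toolchains) lives in a section the process can write to, so a single pointer write redirects what runs at exit(). The script below is an added example written for this archive page, not code from either poster or from the Phrack article; it is the check a binary reviewer would run to see whether that precondition holds in a given ELF. It parses the ELF64 section header table, locates .dtors or .fini_array, and reports its file offset, load address, entry count and whether the section carries SHF_WRITE. The sample image it builds is constructed in place (three sections, a hypothetical load base of 0x600000) so the code runs offline; point it at a real file to inspect that instead.

```python
"""Locate the destructor table (.dtors, or .fini_array on newer toolchains)
in an ELF64 image and report whether it sits in a writable section.
Added example for this Bugtraq thread; not code from the original posts."""
import struct

ELF_MAGIC = b"\x7fELF"
SHF_WRITE = 0x1
SHF_ALLOC = 0x2
SHT_PROGBITS = 1
SHT_STRTAB = 3
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, 64 bytes, little-endian
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr, 64 bytes


def parse_sections(elf):
    """Return [(name, info)] for every section header in a little-endian ELF64 image."""
    if elf[:4] != ELF_MAGIC or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, _type, _machine, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, shstrndx) = struct.unpack_from(EHDR_FMT, elf, 0)
    if shnum == 0 or shoff == 0:
        return []  # section headers stripped: nothing to name sections by
    hdrs = [struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = hdrs[shstrndx][4]  # sh_offset of the section-name string table
    sections = []
    for (name_off, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_rest) in hdrs:
        end = elf.index(b"\0", strtab_off + name_off)
        name = elf[strtab_off + name_off:end].decode("ascii", "replace")
        sections.append((name, {"type": sh_type, "flags": sh_flags, "addr": sh_addr,
                                "offset": sh_offset, "size": sh_size}))
    return sections


def destructor_table(elf):
    """Find .dtors or .fini_array and return its metadata plus a 'writable' verdict."""
    for name, sec in parse_sections(elf):
        if name in (".dtors", ".fini_array"):
            return dict(sec, name=name, entries=sec["size"] // 8,
                        writable=bool(sec["flags"] & SHF_WRITE))
    return None


def build_sample_elf(dtors_writable=True):
    """Constructed sample: a minimal ELF64 with NULL, .dtors and .shstrtab sections.
    Not a real executable; it has just enough header structure for the parser."""
    dtors = struct.pack("<QQ", 0xFFFFFFFFFFFFFFFF, 0)  # classic .dtors: -1 marker, 0 terminator
    shstrtab = b"\0.dtors\0.shstrtab\0"                 # name offsets: .dtors=1, .shstrtab=8
    dtors_off = 64
    strtab_off = dtors_off + len(dtors)
    shoff = (strtab_off + len(shstrtab) + 7) & ~7       # section header table, 8-aligned
    dtors_flags = SHF_ALLOC | (SHF_WRITE if dtors_writable else 0)
    base = 0x600000                                     # hypothetical load address
    shdrs = b"".join([
        struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(SHDR_FMT, 1, SHT_PROGBITS, dtors_flags, base + dtors_off,
                    dtors_off, len(dtors), 0, 0, 8, 8),
        struct.pack(SHDR_FMT, 8, SHT_STRTAB, 0, 0, strtab_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LE, version 1
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, base + 0x1000, 0, shoff, 0,
                       64, 56, 0, 64, 3, 2)             # e_type EXEC, x86-64, 3 shdrs, strtab idx 2
    body = ehdr + dtors + shstrtab
    return body + bytes(shoff - len(body)) + shdrs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(destructor_table(data))
```

The verdict is about the file image only: the script reads section flags and does not parse program headers, so on toolchains that emit a PT_GNU_RELRO segment the .fini_array it flags as writable may be remapped read-only by the loader after relocation. Treat "writable" here as "worth checking the RELRO segment next", and note that the libc fnlist the reply mentions is in the C library's data, not in the target binary, so no per-binary check covers it.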