[18110] in bugtraq
Re: Overwriting ELF .dtors section to modify program execution
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Fri Dec 15 18:27:34 2000
Message-Id: <Pine.LNX.4.04.10012151242100.17034-100000@dzyngiel.ipartners.pl>
Date: Fri, 15 Dec 2000 12:46:22 +0100
Reply-To: Mariusz Woloszyn <emsi@IPARTNERS.PL>
From: Mariusz Woloszyn <emsi@IPARTNERS.PL>
X-To: Guido Bakker <guidob@synnergy.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00121209563402.00233@force>
On Tue, 12 Dec 2000, Guido Bakker wrote:
> * If the target binary is readable by the attacker it will be very
> easy to determine the exact position where we want to write and point to
> our shellcode; just analyzing the ELF image and determining the .dtors
> position will be enough. In this circumstance the reliability of the
> exploit is usually drastically increased.
> * It is simpler than other techniques like overwriting an entry in the
> Global Offset Table.
>
Hi!
It's worth reminding that if the program calls exit() (most do), the fnlist is
the best place to overwrite. As we described in our Phrack article
(http://phrack.infonexus.com/search.phtml?view&article=p56-5):
"The fnlist address is dependent on the libc library, so it
will be the same for every process on a particular machine."
The vulnerable binary does not have to be readable! :)
Greets,
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
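A defender's companion to the thread above (added example, not code from either poster or from the Phrack article): it parses an ELF64 image with nothing but the standard library and reports whether a .dtors or .fini_array destructor table is still writable at run time, i.e. flagged SHF_WRITE and not covered by a PT_GNU_RELRO segment, which is the link-time mitigation that takes this write target away. Constants come from the ELF specification and the GNU RELRO extension; `build_sample_elf` is a constructed minimal image used as sample input, and the libc-resident fnlist is outside the scope of a per-binary check.

```python
import struct

SHF_WRITE, SHF_ALLOC = 0x1, 0x2          # Elf64_Shdr.sh_flags bits
SHT_FINI_ARRAY, SHT_STRTAB = 15, 3       # Elf64_Shdr.sh_type values
PT_GNU_RELRO = 0x6474E552                # GNU segment remapped read-only after relocation
FINI_SECTIONS = {".dtors", ".fini_array"}  # destructor tables walked on exit

def parse_elf64(data):
    """Return (relro_ranges, sections) from a little- or big-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e = "<" if data[5] == 1 else ">"
    phoff, shoff = struct.unpack_from(e + "QQ", data, 32)
    phentsize, phnum, shentsize, shnum, shstrndx = struct.unpack_from(e + "HHHHH", data, 54)
    relro = []
    for i in range(phnum):
        p_type, _, _, vaddr, _, _, memsz, _ = struct.unpack_from(e + "IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro.append((vaddr, vaddr + memsz))
    shdrs = [struct.unpack_from(e + "IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab_off = shdrs[shstrndx][4]  # sh_offset of .shstrtab, which holds section names
    def name(off):
        return data[strtab_off + off:data.index(b"\0", strtab_off + off)].decode()
    return relro, [(name(s[0]), s[2], s[3], s[5]) for s in shdrs]  # (name, flags, addr, size)

def unprotected_fini_sections(data):
    """Names of .dtors/.fini_array sections a running process can still write to:
    flagged SHF_WRITE and not fully inside any PT_GNU_RELRO segment."""
    relro, sections = parse_elf64(data)
    return [nm for nm, flags, addr, size in sections
            if nm in FINI_SECTIONS and flags & SHF_WRITE
            and not any(lo <= addr and addr + size <= hi for lo, hi in relro)]

def build_sample_elf(relro_covers_fini):
    """Constructed minimal ELF64 image (sample input, not a real binary): one
    PT_GNU_RELRO segment and a writable .fini_array it does or does not cover."""
    fini_addr, shstr = 0x3FD0, b"\0.fini_array\0.shstrtab\0"
    phoff, shoff = 64, 64 + 56
    shstr_off = shoff + 3 * 64
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9   # ELFCLASS64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, shoff, 0, 64, 56, 1, 64, 3, 2)
    relro_start = 0x3000 if relro_covers_fini else 0x5000
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, relro_start, relro_start, 0x1000, 0x1000, 1)
    def shdr(name, typ, flags, addr, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, flags, addr, off, size, 0, 0, 8, 0)
    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_FINI_ARRAY, SHF_WRITE | SHF_ALLOC, fini_addr, 0, 0x10)
             + shdr(13, SHT_STRTAB, 0, 0, shstr_off, len(shstr)))
    return ehdr + phdr + shdrs + shstr
```

Feeding a real file is a matter of `unprotected_fini_sections(open(path, "rb").read())`; an empty list means the destructor table is read-only by the time user code runs.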