16 .dtors 0000000c 080495ac 080495ac 000005ac 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .jcr 00000004 080495b8 080495b8 000005b8 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dynamic 000000c8 080495bc 080495bc 000005bc 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got 00000004 08049684 08049684 00000684 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got.plt 0000001c 08049688 08049688 00000688 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .data 0000000c 080496a4 080496a4 000006a4 2**2
CONTENTS, ALLOC, LOAD, DATA
22 .bss 00000004 080496b0 080496b0 000006b0 2**2
ALLOC
23 .comment 0000012f 00000000 00000000 000006b0 2**0
CONTENTS, READONLY
24 .debug_aranges 00000058 00000000 00000000 000007e0 2**3
CONTENTS, READONLY, DEBUGGING
25 .debug_pubnames 00000025 00000000 00000000 00000838 2**0
CONTENTS, READONLY, DEBUGGING
26 .debug_info 000001ad 00000000 00000000 0000085d 2**0
CONTENTS, READONLY, DEBUGGING
27 .debug_abbrev 00000066 00000000 00000000 00000a0a 2**0
CONTENTS, READONLY, DEBUGGING
28 .debug_line 0000013d 00000000 00000000 00000a70 2**0
CONTENTS, READONLY, DEBUGGING
29 .debug_str 000000bb 00000000 00000000 00000bad 2**0
CONTENTS, READONLY, DEBUGGING
30 .debug_ranges 00000048 00000000 00000000 00000c68 2**3
CONTENTS, READONLY, DEBUGGING
reader@hacking:~/booksrc $
Another interesting detail about the .dtors section is that it is included in
all binaries compiled with the GNU C compiler, regardless of whether any
functions were declared with the destructor attribute. This means that the
vulnerable format string program, fmt_vuln.c, must have a .dtors section
containing nothing. This can be inspected using nm and objdump.
reader@hacking:~/booksrc $ nm ./fmt_vuln | grep DTOR
08049694 d __DTOR_END__
08049690 d __DTOR_LIST__
reader@hacking:~/booksrc $ objdump -s -j .dtors ./fmt_vuln
./fmt_vuln: file format elf32-i386
Contents of section .dtors:
8049690 ffffffff 00000000 ........
reader@hacking:~/booksrc $
As this output shows, the distance between __DTOR_LIST__ and __DTOR_END__
is only four bytes this time, which means there are no addresses between them.
The object dump verifies this.
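The same reading of the section contents can be done programmatically when auditing a binary. The following is an added example, not code from the original text: it walks raw .dtors bytes as laid out in the objdump -s output above and counts the addresses between the two markers. The function name dtors_entries, the 12-byte sample, and its address 0x080483e8 are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read one little-endian 32-bit word (elf32-i386 byte order). */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk raw .dtors bytes: 0xffffffff head (__DTOR_LIST__), zero or more
 * function addresses, 0x00000000 terminator (__DTOR_END__).
 * Stores up to max addresses in out; returns the entry count,
 * or -1 if the layout is malformed. */
int dtors_entries(const uint8_t *sec, size_t len, uint32_t *out, size_t max) {
    if (len < 8 || len % 4 != 0 || le32(sec) != 0xffffffffu)
        return -1;
    int n = 0;
    for (size_t off = 4; off < len; off += 4) {
        uint32_t w = le32(sec + off);
        if (w == 0)
            return n;              /* reached __DTOR_END__ */
        if ((size_t)n < max)
            out[n] = w;
        n++;
    }
    return -1;                     /* no terminator found */
}

/* Bytes from the objdump -s output for ./fmt_vuln above. */
static const uint8_t fmt_vuln_dtors[] = {
    0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00 };
/* Constructed 12-byte sample with one entry; 0x080483e8 is a made-up address. */
static const uint8_t sample_dtors[] = {
    0xff, 0xff, 0xff, 0xff, 0xe8, 0x83, 0x04, 0x08, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    uint32_t addrs[4] = {0};
    int n = dtors_entries(fmt_vuln_dtors, sizeof fmt_vuln_dtors, addrs, 4);
    printf("fmt_vuln: %d destructor entries\n", n);
    n = dtors_entries(sample_dtors, sizeof sample_dtors, addrs, 4);
    printf("sample:   %d destructor entries, first 0x%08x\n", n, (unsigned)addrs[0]);
    return 0;
}
```

For the fmt_vuln bytes the count is zero, matching the four-byte distance between __DTOR_LIST__ and __DTOR_END__ reported by nm.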