
Re: overwriting .dtors using gcc 3



On Tue, 7 Oct 2003, DownBload wrote:

> Now we see .dynamic section between .data and .dtors section.  That
> section will be overflowed if we want to overflow .dtors, and that is
> not good.
> .dtors technique will still work for format string bugs, wild pointers
> etc.

You can try to solve this problem by setting LD_BIND_NOW=1 in environment, to
force the dynamic linker to process all relocations before transferring
control to the program. See abo7-ex.c in:

http://www.0xdeadbeef.info/code/abo-raptor.tgz

Some other useful exploitation examples:

http://www.0xdeadbeef.info/code/misc-raptor.tgz
http://www.0xdeadbeef.info/code/vulndev-raptor.tgz

Cheers,

:raptor
-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707
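The exchange above is about which writable sections sit near .dtors and whether the loader has finished with them before main() runs. The check a defender wants here is the mirror image: is the function-pointer table (.dtors on gcc 3, .fini_array on current toolchains), the GOT and .dynamic still writable once the program is running, or does the binary carry a PT_GNU_RELRO segment that ld.so marks read-only after relocation? The following script is an added example, not code from the thread or from the raptor archives; it parses little-endian ELF64 headers directly (no readelf needed), reports those sections, and includes a constructed minimal ELF image so it runs without a real binary. Note that the runtime LD_BIND_NOW=1 trick from the reply only resolves relocations eagerly; it is the link-time -z relro (plus -z now for full RELRO) that emits the PT_GNU_RELRO segment this check looks for.

```python
import struct
import sys

# ELF64 constants (from the ELF specification and the GNU ABI extension)
PT_GNU_RELRO = 0x6474E552
SHF_WRITE, SHF_ALLOC = 0x1, 0x2
SHT_PROGBITS, SHT_STRTAB, SHT_FINI_ARRAY = 1, 3, 15
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr

# Sections the thread is about: tables the loader/libc reads after main()
# has started, so an out-of-bounds write into them changes control flow.
WATCH = (".dtors", ".ctors", ".fini_array", ".init_array",
         ".got", ".got.plt", ".dynamic")


def analyze(elf: bytes) -> dict:
    """Map each WATCH section present in a little-endian ELF64 image to whether
    it is flagged writable and whether a PT_GNU_RELRO segment covers it."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, _, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(EHDR, elf, 0)

    relro = []                                   # (start, end) vaddr ranges
    for i in range(phnum):
        p_type, _, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            PHDR, elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro.append((p_vaddr, p_vaddr + p_memsz))

    def shdr(idx):
        return struct.unpack_from(SHDR, elf, shoff + idx * shentsize)

    _, _, _, _, str_off, str_size, _, _, _, _ = shdr(shstrndx)
    strtab = elf[str_off:str_off + str_size]     # section name string table

    report = {}
    for i in range(shnum):
        sh_name, _, sh_flags, sh_addr, _, sh_size, _, _, _, _ = shdr(i)
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode()
        if name in WATCH:
            report[name] = {
                "writable": bool(sh_flags & SHF_WRITE),
                "relro": any(s <= sh_addr and sh_addr + sh_size <= e
                             for s, e in relro),
            }
    return report


def exposed(report: dict) -> list:
    """Names of watched sections that stay writable for the whole run."""
    return sorted(n for n, r in report.items()
                  if r["writable"] and not r["relro"])


def build_sample_elf(with_relro: bool) -> bytes:
    """Constructed sample (not a real binary): a minimal ELF64 image with
    .fini_array, .got and .data, optionally wrapped in PT_GNU_RELRO."""
    names = [".fini_array", ".got", ".data", ".shstrtab"]
    strtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b"\0"
    base = 0x400000
    phnum = 2 if with_relro else 1
    body_off = 64 + 56 * phnum                   # sections follow the phdrs
    specs = [(".fini_array", SHT_FINI_ARRAY, SHF_ALLOC | SHF_WRITE, 16),
             (".got", SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, 24),
             (".data", SHT_PROGBITS, SHF_ALLOC | SHF_WRITE, 8),
             (".shstrtab", SHT_STRTAB, 0, len(strtab))]
    body, shdrs, off = b"", [struct.pack(SHDR, *([0] * 10))], body_off
    for name, typ, flags, size in specs:
        addr = base + off if flags & SHF_ALLOC else 0
        shdrs.append(struct.pack(SHDR, name_off[name], typ, flags, addr,
                                 off, size, 0, 0, 8, 0))
        body += strtab if name == ".shstrtab" else b"\0" * size
        off += size
    shoff = off
    total = shoff + 64 * len(shdrs)
    phdrs = struct.pack(PHDR, 1, 6, 0, base, base, total, total, 0x1000)
    if with_relro:                               # covers .fini_array and .got only
        relro_addr = base + body_off
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, body_off, relro_addr,
                             relro_addr, 40, 40, 1)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1,
                       base, 64, shoff, 0, 64, 56, phnum, 64, len(shdrs),
                       len(shdrs) - 1)
    return ehdr + phdrs + body + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python relro_check.py [path-to-elf]; defaults to the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], "exposed:", exposed(analyze(f.read())))
    else:
        for flag in (False, True):
            rep = analyze(build_sample_elf(flag))
            print("sample relro=%s exposed=%s" % (flag, exposed(rep)))
```

Run against a real binary, an empty list for the watched sections means the loader will mprotect them read-only before main() runs, which is what removes the .dtors/.fini_array target discussed in the thread; a non-empty list means the binary was linked without -z relro (or, for .got.plt, without -z now).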