Exploitation 187
16 .dtors 0000000c 080495ac 080495ac 000005ac 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .jcr 00000004 080495b8 080495b8 000005b8 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .dynamic 000000c8 080495bc 080495bc 000005bc 2**2
CONTENTS, ALLOC, LOAD, DATA
19 .got 00000004 08049684 08049684 00000684 2**2
CONTENTS, ALLOC, LOAD, DATA
20 .got.plt 0000001c 08049688 08049688 00000688 2**2
CONTENTS, ALLOC, LOAD, DATA
21 .data 0000000c 080496a4 080496a4 000006a4 2**2
CONTENTS, ALLOC, LOAD, DATA
22 .bss 00000004 080496b0 080496b0 000006b0 2**2
ALLOC
23 .comment 0000012f 00000000 00000000 000006b0 2**0
CONTENTS, READONLY
24 .debug_aranges 00000058 00000000 00000000 000007e0 2**3
CONTENTS, READONLY, DEBUGGING
25 .debug_pubnames 00000025 00000000 00000000 00000838 2**0
CONTENTS, READONLY, DEBUGGING
26 .debug_info 000001ad 00000000 00000000 0000085d 2**0
CONTENTS, READONLY, DEBUGGING
27 .debug_abbrev 00000066 00000000 00000000 00000a0a 2**0
CONTENTS, READONLY, DEBUGGING
28 .debug_line 0000013d 00000000 00000000 00000a70 2**0
CONTENTS, READONLY, DEBUGGING
29 .debug_str 000000bb 00000000 00000000 00000bad 2**0
CONTENTS, READONLY, DEBUGGING
30 .debug_ranges 00000048 00000000 00000000 00000c68 2**3
CONTENTS, READONLY, DEBUGGING
reader@hacking:~/booksrc $
Another interesting detail about the .dtors section is that it is included in
all binaries compiled with the GNU C compiler, regardless of whether any
functions were declared with the destructor attribute. This means that the
vulnerable format string program, fmt_vuln.c, must have a .dtors section
that contains no destructor entries. This can be inspected using nm and objdump.
reader@hacking:~/booksrc $ nm ./fmt_vuln | grep DTOR
08049694 d __DTOR_END__
08049690 d __DTOR_LIST__
reader@hacking:~/booksrc $ objdump -s -j .dtors ./fmt_vuln
./fmt_vuln: file format elf32-i386
Contents of section .dtors:
8049690 ffffffff 00000000 ........
reader@hacking:~/booksrc $
As this output shows, the distance between __DTOR_LIST__ and __DTOR_END__
is only four bytes this time, which means there are no addresses between them.
The object dump verifies this.
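The check just done by hand (symbol distance from nm, contents from objdump -s) can be automated; the script below is an added example, not code from the book. It parses both outputs, decodes the .dtors layout (0xffffffff head word, destructor pointers, NULL terminator) and verifies that (__DTOR_END__ - __DTOR_LIST__)/4 - 1 matches the number of entries actually dumped, which flags a binary whose .dtors holds an entry that should not be there. The sample output is constructed after this page's session; the one-destructor variant and its address 0x080483b4 are made up.

```python
import re
import struct

# Constructed samples: this page's nm/objdump session (no destructors), plus a made-up
# variant with one destructor at 0x080483b4 (objdump -s shows raw bytes, so "b4830408").
NM_EMPTY = "08049694 d __DTOR_END__\n08049690 d __DTOR_LIST__\n"
OBJDUMP_EMPTY = "Contents of section .dtors:\n 8049690 ffffffff 00000000                    ........\n"
NM_ONE = "08049698 d __DTOR_END__\n08049690 d __DTOR_LIST__\n"
OBJDUMP_ONE = "Contents of section .dtors:\n 8049690 ffffffff b4830408 00000000           ............\n"
DTORS_HEAD = 0xFFFFFFFF  # GCC stores -1 at __DTOR_LIST__ ahead of any destructor pointers

def parse_nm(text):
    """Map symbol name -> address from `nm` output."""
    syms = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-f]{8})\s+\S\s+(\S+)$", line.strip())
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
    return syms

def parse_objdump_section(text):
    """Return (start VMA, raw bytes) from `objdump -s -j <section>` output."""
    vma, data = None, bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*([0-9a-f]+)\s((?:\s?[0-9a-f]{2,8}){1,4})\s", line)
        if m:  # skips banner/blank lines; the {1,4} cap keeps the ASCII column out
            vma = int(m.group(1), 16) if vma is None else vma
            data += bytes.fromhex(m.group(2).replace(" ", ""))
    return vma, bytes(data)

def decode_dtors(data):
    """Destructor addresses between the 0xffffffff head and the NULL terminator (LE x86)."""
    words = struct.unpack("<%dI" % (len(data) // 4), data[: len(data) // 4 * 4])
    if not words or words[0] != DTORS_HEAD:
        raise ValueError("missing 0xffffffff head word")
    if 0 not in words[1:]:
        raise ValueError("missing NULL terminator")
    return list(words[1:words.index(0, 1)])

def check_dtors(nm_text, objdump_text):
    """Cross-check as the text does: (__DTOR_END__ - __DTOR_LIST__)/4 - 1 == entry count."""
    syms = parse_nm(nm_text)
    vma, data = parse_objdump_section(objdump_text)
    lst, end = syms["__DTOR_LIST__"], syms["__DTOR_END__"]
    if vma != lst:
        raise ValueError("section start %#x != __DTOR_LIST__ %#x" % (vma, lst))
    entries = decode_dtors(data)
    if len(entries) != (end - lst) // 4 - 1:
        raise ValueError("nm symbol distance disagrees with dumped contents")
    return entries
```

For a real binary, feed it the captured output of `nm ./prog | grep DTOR` and `objdump -s -j .dtors ./prog`; an empty list is the expected result for a program with no destructor functions.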