Hacking - The Art of Exploitation, 2nd Edition

Exploitation 191

This section consists of a series of small jump stubs, one for each imported function. A stub does not contain the function's address itself: its first instruction is an indirect jump through a word in the global offset table (GOT), which is where the dynamic linker writes the resolved address of the library function. The PLT works like a springboard: each time a shared library function is called, control passes through its PLT stub and out through the corresponding GOT entry.

An object dump disassembling the PLT section of the vulnerable format string program (fmt_vuln.c) shows these jump instructions:


reader@hacking:~/booksrc $ objdump -d -j .plt ./fmt_vuln

./fmt_vuln: file format elf32-i386

Disassembly of section .plt:

080482b8 <__gmon_start__@plt-0x10>:
80482b8: ff 35 6c 97 04 08 pushl 0x804976c
80482be: ff 25 70 97 04 08 jmp *0x8049770
80482c4: 00 00 add %al,(%eax)
...

080482c8 <__gmon_start__@plt>:
80482c8: ff 25 74 97 04 08 jmp *0x8049774
80482ce: 68 00 00 00 00 push $0x0
80482d3: e9 e0 ff ff ff jmp 80482b8 <_init+0x18>

080482d8 <__libc_start_main@plt>:
80482d8: ff 25 78 97 04 08 jmp *0x8049778
80482de: 68 08 00 00 00 push $0x8
80482e3: e9 d0 ff ff ff jmp 80482b8 <_init+0x18>

080482e8 <strcpy@plt>:
80482e8: ff 25 7c 97 04 08 jmp *0x804977c
80482ee: 68 10 00 00 00 push $0x10
80482f3: e9 c0 ff ff ff jmp 80482b8 <_init+0x18>

080482f8 <printf@plt>:
80482f8: ff 25 80 97 04 08 jmp *0x8049780
80482fe: 68 18 00 00 00 push $0x18
8048303: e9 b0 ff ff ff jmp 80482b8 <_init+0x18>

08048308 <exit@plt>:
8048308: ff 25 84 97 04 08 jmp *0x8049784
804830e: 68 20 00 00 00 push $0x20
8048313: e9 a0 ff ff ff jmp 80482b8 <_init+0x18>
reader@hacking:~/booksrc $


One of these stubs, exit@plt, is used for the exit() call at the end of the program. Its first instruction, jmp *0x8049784, does not jump to a fixed address: it jumps to whatever address is stored in the word at 0x8049784, the entry for exit() in the global offset table (GOT). The push and the final jmp back to the first entry are only taken on the first call, when the GOT word still points back into the stub and the dynamic linker has to resolve the symbol; after that, the GOT word holds the address of exit() in libc. If that stored word can be overwritten with the address of shellcode, the program's final call to exit() will spawn a root shell instead. Patching the jump instruction itself is not an option: below, the procedure linking table is shown to be read only.
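The following C program is an added example and is not code from the book. It decodes the raw .plt bytes copied from the objdump listing above (embedded as a constructed array; the four padding bytes after PLT0, which the listing elides, are assumed to be zero) and reports, for every stub, the GOT word it jumps through, the relocation index it pushes, and where its trailing jump lands. Since .plt itself carries no symbol names, the names are supplied by hand in stub order. The got_slot_for() lookup returns the one address an exploit actually needs from this listing: the writable GOT word behind exit@plt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the .plt bytes of fmt_vuln (elf32-i386) as shown in the
   objdump listing, starting at PLT0 (0x080482b8). PLT0's padding is assumed to
   be four zero bytes; the listing elides them. */
#define PLT_BASE 0x080482b8u
#define STUB_LEN 16

static const uint8_t plt_bytes[] = {
    /* PLT0: pushl GOT+4 ; jmp *GOT+8 ; padding */
    0xff,0x35,0x6c,0x97,0x04,0x08, 0xff,0x25,0x70,0x97,0x04,0x08, 0x00,0x00,0x00,0x00,
    /* __gmon_start__@plt */
    0xff,0x25,0x74,0x97,0x04,0x08, 0x68,0x00,0x00,0x00,0x00, 0xe9,0xe0,0xff,0xff,0xff,
    /* __libc_start_main@plt */
    0xff,0x25,0x78,0x97,0x04,0x08, 0x68,0x08,0x00,0x00,0x00, 0xe9,0xd0,0xff,0xff,0xff,
    /* strcpy@plt */
    0xff,0x25,0x7c,0x97,0x04,0x08, 0x68,0x10,0x00,0x00,0x00, 0xe9,0xc0,0xff,0xff,0xff,
    /* printf@plt */
    0xff,0x25,0x80,0x97,0x04,0x08, 0x68,0x18,0x00,0x00,0x00, 0xe9,0xb0,0xff,0xff,0xff,
    /* exit@plt */
    0xff,0x25,0x84,0x97,0x04,0x08, 0x68,0x20,0x00,0x00,0x00, 0xe9,0xa0,0xff,0xff,0xff,
};

/* .plt has no symbol names (objdump takes them from .rel.plt and .dynsym);
   they are supplied here by hand, in stub order, from the listing. */
static const char *const stub_names[] = {
    "__gmon_start__", "__libc_start_main", "strcpy", "printf", "exit",
};
#define NUM_NAMES (sizeof stub_names / sizeof stub_names[0])

struct plt_stub {
    const char *name;
    uint32_t addr;       /* virtual address of the stub */
    uint32_t got_slot;   /* operand of jmp *imm32: the GOT word holding the target */
    uint32_t reloc_off;  /* operand of push imm32: byte offset into .rel.plt */
    uint32_t reloc_idx;  /* reloc_off / sizeof(Elf32_Rel), i.e. / 8 */
    uint32_t resolver;   /* target of the trailing jmp rel32, expected to be PLT0 */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode one 16-byte lazy-binding stub located at virtual address `addr`.
   Returns 0 on success, -1 if the bytes lack the ff 25 / 68 / e9 shape. */
int decode_plt_stub(const uint8_t *p, uint32_t addr, struct plt_stub *out) {
    if (p[0] != 0xff || p[1] != 0x25) return -1;   /* jmp *imm32 */
    if (p[6] != 0x68) return -1;                    /* push imm32 */
    if (p[11] != 0xe9) return -1;                   /* jmp rel32 */
    out->name = NULL;
    out->addr = addr;
    out->got_slot = rd32(p + 2);
    out->reloc_off = rd32(p + 7);
    out->reloc_idx = out->reloc_off / 8;
    /* rel32 is relative to the end of the 5-byte jmp, i.e. the next stub */
    out->resolver = addr + STUB_LEN + rd32(p + 12);
    return 0;
}

/* Decode every stub after PLT0; stops at the first malformed one. */
size_t decode_plt(struct plt_stub *out, size_t max) {
    size_t n = 0;
    for (size_t off = STUB_LEN; off + STUB_LEN <= sizeof plt_bytes && n < max; off += STUB_LEN) {
        if (decode_plt_stub(plt_bytes + off, PLT_BASE + off, &out[n]) != 0) break;
        out[n].name = n < NUM_NAMES ? stub_names[n] : "?";
        n++;
    }
    return n;
}

static int find_stub(const char *name, struct plt_stub *out) {
    struct plt_stub stubs[8];
    size_t n = decode_plt(stubs, 8);
    for (size_t i = 0; i < n; i++)
        if (strcmp(stubs[i].name, name) == 0) { *out = stubs[i]; return 1; }
    return 0;
}

/* The GOT word a named stub jumps through: the writable target of a GOT
   overwrite. Returns 0 if there is no stub of that name. */
uint32_t got_slot_for(const char *name) {
    struct plt_stub s;
    return find_stub(name, &s) ? s.got_slot : 0;
}

uint32_t resolver_for(const char *name) {
    struct plt_stub s;
    return find_stub(name, &s) ? s.resolver : 0;
}

/* Cross-check the listing against the lazy-binding layout: PLT0 pushes GOT+4
   and jumps through GOT+8; stub i jumps through GOT+12+4*i, pushes relocation
   index i and falls back to PLT0. Returns 1 if everything lines up. */
int plt_consistent(void) {
    struct plt_stub stubs[8];
    size_t n = decode_plt(stubs, 8);
    if (n == 0 || plt_bytes[0] != 0xff || plt_bytes[1] != 0x35) return 0;
    uint32_t got = rd32(plt_bytes + 2) - 4;
    if (plt_bytes[6] != 0xff || plt_bytes[7] != 0x25 || rd32(plt_bytes + 8) != got + 8) return 0;
    for (size_t i = 0; i < n; i++) {
        if (stubs[i].got_slot != got + 12 + 4 * (uint32_t)i) return 0;
        if (stubs[i].reloc_idx != i || stubs[i].resolver != PLT_BASE) return 0;
    }
    return 1;
}

int main(void) {
    struct plt_stub stubs[8];
    size_t n = decode_plt(stubs, 8);
    printf("%-18s %-10s %-10s %-4s %s\n", "stub", "addr", "GOT slot", "rel#", "resolver");
    for (size_t i = 0; i < n; i++)
        printf("%-18s 0x%08x 0x%08x %-4u 0x%08x\n", stubs[i].name, stubs[i].addr,
               stubs[i].got_slot, stubs[i].reloc_idx, stubs[i].resolver);
    printf("lazy-binding layout consistent: %s\n", plt_consistent() ? "yes" : "no");
    return 0;
}
```

The consistency check is worth running on any listing before building an exploit around it: the push operands are byte offsets into .rel.plt (8 bytes per Elf32_Rel, hence 0x0, 0x8, 0x10, ...), and the GOT words are consecutive 4-byte slots starting at GOT+12, so an off-by-one in reading the listing shows up immediately as a mismatch rather than as a silently wrong overwrite target.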
