Format String Overflow: 50% complete

I am now halfway through the rather long chapter on format string overflow. It is interesting how many little-known uses this technique has. Usually we tend to overwrite a pointer in the GOT or in the .dtors section in order to run a shellcode. On older distributions you could also alter the .plt section, or the point at which the _fini() function was mapped. Today, however, the latter two areas are mapped in the executable but are not writable (just list them with readelf to notice); any attempt to write to them causes a crash.

Fortunately there are still many distributions (Slackware, Debian and Ubuntu, just to name a few) that allow a shellcode to be copied into writable areas (so, in principle, not executable ones) which, once reached through the GOT (or through any other "pointer"), still let the shellcode run. Things get considerably more complicated on distributions that use Exec Shield or something functionally similar (Fedora / RHEL, hardened distros or those with grsecurity). Exploitation becomes very difficult, but not impossible.

Not to mention applications built with FORTIFY_SOURCE. This is a beautiful beast that makes it impossible to use the "%n" operator in writable memory areas, but I will perhaps cover that in another post on the blog, soon.
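The readelf check mentioned above, as an added example that is not from the original post: a small parser that reads the ELF section headers directly and reports which of the classic pointer-table and finalizer sections are mapped writable, so you can audit a binary without trusting readelf's output formatting. The section names in TARGETS are the ones named in the post plus the ordinary data areas.

```python
import struct
import sys

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4

# Sections a %n write classically aims at (pointer tables, destructor and
# finalizer hooks) plus the ordinary writable data areas a shellcode could be copied into.
TARGETS = (".got", ".got.plt", ".plt", ".dtors", ".fini_array", ".fini", ".data", ".bss")


def elf_section_flags(data: bytes) -> dict:
    """Parse the section header table of a raw ELF image (32- or 64-bit,
    either byte order) and return {section_name: sh_flags}."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:                                  # ELFCLASS64
        (shoff,) = struct.unpack_from(endian + "Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from(endian + "HHH", data, 0x3A)
        sh_fmt = endian + "IIQQQQIIQQ"                # Elf64_Shdr layout
    else:                                             # ELFCLASS32
        (shoff,) = struct.unpack_from(endian + "I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from(endian + "HHH", data, 0x2E)
        sh_fmt = endian + "IIIIIIIIII"                # Elf32_Shdr layout
    if shnum == 0:                                    # section headers stripped
        return {}
    hdrs = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    # Field order in both layouts: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
    strtab_off, strtab_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    names = data[strtab_off:strtab_off + strtab_size]
    flags = {}
    for h in hdrs:
        end = names.index(b"\0", h[0])
        flags[names[h[0]:end].decode("ascii", "replace")] = h[2]
    return flags


def writable_targets(flags: dict) -> list:
    """Return the TARGETS sections present in the image that are both loaded
    (SHF_ALLOC) and writable (SHF_WRITE), i.e. where a %n write would not crash."""
    return [s for s in TARGETS
            if s in flags and flags[s] & SHF_ALLOC and flags[s] & SHF_WRITE]


def audit(path: str) -> list:
    with open(path, "rb") as f:
        return writable_targets(elf_section_flags(f.read()))


if __name__ == "__main__":
    for p in sys.argv[1:] or [sys.executable]:
        print(p, "writable targets:", audit(p) or "none")
```

On a current toolchain you should see .got.plt, .data and .bss (and .fini_array on non-RELRO builds) reported, while .plt and .fini are absent from the list because they are mapped read-only.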