4.1 KiB
AWS2Exec - .dtors & .fini_array
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
.dtors
{% hint style="danger" %} Nowadays is very weird to find a binary with a .dtors section. {% endhint %}
The destructors are functions that are executed before program finishes (after the main
function returns).
The addresses to these functions are stored inside the .dtors
section of the binary and therefore, if you manage to write the address to a shellcode in __DTOR_END__
, that will be executed before the programs ends.
Get the address of this section with:
objdump -s -j .dtors /exec
rabin -s /exec | grep “__DTOR”
Usually you will find the DTOR markers between the values ffffffff
and 00000000
. So if you just see those values, it means that there isn't any function registered. So overwrite the 00000000
with the address to the shellcode to execute it.
{% hint style="warning" %} Ofc, you first need to find a place to store the shellcode in order to later call it. {% endhint %}
.fini_array
Essentially this is a structure with functions that will be called before the program finishes, like .dtors
. This is interesting if you can call your shellcode just jumping to an address, or in cases where you need to go back to main
again to exploit the vulnerability a second time.
objdump -s -j .fini_array ./greeting
./greeting: file format elf32-i386
Contents of section .fini_array:
8049934 a0850408
#Put your address in 0x8049934
Note that this won't create an eternal loop because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to have 1 more execution of the vuln.
{% hint style="danger" %}
Note that with Full RELRO, the section .fini_array
is made read-only.
{% endhint %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.