hacktricks/binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md
2024-04-06 16:25:58 +00:00

WWW2Exec - atexit()

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

__atexit Structures

{% hint style="danger" %} Nowadays it is very unusual to exploit this. {% endhint %}

`atexit()` is a function that takes other functions as parameters. These functions are executed when `exit()` is called or when `main` returns.
If you can modify the address of any of these functions to point to shellcode, for example, you gain control of the process, but this is currently more complicated.
Currently the addresses of the functions to be executed are hidden behind several structures, and the values finally stored are not the addresses of the functions themselves: they are encrypted with XOR and displacements using a random key. So this attack vector is currently not very useful, at least on x86 and x86_64.
The encryption function is `PTR_MANGLE`. Other architectures such as m68k, mips32, mips64, aarch64, arm, hppa... do not implement the encryption function, because it returns the same value it received as input. So these architectures would be attackable by this vector.
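
Why the encoding protects a handler slot, as an added example (not code from the original page or from glibc): it models the x86_64 form of `PTR_MANGLE`, an XOR with the per-process pointer guard followed by a left rotation of 0x11 bits. The guard and handler address are constructed values, and `call_target_for_raw_write` is a hypothetical helper name.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* 64-bit rotate helpers (n must be in 1..63). */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Model of the x86_64 scheme: XOR with the pointer guard, then rotate left by 0x11. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)
{
    return rol64(ptr ^ guard, 0x11);
}

/* Inverse applied before a stored handler is called: rotate right, then XOR. */
uint64_t ptr_demangle(uint64_t enc, uint64_t guard)
{
    return ror64(enc, 0x11) ^ guard;
}

/* Hypothetical helper: the address the process would jump to if a raw,
 * unmangled address were written into a handler slot. */
uint64_t call_target_for_raw_write(uint64_t raw, uint64_t guard)
{
    return ptr_demangle(raw, guard);
}

int main(void)
{
    /* Constructed values: the real guard is random per process. */
    uint64_t guard   = 0x1122334455667788ULL;
    uint64_t handler = 0x0000555555555189ULL;

    uint64_t stored = ptr_mangle(handler, guard);
    printf("handler address      : 0x%016" PRIx64 "\n", handler);
    printf("value kept in slot   : 0x%016" PRIx64 "\n", stored);
    printf("demangled at exit    : 0x%016" PRIx64 "\n", ptr_demangle(stored, guard));
    /* Without the guard, a raw address in the slot decodes to an unrelated value. */
    printf("raw write decodes to : 0x%016" PRIx64 "\n",
           call_target_for_raw_write(handler, guard));
    return 0;
}
```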

You can find an in-depth explanation of how this works at https://m101.github.io/binholic/2017/05/20/notes-on-abusing-exit-handlers.html