Atexit Exploitation Guide

This skill helps you exploit arbitrary write vulnerabilities by hijacking exit handlers to achieve code execution when a program terminates via

return

or

exit()

.

When to Use This Skill

Use this skill when:

• You have an arbitrary write primitive and need code execution
• The target program exits via

  return

  or

  exit()

  (not

  _exit()

  )
• You're analyzing binaries for atexit-based vulnerabilities
• You need to understand PTR_MANGLE/PTR_DEMANGLE pointer obfuscation
• You're working with link_map, TLS dtor_list, or exit_function_list structures

Core Concepts

Exit Handler Execution Flow

When a program exits via

return

or

exit()

:

1. __run_exit_handlers()

   is called
2. TLS destructors are executed via

   __call_tls_dtors()

3. atexit/on_exit registered functions are called
4. DT_FINI_ARRAY destructors are executed

Critical: If the program exits via

_exit()

syscall, exit handlers are NOT executed. Always verify with a breakpoint on

__run_exit_handlers()

.

Pointer Mangling (x86/x64)

On x86/x64, function pointers in exit handlers are obfuscated:

• XORed with a random

  PTR_MANGLE

  cookie
• Rotated 17 bits right

mov    rax, QWORD PTR [rbx]      ; load mangled ptr
ror    rax, 0x11                 ; rotate right 17 bits
xor    rax, QWORD PTR fs:0x30    ; XOR with PTR_MANGLE cookie

Other architectures (m68k, mips32, mips64, aarch64, arm, hppa) do NOT implement mangling - the pointer is used as-is.

Exploitation Techniques

Technique 1: link_map DT_FINI_ARRAY Overwrite

The

link_map

structure contains

l_info[DT_FINI_ARRAY]

which points to an array of destructor functions.

Attack vectors:

1. Fake fini_array: Overwrite

   l_info[DT_FINI_ARRAY]

   to point to a fake

   Elf64_Dyn

   structure in controlled memory (e.g.,

   .bss

   )
   • The fake structure's

     d_un.d_ptr

     should point to your one_gadget address
   • Account for

     map->l_addr

     offset in calculations

2. Stack pointer overwrite: ld.so leaves a pointer to

   link_map

   on the stack. Overwrite it to point to a fake fini_array containing your one_gadget.

Structure layout:

struct Elf64_Dyn {
    Elf64_Sxval d_tag;  // DT_FINI_ARRAY = 0x1e
    union {
        Elf64_Xword d_val;  // function address (one_gadget)
        Elf64_Addr d_ptr;   // offset from l_addr
    } d_un;
};

Technique 2: TLS dtor_list Overwrite

The

tls_dtor_list

is a linked list of destructor functions stored near the stack canary.

Structure:

struct dtor_list {
    dtor_func func;      // function pointer (mangled)
    void *obj;           // argument to function
    struct link_map *map;
    struct dtor_list *next;
};

Exploitation steps:

1. Overflow to overwrite the PTR_MANGLE cookie with 0x00 (bypasses XOR)
2. Overwrite the stack canary
3. Chain multiple dtor_list entries with your function addresses
4. Account for 17-bit rotation when calculating mangled pointers

Mangled pointer calculation:

def mangle_ptr(addr, cookie):
    # Rotate right 17 bits, then XOR with cookie
    rotated = ((addr >> 17) | (addr << (64 - 17))) & 0xffffffffffffffff
    return rotated ^ cookie

def demangle_ptr(mangled, cookie):
    # XOR with cookie, then rotate left 17 bits
    xored = mangled ^ cookie
    return ((xored << 17) | (xored >> (64 - 17))) & 0xffffffffffffffff

Technique 3: exit_function_list Overwrite

The

initial

structure contains an array of exit functions with different flavors:

struct exit_function {
    enum exit_function_flavor flavor;
    union {
        void (*at) (void);           // ef_at
        void (*on) (int, void *);    // ef_on (with arg)
        void (*cxa) (void *, int);   // ef_cxa (with arg)
    } func;
};

Flavors:

• ef_at

  : atexit() registered function, no arguments

• ef_on

  : on_exit() registered function, takes (status, arg)

• ef_cxa

  : C++ destructor, takes (arg, status)

Exploitation:

1. Leak or erase the PTR_MANGLE cookie
2. Overwrite a

   cxa

   or

   on

   entry with

   system

   and

   /bin/sh

   as argument
3. The function will be demangled and called during exit

Practical Workflow

Step 1: Verify Exit Handler Execution

# Set breakpoint on exit handler
break __run_exit_handlers
# Run program and verify breakpoint is hit
run

If breakpoint is NOT hit, the program uses

_exit()

and these techniques won't work.

Step 2: Locate Target Structures

# Find link_map (usually in ld.so)
info proc mappings | grep ld.so
# Find TLS dtor_list
gef> tls
# Find initial structure
gef> p initial

Step 3: Calculate Mangled Pointers

Use the

calculate_mangled_pointer.py

script (see scripts/) to compute the correct mangled values for your target addresses.

Step 4: Craft the Exploit

1. For link_map: Create fake Elf64_Dyn structure with one_gadget
2. For TLS: Chain dtor_list entries with mangled function pointers
3. For exit_function_list: Overwrite flavor and function pointer fields

Step 5: Trigger Exit

Ensure the program exits via

return

or

exit()

, not

_exit()

or

abort()

.

Architecture Considerations

Architecture	PTR_MANGLE	Exploitation Difficulty
x86/x64	Yes	Harder (need cookie)
aarch64	No	Easier (direct ptr)
arm	No	Easier (direct ptr)
mips32/64	No	Easier (direct ptr)
m68k	No	Easier (direct ptr)
hppa	No	Easier (direct ptr)

Common Pitfalls

1. Program uses _exit(): Exit handlers won't run. Check with GDB breakpoint.
2. Wrong mangling calculation: Remember 17-bit rotation + XOR, not just XOR.
3. ASLR: Need to leak libc base to calculate one_gadget addresses.
4. Stack canary: TLS technique requires overwriting canary first.
5. Architecture mismatch: Mangling only applies to x86/x64.

References

• Notes on Abusing Exit Handlers
• Code Execution on Last libc
• DanteCTF 2023 - Sentence To Hell
• Angstrom CTF 2021 - Wallstreet

Scripts

See

scripts/

directory for helper tools:

• calculate_mangled_pointer.py

  - Compute mangled/demangled pointers

• generate_fake_structures.py

  - Create fake Elf64_Dyn and dtor_list structures

• find_exit_handlers.py

  - Analyze binaries for exit handler vulnerabilities