Vulnerability Development mailing list archives
Re: Solaris sparc newbie exploit coding misc questions
From: backblue <backblue () tvtel pt>
Date: Thu, 13 Oct 2005 18:31:07 +0100
I think the Solaris kernel has a non-exec stack by default, do you have that disabled? You can disable it, at least in Solaris 9 you could. Padding is just taking the offset to the left or to the right in memory to exactly match your shellcode. BTW, try doing that with return into libc, I think it's easier than that.

ework0 wrote:
> Hello,
>
> I have gathered some misc questions about designing buffer overflow PoCs for the Solaris SPARC architecture:
>
> 1. Basically, what is the stack address? How can it be the same among different processes? Is the stack base addr not related to memory locations? How can I get the stack base address? On Solaris 10 SPARC, running this code:
>
>     #include <stdio.h>
>
>     unsigned long get_sp(void)
>     {
>         __asm__("or %sp,%sp,%i0");
>     }
>
>     int main()
>     {
>         long i;
>         i = get_sp();
>         printf("0x%x \n", i);
>     }
>
> returns 0xffffffff. What's missing?
>
> 2. Shellcode on Solaris SPARC: some documentation says we should always include setreuid() because /bin/sh always checks for this, but I have seen some exploit code with a simple /bin/sh execve call.
>
> 3. What exactly does the term 'padding' mean in exploit coding? My English is very basic and the translation into my language doesn't help much.
>
> I think that is more than enough; thanks for your kind help with any of these questions.
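A defender's check for the non-executable stack setting backblue refers to, added here as an example and not part of the original thread: it reads the effective value of the Solaris `noexec_user_stack` tunable out of an /etc/system file, honouring `*` comments and "last set wins". The tunable name is Solaris's own; the two sample files are constructed for the demonstration.

```shell
# Return the effective value of a /etc/system tunable, or "unset" when the
# file never sets it.  Solaris comments start with '*'; the last 'set' wins.
system_tunable() {
    file=$1; name=$2
    val=$(sed 's/\*.*$//' "$file" \
        | sed -n "s/^[[:space:]]*set[[:space:]]\{1,\}${name}[[:space:]]*=[[:space:]]*\([0-9]\{1,\}\).*/\1/p" \
        | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# Classify the non-executable user stack setting of a /etc/system file:
# "enforced" (set to 1), "disabled" (explicitly 0) or "default" (not set).
noexec_stack_status() {
    case $(system_tunable "$1" noexec_user_stack) in
        unset) echo default ;;
        0)     echo disabled ;;
        *)     echo enforced ;;
    esac
}

# Constructed sample /etc/system (not taken from any real host): logging is
# on, one enabling line is commented out, and a later line turns the
# protection off again, which is the state an auditor wants to catch.
SAMPLE_DISABLED=$(mktemp)
cat > "$SAMPLE_DISABLED" <<'EOF'
* /etc/system -- constructed example
set noexec_user_stack_log = 1
* set noexec_user_stack=1     (commented out, must not count)
set noexec_user_stack=1
set noexec_user_stack = 0     * later line wins
EOF

# Constructed sample with no stack tunables at all.
SAMPLE_DEFAULT=$(mktemp)
printf '* /etc/system -- constructed example\nset maxusers = 64\n' > "$SAMPLE_DEFAULT"

echo "disabled sample: $(noexec_stack_status "$SAMPLE_DISABLED")"   # disabled
echo "default sample:  $(noexec_stack_status "$SAMPLE_DEFAULT")"    # default
```

Note that `noexec_user_stack_log` is deliberately not matched when asking for `noexec_user_stack`, so a host that only enabled logging is not reported as protected.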
Current thread:
- Solaris sparc newbie exploit coding misc questions ework0 (Oct 13)
- Re: Solaris sparc newbie exploit coding misc questions Valdis . Kletnieks (Oct 17)
- Re: Solaris sparc newbie exploit coding misc questions backblue (Oct 17)
- <Possible follow-ups>
- Re: Solaris sparc newbie exploit coding misc questions Marco Ivaldi (Oct 17)