|Main problem: Where is the start address of the
buffer? This must be known in advance so that the saved
copy of %i7 (the return address) can be overwritten accordingly.
|Even minimal variations (different C compiler, different
compilation options, different libraries, different
release of the operating system) cause this address
|The nop instructions (no operation)
increase the probability that we hit our malicious
|Next problem: How to address memory relative to the
location of the code? Solution: after a call
instruction, %o7 holds the address of that call instruction,
so everything else can be addressed relative to it.
|Hint: The SPARC processor is a three-address machine:
the two source operands are specified first and are
followed by the destination.
|Afterwards, we prepare the exec system call:
%o0 is the first parameter which points to
the path of the binary we want to execute. In
this example: ``/bin/sh''.
|The second parameter in %o1 points to the vector argv
which consists of ``/bin/sh'', ``-c'', and the command we
want to execute.
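As an added example (not part of the original notes), here is a defender-side check tied to the nop sled described above: a Python scanner that looks for long runs of the canonical SPARC nop word (0x01000000, i.e. sethi 0, %g0) in a captured buffer, trying every byte alignment because the sled may start anywhere in the data. The sample buffers are constructed and the run-length threshold is an assumption.

```python
import struct

# Canonical SPARC `nop`, encoded as sethi 0, %g0; SPARC is big-endian.
SPARC_NOP = 0x01000000

def longest_nop_run(data: bytes) -> tuple[int, int]:
    """Return (byte_offset, run_length) of the longest run of consecutive
    SPARC nop words in `data`. All four byte alignments are tried because
    a sled embedded in captured input need not be 4-byte aligned."""
    best_off, best_len = 0, 0
    for align in range(4):
        cur_off, cur_len = 0, 0
        for off in range(align, len(data) - 3, 4):
            (word,) = struct.unpack(">I", data[off:off + 4])
            if word == SPARC_NOP:
                if cur_len == 0:
                    cur_off = off
                cur_len += 1
                if cur_len > best_len:
                    best_off, best_len = cur_off, cur_len
            else:
                cur_len = 0  # run broken by a non-nop word
    return best_off, best_len

def looks_like_nop_sled(data: bytes, threshold: int = 16) -> bool:
    """Heuristic: compilers emit isolated nops (e.g. in delay slots), but a
    run of `threshold` or more is characteristic of a sled. Threshold is an
    assumed value; tune it for the traffic you inspect."""
    return longest_nop_run(data)[1] >= threshold

# Constructed sample: 3 junk bytes, 32 nop words, then an arbitrary non-nop word.
SAMPLE_SLED = b"ABC" + b"\x01\x00\x00\x00" * 32 + b"\xde\xad\xbe\xef"
# Constructed benign sample: single nops scattered between other words.
SAMPLE_BENIGN = b"\x01\x00\x00\x00\xde\xad\xbe\xef" * 6

if __name__ == "__main__":
    print(longest_nop_run(SAMPLE_SLED), looks_like_nop_sled(SAMPLE_SLED))
    print(longest_nop_run(SAMPLE_BENIGN), looks_like_nop_sled(SAMPLE_BENIGN))
```

Only the canonical nop encoding is matched, so treat a hit as one signal to correlate with others (oversized input, unusual return paths), not as proof on its own.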