Main problem: Where is the start address of the buffer? This must be known in advance so that the saved copy of %i7 (the return address) can be overwritten with it.
Minimal variations (a different C compiler, different compilation options, different libraries, a different release of the operating system) cause this address to change.
The nop operations (no operation) increase the probability that the overwritten return address lands in our malicious code, since any address inside the run of nops leads to it.
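Such a run of nops is also what an input filter or IDS can look for. The following defender-side check is an added example and is not part of the original lecture notes; it assumes the SPARC nop is encoded as the instruction word 0x01000000 (sethi 0, %g0) and that the payload is scanned at every byte alignment, since the sled need not start on a word boundary of the observed data.

```python
# Added example: find runs of SPARC nop instructions in an input buffer.
# SPARC instructions are 32-bit big-endian words; nop == sethi 0, %g0 == 0x01000000.
SPARC_NOP = b"\x01\x00\x00\x00"


def find_nop_sleds(data: bytes, min_instructions: int = 16) -> list[tuple[int, int]]:
    """Return (byte_offset, instruction_count) for every run of at least
    min_instructions consecutive nops, checked at all four byte alignments."""
    sleds = []
    for align in range(4):
        start = None
        count = 0
        for i in range(align, len(data) - 3, 4):
            if data[i:i + 4] == SPARC_NOP:
                if count == 0:
                    start = i
                count += 1
            else:
                if count >= min_instructions:
                    sleds.append((start, count))
                count = 0
        if count >= min_instructions:  # run reaches the end of the buffer
            sleds.append((start, count))
    return sorted(sleds)


def longest_nop_run(data: bytes) -> int:
    """Length in instructions of the longest nop run (0 if there is none)."""
    runs = find_nop_sleds(data, min_instructions=1)
    return max((count for _, count in runs), default=0)


def looks_like_nop_sled(data: bytes, threshold: int = 16) -> bool:
    """Heuristic: a long run of identical nop words is rare in ordinary input.
    The threshold is a tuning knob; legitimate SPARC code contains short nop runs."""
    return longest_nop_run(data) >= threshold


if __name__ == "__main__":
    # Constructed sample: a short text prefix, 32 nops at an odd alignment, then filler.
    sample = b"GET /" + SPARC_NOP * 32 + b"XXXX"
    print(find_nop_sleds(sample))        # [(5, 32)]
    print(looks_like_nop_sled(sample))   # True
    print(looks_like_nop_sled(b"hello")) # False
```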
Next problem: How to address data relative to the location of the code? Solution: after a call instruction executes, %o7 holds the address of that call instruction, so it serves as a base for relative addressing.
Hint: The SPARC processor is a three-address machine: the two source operands are specified first, followed by the destination.
Afterwards, we prepare the exec system call: %o0 holds the first parameter, a pointer to the path of the binary we want to execute, in this example "/bin/sh".

The second parameter, in %o1, points to the argument vector argv[], which consists of "/bin/sh", "-c", and the command we want to execute.