Re: Solaris sparc newbie exploit coding misc questions

[backblue <backblue () tvtel pt>]

ework0 wrote:

> Hello,
>
> I gather together some misc questions about designing buffer overflows 
> PoC's for the solaris sparc architecture:
>
> 1. Basically, what is the stack address? how can be the same among 
> different process? stack base addr is not related to memory locations? 
> How can I get the stack base address? On solaris 10 sparc, running 
> this code:
>
> #include <stdio.h>
>
> unsigned long get_sp(void){
>        __asm__("or %sp,%sp,%i0");
> }
>
>
> int main()
> {
>        long i;
>        i = get_sp();
>        printf("0x%x \n",i);
>       }
>
> Return: 0xffffffff
>
> What's missing?
>
> 2. Shellcode on Solaris sparc: In some documentation, it says we 
> always should include setreuid() because /bin/sh always check for 
> this, but, i have seen some exploit code with a simple /bin/sh execve 
> call.
>
> 3. What is exactly the term 'padding' in exploit coding? My english is 
> very basic and the translation to my language doesnt help much.
>
> I think that is more than enough, thanks for your kind help to any of 
> these questions,
I think solaris kernel have non-exec stack by default, do you have that 
disable? you can disable it, at least in solaris9 you could.
padding it's just take offset to left or to right in memory to exacly 
math your shellcode, btw try doing that with return into libc, i think 
it's easyer than that.