Vulnerability Development mailing list archives

Re: Solaris sparc newbie exploit coding misc questions


From: Valdis.Kletnieks () vt edu
Date: Fri, 14 Oct 2005 15:40:34 -0400

On Wed, 12 Oct 2005 13:36:46 MDT, ework0 said:

> 2. Shellcode on Solaris sparc: In some documentation, it says we should
> always include setreuid() because /bin/sh always checks for this, but I
> have seen some exploit code with a simple /bin/sh execve call.

Not all /bin/sh bother checking.  If you're low on space to fit an exploit,
the setreuid() call *may* be one you can trim out and save some bytes.  It's
system-dependent anyhow, and if you don't know how to check if you need it on
the system you're targeting with the exploit, you don't have any business trying
to write an exploit. ;)

> 3. What exactly does the term 'padding' mean in exploit coding? My English is
> very basic and the translation to my language doesn't help much.

Let's say you're shipping something valuable that's 30cm wide, and your box is
35cm wide.  So you put 5cm of something nice and soft (padding) around the
valuable so there's no wasted space.

Similarly, if you have an 87-byte long exploit, and you also need to overlay
something that's 96 bytes away in memory (a pointer, perhaps), you will need
to stick in 9 bytes that don't do anything except keep the thing that needs
to be 96 bytes away from crowding right up against that 87-byte exploit and
ending up 9 bytes too low in memory....

> I think that is more than enough, thanks for your kind help with any of
> these questions,
