Being Awesome Pt. 11

No, this is really a comparison of stack space between Solaris 10 and Solaris 8, at least on the machines in question.

Solaris 10 box:
Without the one-million-byte argv[1]:
0xffbfe000 0xffbfffff 0x2000 0 -s--rwx
With it:
0xffb0a000 0xffbfffff 0xf6000 0 -s--rwx

Solaris 8 box:
Without:
0xffbee000 0xffbeffff 0x2000 0 -s--rwx
With:
0xffaf8000 0xffbeffff 0xf8000 0xffffe000 -s--rwx

Actually what happens is:
TOP OF STACK
-----------
init stuffz??
HUGE
STRING
ARGV[1]
Program stuffz..
-------------
So it's actually better to aim near the top of the stack, just a bit lower than the very top,
something like 0xffbee008.

But how does argv[1] get mapped? Beats me. I think I can just go with the flow on this one, and the shellcode NOP sled will be right where it should be.

(gdb) r
Starting program: /home/bazz/blade72/w_32
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x00010ec8 in main ()
(gdb) info proc map
process 2222 flags:
PR_STOPPED Process (LWP) is stopped
PR_ISTOP Stopped on an event of interest
PR_RLC Run-on-last-close is in effect
PR_MSACCT Microstate accounting enabled
PR_PCOMPAT Micro-state accounting inherited on fork
PR_FAULTED : Incurred a traced hardware fault FLTBPT: Breakpoint trap

Mapped address spaces:

        Start Addr   End Addr       Size     Offset   Flags
           0x10000    0x13fff     0x4000          0 ----r-x
           0x22000    0x23fff     0x2000     0x2000 ----rwx
           0x24000    0x2ffff     0xc000          0 --b-rwx
        0xff280000 0xff357fff    0xd8000          0 ----r-x
        0xff368000 0xff36ffff     0x8000    0xd8000 ----rwx
        0xff370000 0xff371fff     0x2000          0 ----rwx
        0xff3a0000 0xff3a5fff     0x6000          0 ----rwx
        0xff3b0000 0xff3ddfff    0x2e000          0 ----r-x
        0xff3ee000 0xff3effff     0x2000    0x2e000 ----rwx
        0xff3f0000 0xff3f1fff     0x2000          0 ----rwx
        0xffbfe000 0xffbfffff     0x2000          0 -s--rwx

(gdb) r `perl -e 'print "A"x1000000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/bazz/blade72/w_32 `perl -e 'print "A"x1000000'`
(no debugging symbols found)
warning: Temporarily disabling breakpoints for unloaded shared library "/usr/lib/ld.so.1"
(no debugging symbols found)
(no debugging symbols found)

Breakpoint 1, 0x00010ec8 in main ()
(gdb) info proc map
process 2223 flags:
PR_STOPPED Process (LWP) is stopped
PR_ISTOP Stopped on an event of interest
PR_RLC Run-on-last-close is in effect
PR_MSACCT Microstate accounting enabled
PR_PCOMPAT Micro-state accounting inherited on fork
PR_FAULTED : Incurred a traced hardware fault FLTBPT: Breakpoint trap

Mapped address spaces:

        Start Addr   End Addr       Size     Offset   Flags
           0x10000    0x13fff     0x4000          0 ----r-x
           0x22000    0x23fff     0x2000     0x2000 ----rwx
           0x24000    0x2ffff     0xc000          0 --b-rwx
        0xff280000 0xff357fff    0xd8000          0 ----r-x
        0xff368000 0xff36ffff     0x8000    0xd8000 ----rwx
        0xff370000 0xff371fff     0x2000          0 ----rwx
        0xff3a0000 0xff3a5fff     0x6000          0 ----rwx
        0xff3b0000 0xff3ddfff    0x2e000          0 ----r-x
        0xff3ee000 0xff3effff     0x2000    0x2e000 ----rwx
        0xff3f0000 0xff3f1fff     0x2000          0 ----rwx
        0xffb0a000 0xffbfffff    0xf6000          0 -s--rwx

(gdb)
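As an added example (not the post author's code), here is a small parser for the gdb "info proc map" rows quoted above that picks out the stack mapping and compares two dumps, so the "with" versus "without" growth and the Solaris 8 versus Solaris 10 stack top can be read off mechanically. The sample rows are copied from this post's output; the flag reading (column 1 's' = MA_STACK, column 2 'b' = MA_BREAK) is how gdb's procfs backend prints the flag string.

```python
import re
from typing import NamedTuple

# Constructed inputs: stack rows copied from the Solaris 10 / Solaris 8 dumps quoted above.
SOL10_PLAIN = """        Start Addr   End Addr       Size     Offset   Flags
        0xffbfe000 0xffbfffff     0x2000          0 -s--rwx
"""
SOL10_BIGARG = "        0xffb0a000 0xffbfffff    0xf6000          0 -s--rwx\n"
SOL8_PLAIN = "0xffbee000 0xffbeffff 0x2000 0 -s--rwx\n"
SOL8_BIGARG = "0xffaf8000 0xffbeffff 0xf8000 0xffffe000 -s--rwx\n"

# One table row: start, end, size (hex), offset (hex or a bare 0), 7-character flag string.
ROW = re.compile(r"^\s*(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)"
                 r"\s+(0x[0-9a-f]+|\d+)\s+([-sbrwx]{7})\s*$", re.I)

class Mapping(NamedTuple):
    start: int
    end: int      # inclusive, so size == end - start + 1
    size: int
    offset: int
    flags: str

def is_stack(m: Mapping) -> bool:
    # gdb's procfs flag string: column 1 is 's' for MA_STACK, column 2 is 'b' for MA_BREAK (heap).
    return m.flags[1] == "s"

def parse_map(text: str) -> list:
    """Parse the rows of a gdb 'info proc map' table; header lines and gdb chatter are skipped."""
    maps = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        start, end, size, off, flags = m.groups()
        mp = Mapping(int(start, 16), int(end, 16), int(size, 16), int(off, 0), flags)
        if mp.end - mp.start + 1 != mp.size:
            raise ValueError(f"size column disagrees with start/end: {line.strip()}")
        maps.append(mp)
    return maps

def stack_region(maps) -> Mapping:
    stacks = [m for m in maps if is_stack(m)]
    if len(stacks) != 1:
        raise ValueError(f"expected one stack mapping, found {len(stacks)}")
    return stacks[0]

def compare_stack(before: str, after: str):
    """Return (top-of-stack address, growth in bytes, whether the top moved) between two dumps."""
    b, a = stack_region(parse_map(before)), stack_region(parse_map(after))
    return b.end + 1, a.size - b.size, a.end != b.end
```

On both boxes the top of the stack stays put and only the low end moves down by roughly the 1,000,000 bytes of argv[1] rounded to 8 KiB pages; the Solaris 8 stack top sits 0x10000 below the Solaris 10 one.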
