bsd

         

- 3


write libc : write(1,&"*",1). &"*"  "*" . ? ! ! , ASCIIZ- (   , segmentation fault).

// Prologue of the thunk: pushes the arguments for write(1, "*", 1)
// onto the stack, right-to-left as cdecl requires. The pushed
// dword 0x2A itself serves as the one-byte "*" buffer.

/*
 * Prologue of the thunk: builds the cdecl argument list for
 * write(1, "*", 1) on the stack and then falls through into the
 * call in buf_code. Arguments are pushed right-to-left (count, buf, fd).
 * The dword 0x0000002A pushed first doubles as the one-byte buffer:
 * on little-endian x86 its first byte in memory is '*' (0x2A), and
 * ebx is pointed at it.
 *
 * NOTE(review): ebx is callee-saved under the i386 SysV ABI and this
 * thunk never saves or restores it (buf_post only adjusts esp and
 * returns), so a PIC caller that keeps its GOT pointer in ebx is left
 * with a clobbered register - confirm this is acceptable for the way
 * the thunk is reached. eax is caller-saved, so clobbering it is fine.
 */
unsigned char buf_pre[]={ 0x6A,0x2A, /* push 2Ah     ; dword 0x0000002A on the stack, first byte is '*' */

0x8B,0xDC, /* mov ebx,esp  ; ebx -> that dword, i.e. the buf argument */

0x33,0xC0, /* xor eax,eax  ; eax = 0 */

0x40, /* inc eax      ; eax = 1, reused for both fd and count */

0x50, /* push eax     ; count = 1 */

0x53, /* push ebx     ; buf = address of the "*" dword */

0x50 /* push eax     ; fd = 1 (stdout) */

};

// Body of the thunk: the near call to write. Its rel32 displacement is
// zero here and has to be patched before the thunk runs (presumably
// by call_r below - confirm).

unsigned char buf_code[]={0xE8,0x0,0x0,0x0,0x0};

// Epilogue of the thunk: drops write's three arguments and the "*"
// dword from the stack, then returns with ret.

/*
 * Epilogue of the thunk: discards the 16 bytes that buf_pre pushed
 * (three 4-byte arguments plus the "*" dword) and returns to whoever
 * called the thunk. Nothing touches eax after the call, so the caller
 * sees write()'s return value in it.
 */
unsigned char buf_post[]={

0x83,0xC4,0x10,/* add esp,10  ; 0x10 = 16 bytes = the 4 dwords pushed by buf_pre */

0xC3 /* ret */

};

// The complete thunk is the concatenation:
// buf_pre + buf_code + buf_post

unsigned char buf_dst[sizeof(buf_pre)+sizeof(buf_code)+sizeof(buf_post)];

// Fix up the call so it reaches write. call_r is defined elsewhere;
// sizeof(buf_pre) is the offset of the call inside the thunk, and
// "gets" -> "write" presumably names the symbols the displacement is
// computed between - confirm against call_r's definition.

call_r("libc.so.6", "gets", "write", sizeof(buf_pre));

// Assemble the thunk in buf_dst: prologue first; the call and the
// epilogue presumably follow in the same order.

memcpy(buf_dst,buf_pre,sizeof(buf_pre));