return-to-libc exploit : where to provide arguments for system() call? return-to-libc exploit : where to provide arguments for system() call? unix unix

return-to-libc exploit : where to provide arguments for system() call?


security unix calling-convention shellcode

A pointer to the argument should be found immediately above the return address. That is, after the overwrite, your stack should look something like this:

-----------shellcode: /bin/whatever ............\0-----------&shellcode    <-- str is here-----------&system       <-- return address is here-----------previous frame pointer <--- don't corrupt this-----------padding       <-- buffer

Note that this implies you must know what %esp is when you reach strcpy (to avoid corrupting the previous frame pointer). Also, none of the pointers can contain a zero byte.

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last