unsigned long find_sp(void){
__asm__("movl %esp, %eax");
}
int main(int argc,char* argv[]){
char* buff;
int len;
long sp;
len=atoi(argv[1]);
buff=malloc(len);
sp=find_sp();
printf("sp is 0x%x\n",sp);
free(buff);
exit(0);
One of the most difficult tasks you face when trying to execute user-supplied shellcode is identifying the starting address of your shellcode. Over the years, many different methods have been contrived to solve this problem. We will cover the most popular method that was pioneered in the paper, "Smashing the Stack."
One way to discover the address of our shellcode is to guess where the shellcode is in memory. We can make a pretty educated guess, because we know that for every program, the stack begins with the same address. If we know what this address is, we can attempt to guess how far from this starting address our shellcode is.
It is fairly easy to write a simple program to tell us the location of the stack pointer (ESP). Once we know the address of ESP, we simply need to guess the distance, or offset, from this address. The offset will be the first instruction in our shellcode.
我的是red hat 9
Kernel 2.4.20-8作者: tyc611 时间: 2007-01-14 00:38