Reply to #34, bobozhang's post
http://www.milw0rm.com/exploits/9479
An exploit on milw0rm contains a comment that supports this view:
/*
** By calling iret after pushing a register into the kernel stack,
** we don't have to go back to the ring3 (user mode) privilege level. Don't worry. :-}
**
** The kernel_code() function will return to its previous status, which means before the sendfile() system call,
** after operating at the ring0 (kernel mode) privilege level.
** This will enhance the viability of the attack code even though each kernel can have different CS and DS addresses.
*/