0x01 Analysis

The analysis of this vulnerability and the setup of a test environment have already been written up in great detail in the articles by k0 on seebug and by mrh on Drops (the original links are given in Appendix A). Standing on the shoulders of giants, I have written down some of my own notes from analysing 7547. The focus of this article is the follow-up step: how to write the exp. Preparing the exp requires working out many things during debugging, including where EIP can be hijacked and how the stack is laid out. Let's go through them one at a time.

1. Finding the vulnerability trigger point

Google provides a POC. Run the POC, then debug it in gdb to trace how the vulnerability is triggered. Based on the trigger process, and after reading the source, we set breakpoints on the following functions:

b _nss_dns_gethostbyname4_r (/opt/glibc-2.20/resolv/nss_dns/dns-host.c)
b __libc_res_nsearch (/opt/glibc-2.20/resolv/res_query.c)
b __libc_res_nquery (/opt/glibc-2.20/resolv/res_query.c)
b __libc_res_nsend (/opt/glibc-2.20/resolv/res_send.c)
b send_vc (/opt/glibc-2.20/resolv/res_send.c)

The path in parentheses is the source location, for easier reading. Stopped in send_vc, we use bt to look at the call stack:

[screenshot]

Everything is fine. finish this function, find the POC window and send the request, then look at the stack segment:

[screenshot]
[screenshot]

In the send_vc source, the main problem appears here:

[screenshot]
[screenshot]

After send_vc ends, stepping with n, execution gets stuck in these few lines of nquery:

[screenshot]

We know that the second transmission of POC data is what causes the overflow, and that Google's verification POC adds 2300 'A' bytes to the data of the second transmission. That is where we will do the real work when preparing the exp later.

[screenshot]

2. Finding a hijackable EIP location

We know that to hijack the program flow we hijack EIP, and hijacking EIP means looking for the ret. So first we have to understand the whole stack layout. We let gethostbyname4_r run up to just past the line that allocates space:

[screenshot]

Print this variable directly:

[screenshot]

This is the starting position of our 2300 'A' bytes; next we look at the overflow:

[screenshot]

This is our top of stack; so where is the return address? As long as we print esp after gethostbyname4_r has allocated these 2048 bytes, we will know.

[screenshot]

The point at the head of the screenshot is the EIP we need to hijack. The stack space known so far is as follows:

[screenshot]

What about the "????" block in the middle? To find out, let's run a test: send fewer than 2048 + 108 = 2156 bytes, so that the ret is not overwritten. Will the program keep running? Modify the POC to send 2150 bytes and run:

[screenshot]

We find that the program does not continue but is interrupted. This shows that the "????" region of the stack still holds parameters that are in use, and filling in this pit will take some time...

Note that the stack addresses in the figures above are from the gdb debugging environment and are not the same as in the real environment, but the stack layout is the same as in the real environment. So we only need to dump a core file in the real environment, find the start address of the stack head, and compute the rest from the difference.

[screenshot]

In the real environment the top of stack is 0xbfffe240, versus 0xbfffe220 under gdb, a difference of 0x20. We continue probing the stack space.

3. Finding out the stack space

We can see it stops at this line:

[screenshot]

Looking at the nquery source we find:

[screenshot]
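As an added example (not code from this article or from glibc): section 1 notes that the overflow is triggered by the second reply, which carries 2300 'A' bytes into the 2048-byte stack buffer. The detector below assumes DNS-over-TCP framing (2-byte big-endian length prefix, RFC 1035 4.2.2) and uses the 2048-byte figure from the article as its threshold; it walks a captured byte stream and flags replies whose declared length exceeds that limit, including a truncated trailing frame. The sample stream is constructed.

```python
import struct

# Threshold from the article: send_vc's stack answer buffer is 2048 bytes,
# and the PoC's second reply carries 2300 filler bytes.
STACK_ANSWER_BUF = 2048

def iter_tcp_dns_messages(stream: bytes):
    """Yield (offset, declared_length, payload) for each length-prefixed DNS
    message in a captured TCP byte stream. A trailing partial frame is
    yielded with payload=None so its declared length can still be checked."""
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        start = off + 2
        if start + length > len(stream):
            yield off, length, None      # frame cut off by the capture
            return
        yield off, length, stream[start:start + length]
        off = start + length

def find_oversized_replies(stream: bytes, limit: int = STACK_ANSWER_BUF):
    """Return [(offset, declared_length)] for every message whose declared
    length exceeds `limit`; a truncated final frame counts if its declared
    length alone already exceeds the limit."""
    return [(off, ln) for off, ln, _ in iter_tcp_dns_messages(stream)
            if ln > limit]

def build_reply(qid: int, filler_len: int) -> bytes:
    """Constructed sample (hypothetical content): a 12-byte DNS header with
    QR=1 followed by `filler_len` bytes of 'A', length-prefixed as on TCP."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    body = header + b"A" * filler_len
    return struct.pack("!H", len(body)) + body

# Constructed stream: one normal-sized reply, then one that would not fit
# in a 2048-byte buffer (12-byte header + 2300 bytes = 2312 declared).
SAMPLE_STREAM = build_reply(0x1234, 100) + build_reply(0x1235, 2300)

if __name__ == "__main__":
    for off, ln in find_oversized_replies(SAMPLE_STREAM):
        print(f"oversized DNS reply at offset {off}: {ln} bytes")
```

Run against a TCP payload reassembled from a pcap, the offsets identify which reply in the connection exceeded the buffer.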