Chimay-Red
How did you know the stack frame size per thread?
I wrote a sample program to test it on my Ubuntu 32-bit, but it seems the size is > 8 MB.
My test code:
#include <pthread.h>
#include <stdio.h>
#include <string.h>

pthread_t thread[2];
pthread_mutex_t mut;

/* Each thread prints the address of one of its locals, i.e. a point inside
 * its own stack; the difference between the two addresses approximates the
 * spacing between the two thread stacks. */
void *thread1(void *arg)
{
    int a;
    (void)arg;
    printf("thread1 %p\n", (void *)&a);
    return NULL;
}

void *thread2(void *arg)
{
    int a;
    (void)arg;
    printf("thread2 %p\n", (void *)&a);
    return NULL;
}

void thread_create(void)
{
    int temp;
    memset(&thread, 0, sizeof(thread)); /* zeroed handles let thread_wait tell which threads exist */
    /* create the threads */
    if ((temp = pthread_create(&thread[0], NULL, thread1, NULL)) != 0)
        printf("thread 1 creation failed!\n");
    else
        printf("thread 1 created\n");
    if ((temp = pthread_create(&thread[1], NULL, thread2, NULL)) != 0)
        printf("thread 2 creation failed\n");
    else
        printf("thread 2 created\n");
}

void thread_wait(void)
{
    /* wait for the threads to finish */
    if (thread[0] != 0) {
        pthread_join(thread[0], NULL);
        printf("thread 1 has finished\n");
    }
    if (thread[1] != 0) {
        pthread_join(thread[1], NULL);
        printf("thread 2 has finished\n");
    }
}

int main(void)
{
    /* initialise the mutex with default attributes */
    pthread_mutex_init(&mut, NULL);
    printf("I am main, I'm creating the threads, hehe\n");
    thread_create();
    printf("I am main, I'm waiting for the threads to finish their work, hehe\n");
    thread_wait();
    return 0;
}
I dump the local variable's address.
How did you know the stack frame size per thread in RouterOS 6.38.4?
I did it some months ago. From what I can remember, I just put a breakpoint near the end of the ReadPostData function. Then I opened 2 sockets and I sent a Content-Length of (for example) 500 bytes. Then I sent 100 bytes to socket 1. When the debugger stopped the execution, I resumed it. Then I sent the same 100 bytes to socket 2, and when the debugger stopped the execution I just looked for the 100 bytes I sent inside the stack of thread 1 and thread 2. Then I took the difference of the two addresses where the two 100-byte payloads start.
It would be cool to calculate the stack size from the binary statically, but I think the size is calculated at runtime by the OS.
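The same measurement can be reproduced in-process, without a debugger. The following is an added example, not code from the Chimay-Red repository: two threads each record where a 100-byte local lands in their frame and then park on a rendezvous (the stand-in for the breakpoint, so both stacks are mapped at the same time), and the caller takes the difference of the two addresses. The stack size is passed in through `pthread_attr_setstacksize` as an assumed parameter, since here there is no www binary setting it for us; `measure_stack_distance`, `probe_thread` and `rendezvous_wait` are names chosen for this example.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rendezvous: every participant blocks until `needed` of them have arrived.
 * It plays the role of the debugger breakpoint in the method described above:
 * both worker threads are stopped here together, so both stacks are live while
 * we compare them. */
struct rendezvous {
    pthread_mutex_t lock;
    pthread_cond_t cv;
    int arrived;
    int needed;
};

static void rendezvous_wait(struct rendezvous *r)
{
    pthread_mutex_lock(&r->lock);
    r->arrived++;
    if (r->arrived >= r->needed)
        pthread_cond_broadcast(&r->cv);
    while (r->arrived < r->needed)
        pthread_cond_wait(&r->cv, &r->lock);
    pthread_mutex_unlock(&r->lock);
}

struct probe {
    struct rendezvous *rv;
    uintptr_t local_addr;   /* where `marker` landed in this thread's frame */
};

static void *probe_thread(void *arg)
{
    struct probe *p = arg;
    char marker[100];       /* stands in for the 100-byte body sent on each socket */
    memset(marker, 'A', sizeof marker);
    p->local_addr = (uintptr_t)marker;
    rendezvous_wait(p->rv); /* both threads are "stopped" here at the same time */
    return NULL;
}

/* Spawn two threads whose stacks are `stacksize` bytes (assumed parameter; in
 * www this value comes from the binary) and return the distance between the
 * same local in the two frames. Returns 0 if a thread could not be created. */
uintptr_t measure_stack_distance(size_t stacksize)
{
    struct rendezvous rv = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 0, 3 };
    struct probe probes[2] = { { &rv, 0 }, { &rv, 0 } };
    pthread_attr_t attr;
    pthread_t tid[2];
    int created = 0;

    if (pthread_attr_init(&attr) != 0)
        return 0;
    if (pthread_attr_setstacksize(&attr, stacksize) == 0) {
        for (; created < 2; created++)
            if (pthread_create(&tid[created], &attr, probe_thread, &probes[created]) != 0)
                break;
    }
    pthread_attr_destroy(&attr);

    /* If a create failed, lower the count so a thread that did start is not
     * left blocked forever; main is the last participant either way. */
    if (created < 2) {
        pthread_mutex_lock(&rv.lock);
        rv.needed = created + 1;
        pthread_mutex_unlock(&rv.lock);
    }
    rendezvous_wait(&rv);
    for (int i = 0; i < created; i++)
        pthread_join(tid[i], NULL);
    if (created < 2)
        return 0;

    uintptr_t a = probes[0].local_addr, b = probes[1].local_addr;
    return a > b ? a - b : b - a;
}

int main(void)
{
    size_t sizes[] = { 256 * 1024, 1024 * 1024, 8 * 1024 * 1024 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uintptr_t d = measure_stack_distance(sizes[i]);
        printf("stacksize %8zu -> distance between the two locals %zu bytes\n",
               sizes[i], (size_t)d);
    }
    return 0;
}
```

Two caveats when reading the number: the distance covers the whole mapping of one stack, so it includes the guard page and any gap mmap leaves between the two regions, and is therefore a slight over-estimate of the usable stack rather than the configured size itself. And both threads must be alive at the moment of measurement, which is what the rendezvous enforces: if the first thread is joined before the second is created, glibc can hand the second thread the first one's cached stack and the two addresses coincide.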
This value is set in the main function of the www binary.
Your method is cool, thanks for the help ^_^
Ohh, thank you very much! I didn't notice it. Maybe I'll update the StackClash exploit to read that value.
You are welcome :)