Radare Rocks Shellcode



A small (67-byte) SPARC 32-bit shellcode that calls write(1, "radare rocks!") and then exit().
#include <stdio.h>
/* 

write(1,"radare rocks!"); + _exit()
works on Solaris 2.6

--srm

*/


/*
 * Raw 32-bit SPARC machine code: 18 instructions of 4 bytes each, i.e. 72
 * bytes of code (sizeof rocks is 73 with the NUL the string literal appends).
 * NOTE(review): the page heading says 67 bytes, which does not match the
 * listing below.
 *
 * Behaviour, read off the instruction encodings:
 *   1. %g1 = 4, %o0 = 1, then four words are built in %l0..%l3 and stored
 *      as a 16-byte buffer just below %sp; %o1 points at it, %o2 = 16.
 *   2. "ta 0x8" traps into the kernel: write(1, buf, 16).
 *   3. %g1 = 1, %o0 = 0, "ta 0x8" again: exit(0).
 * Syscall numbers 4 and 1 via trap 8 are the Solaris convention; the author
 * reports testing on Solaris 2.6.
 *
 * The 16 bytes written are "radare rocks!!" followed by 0x00 and 0x0a
 * (two '!' and an embedded NUL, not the single '!' shown in the page text).
 * The payload has no other effect: it is a harmless marker, useful for
 * checking whether injected bytes get executed on a test system.
 */
static char rocks[]  =
          "\x82\x10\x20\x04"       // mov          4, %g1          ! syscall number: write
          "\x90\x10\x20\x01"       // mov          1, %o0          ! fd 1 (stdout)
          "\x21\x1c\x98\x59"       // sethi        %hi(0x72616400), %l0
          "\xa0\x14\x20\x61"       // or           %l0, 0x61, %l0  ! 0x72616461 = "rada"
          "\x23\x1c\x99\x48"       // sethi        %hi(0x72652000), %l1
          "\xa2\x14\x60\x72"       // or           %l1, 0x72, %l1  ! 0x72652072 = "re r"
          "\x25\x1b\xd8\xda"       // sethi        %hi(0x6f636800), %l2
          "\xa4\x14\xa3\x73"       // or           %l2, 0x373, %l2 ! 0x6f636b73 = "ocks"
          "\x27\x08\x48\x40"       // sethi        %hi(0x21210000), %l3
          "\xa6\x14\xe0\x0a"       // or           %l3, 0xa, %l3   ! 0x2121000a = "!!" 0x00 0x0a (the original listing showed the immediate 0xa as the symbol _PROCEDURE_LINKAGE_TABLE_, a disassembler artifact)
          "\x92\x23\xa0\x10"       // sub          %sp, 16, %o1    ! buffer address = %sp - 16
          "\xe0\x3b\xbf\xf0"       // std          %l0, [%sp - 16] ! stores the pair %l0,%l1
          "\xe4\x3b\xbf\xf8"       // std          %l2, [%sp - 8]  ! stores the pair %l2,%l3
          "\x94\x10\x20\x10"       // mov          16, %o2         ! length 16
          "\x91\xd0\x20\x08"       // ta           0x8             ! trap: write(1, %sp - 16, 16)
          "\x82\x10\x20\x01"       // mov          1, %g1          ! syscall number: exit
          "\x90\x10\x20\x00"       // clr          %o0             ! status 0
          "\x91\xd0\x20\x08";      // ta           0x8             ! trap: exit(0)


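/*
 * Test harness: calls into the bytes of rocks[] as if they were a function.
 *
 * This does something useful only on a 32-bit SPARC/Solaris host, and only
 * when the data segment holding rocks[] is mapped executable.  Where data
 * pages are non-executable (NX / W^X policies) the call faults instead of
 * running the payload, which is the purpose of that mitigation.
 * Converting an object pointer to a function pointer is not defined by
 * ISO C; it is relied on here as a platform extension.
 *
 * The payload ends in exit(0), so control is not expected to come back;
 * the explicit return keeps main well-formed if it ever does.
 */
int
main (void)
{
        int (*ret)(void);               /* entry point into the byte array */

        ret = (int (*)(void))rocks;     /* treat the array's address as code */
        (void)ret();                    /* result unused; the original's (int) cast had no effect */

        return 0;
}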
