I added another target, Solaris 11 11/11 11.0 Sun_SSH_2.0 x86, to my PoC and discovered the execve() call has been replaced with a new execvex() that breaks all other shellcodes on 11.0 & up. It's relatively easy to fix, as execvex() now takes a flags argument which can be set to NULL and it will work as before; this breaks all known public x86 shellcodes for Solaris 11, though, so I will have to write a bind shell and put a basic execve() in the PoC to demonstrate.

@hackerfantastic think you can detect which function is appropriate in the shellcode and have a universal payload (so you don't need to know what version you are throwing against a priori)?

@adam unsure, it's just an extra push NULL required; will write some shellcodes for 11 and see if they are backwards compatible. Probably they are, since it just adds an extra var to the stack.
