Summary

This is a project which allows us to run Rust "shellcode" in a MIPS environment on NT 4.0.

TL;DR

Setup NT

Install NT 4.0 MIPS in QEMU using the command you see in qemu/run.sh.

Create disk and run system

qemu-img create –f qcow2 nt4.disk 2G
./qemu/run.sh

Setup system so you can access CD

Run Setup > Initialize system > Set default configuration > (choose your res)
    > Floppy 3.5
    > Second floppy: No
    > SCSI host ID 7

Setup ethernet address so network works in Windows

Run Setup > Initialize system > Set ethernet address
    > Pick an address (MUST BE A UNICAST MAC ADDRESS OR WINDOWS GETS MAD)
    > I used be2d08345673 with great success

Boot partition

You must configure a small boot partition for the bootloader

Go to run program:

cd:\mips\arcinst

A 5 MiB partition will do

Install Windows

cd:\mips\setupldr

Configure time

The time in Windows doesn't persist, set it inside Windows to something reasonable otherwise you'll get weird errors and cl.exe will not work so you won't be able to compile anything.

Use the tool

Deploy server.exe and client.exe to the system, then run server.exe inside QEMU.

Install felfserv to your path cd felfserv && cargo install --path .

Run felfserv (supplies code to guest over network and stdout prints from Rust running in guest) felfserv 0.0.0.0:1234 ./out.felf

Run make to build and deploy to MIPS!

Optionally run cargo watch -- make to get your code to re-deploy and run every time you change the Rust project.

Toolchain

To use this you need to copy the shellcode_client into a MIPS guest build and run server.exe (included without any backdoors).

The server binds to 0.0.0.0:42069 and waits for a TCP connection. Upon a TCP connection the server inside the guest will launch client.exe in the same directory in a new process, which will then connect to the host via 192.168.1.2:1234 to download the payload.

The reason we have client.exe in a separate process is so that we can crash it without problems on the server. This provides a seamless development experience when you use something like cargo watch -- make which will automatically use nc to tickle the server, causing the client to connect to the hosted felfserv which then causes the payload to execute in the guest.

The comms from the guest are sent to the felfserv over the socket that was used to download the shellcode.

Felfserv

felfserv is a server for FELF files. You can find the FELF converter at elfloader. You need to install this to your path as the Makefile invokes elfloader to convert the MIPS ELF into MIPS shellcode in the FELF file format.

felfserv simply runs like felfserv 0.0.0.0:1234 ./out.felf. It will listen to connections on IP and port you specified, and when connected to will serve up the specific felf over a very basic protocol. This is what the client.exe in the guest communicates with to download the Rust shellcode.