Looks like you have a working exploit, my friend. sw $a3, 4($a2) can be effectively used to overwrite $ra in the stack. Then when jr $ra is called it will jump wherever. Also, as you said, you can also create a j destination instruction into $a3 (do not do it with jal, it makes no sense; you're not going to return from your call to the shellcode) and store that instruction into the next one to be executed, effectively jumping to wherever you want as well.
What do you put into $a2 and $a3 to get those exceptions?