Exploit Development

Our latest adventures in firmware exploitation

MIPS Overflow Writer

mips Jun 25, 2020

Once you’ve written a fair share of MIPS buffer overflows, you’ll have a pretty good idea of how the stack is laid out and how the math works to perfectly overwrite the return address.

It becomes less of a learning experience and more of a tedious operation. This same feeling led me to write MOW, the MIPS Overflow Writer.

This Python script requires minimal, easily retrievable arguments to generate MIPS-based buffer overflows and send them to the target. This saves time and prevents you from rewriting the same lines of code over and over.

Installation

The project is Python 3 based and is easily installable with the few commands shown below.

$ git clone https://github.com/fuzzywalls/mow
$ cd mow
$ python3 setup.py install

Class Overview

The next few sections give an overview of the public classes, the arguments they accept, and what they do.

Overflow

This is the main class for generating a MIPS overflow. It will dynamically create class variables that...


The .text Dilemma

mips Jun 23, 2020

Lately I find myself writing a lot of code to exploit MIPS buffer overflows. Each one is different and frustrating in its own little way, but fun nonetheless.

I usually write a small ROP gadget that will call system with a command I pass on the stack, but occasionally I find the perfect function in the .text section that does everything I need.

Typically it’s a leftover debug function that has no path for a user to call, but performs an operation that would be useful.

In the case of this router, it’s named debug and starts an unauthenticated telnetd server.


debug function

In order to execute this function in the world of MIPS exploitation, the return address ($ra) needs to contain 0x0040a168 when jr $ra is executed at the end of the function containing the buffer overflow.

$ra is saved on the stack at the beginning of the function and restored from the stack at the end of the function. We gain control of it by overflowing a buffer on the stack and writing...
