mips environment is simulated by qemu or real device？

[QingyangChen]

your mips environment is simulated by qemu or real device?
If it is simulated by qemu, can you tell me the way?
In addition，when do you release mips rop?

Thanks
(Translated from Google，If I use the wrong words, please forgive me)

[BigNerd95]

I finished the mips exploit yesterday
I used a real device
I think i'll release it today

[QingyangChen]

Great!!!
I learned a lot of skills from the exploit，Thank you very much!

[BigNerd95]

Oh good! You are welcome
On mips the stack is executable so i used a combination of ROP + shellcode.
The mips exploit is a bit more complicated, because there isn't "/bin/sh", so "system" function can't be used and I need to use execve directly.

[BigNerd95]

Look at "sleep 50" ;-)

[QingyangChen]

yeah, I see the result.
I'm very looking forward to this code, and going to learn more skills
I guess we need to locate the address on the stack ;-)

[QingyangChen]

Now my time is 23:00, I'm going to sleep. See you tomorrow ;-)

[BigNerd95]

I guess we need to locate the address on the stack

yes, i made stack pivot

i'm going to release it in a few minutes
good night!

[BigNerd95]

here you are!
StackClashMIPS.py

[QingyangChen]

I'm sorry, I just saw it.

I has something to do and didn't log in to GitHub at the weekend, please forgive me.

Tomorrow is Monday, and I'm going to learn the exploit.

Thank you!

[QingyangChen]

Well done, it's delicious.
I have understood the code, Thank you!

[BigNerd95]

Perfect 🔝

[kiritowch]

How do you put gdb-server into a real MIPS device? Thank you! Is it by repacking?

[BigNerd95]

I have a 0day to write on the filesystem
But i think you can use this as well https://github.com/0ki/mikrotik-tools/tree/master/exploit-backup

[kiritowch]

That's great! I'll try it. Thank you very much.