As soon as we connect to the service we receive a dump of 64-bit CPU registers, followed by a blob of machine code, as you can see:
The registers are the initial CPU state, and we have to reply with the register values that result from executing that code. The whole thing has to be automated because the server socket times out after 10 seconds.
The solution is straightforward: set the CPU registers to the given values, execute the code, and collect the resulting registers.
In Python we created two dictionaries, one for the initial state and one for the final state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the beginning of the code we insert one mov per register to load the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
We then assemble the movs together with the received code as 64-bit, but replace the final ret instruction with an "int 3" so that execution stops with a SIGTRAP.
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
Then we run the binary under GDB until the SIGTRAP and dump the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We parse the registers out of that output, send them back to the server in the same format it used, and get the key.
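The pieces of that procedure that the writeup does by hand (parsing the banner, swapping the trailing ret for int 3, emitting the mov prologue, and reading registers back out of GDB's `info registers` output) are shown below as an added, self-contained example; it is not the writeup's code. It is Python 3 and standard library only, the sample banner and GDB output are constructed here in the shape the writeup's parser expects (the exact wording of the real "bytes:" line is an assumption), and it embeds the raw patched bytes with NASM's `incbin` directive instead of disassembling them with Capstone as the writeup does. Parsing with regular expressions instead of a fixed column index (the writeup's `split(' ')[12]`) makes the register read-back independent of GDB's column alignment.

```python
import re

# Register names the challenge hands out (same set the writeup uses).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# --- constructed sample data; not captured from the real service ---
SAMPLE_STATE = {r: i + 1 for i, r in enumerate(REGS)}           # rax=1, rbx=2, ...
SAMPLE_BANNER = (''.join('%s=0x%016x\n' % (r, v) for r, v in SAMPLE_STATE.items())
                 + 'About to send 4 bytes:\n')                  # assumed wording
SAMPLE_CODE = b'\x48\x01\xd8\xc3'                               # add rax, rbx ; ret
SAMPLE_FINAL = dict(SAMPLE_STATE, rax=SAMPLE_STATE['rax'] + SAMPLE_STATE['rbx'])
SAMPLE_GDB_OUTPUT = (
    'Program received signal SIGTRAP, Trace/breakpoint trap.\n'
    '0x0000000000401050 in ?? ()\n'
    + ''.join('%-15s0x%-18x%d\n' % (r, v, v) for r, v in SAMPLE_FINAL.items())
    + 'rip            0x401050            0x401050\n'
    + 'eflags         0x202               [ IF ]\n')

BANNER_REG_RE = re.compile(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)$')
BANNER_SIZE_RE = re.compile(r'(\d+)\s+bytes')
GDB_REG_RE = re.compile(r'^(r[a-z0-9]+)\s+(0x[0-9a-fA-F]+)\s')


def parse_banner(text):
    """Return ({reg: int}, code_size) from the 'reg=value' header lines."""
    regs, size = {}, None
    for line in text.splitlines():
        m = BANNER_REG_RE.match(line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 16)
            continue
        m = BANNER_SIZE_RE.search(line)
        if m:
            size = int(m.group(1))
    missing = [r for r in REGS if r not in regs]
    if missing or size is None:
        raise ValueError('incomplete banner: missing %s, size=%r' % (missing, size))
    return regs, size


def patch_ret_to_int3(code):
    """Swap the trailing ret (0xc3) for int 3 (0xcc) so GDB stops right there."""
    if not code.endswith(b'\xc3'):
        raise ValueError('code does not end in ret; refusing to patch blindly')
    return code[:-1] + b'\xcc'


def build_asm(regs, bin_path='code.bin'):
    """NASM source: load the initial state, then include the patched bytes."""
    lines = ['BITS 64', 'global _start', 'section .text', '_start:']
    for r in REGS:
        lines.append('    mov %s, 0x%x' % (r, regs[r]))    # 64-bit immediate load
    lines.append('    incbin "%s"' % bin_path)             # raw challenge code
    return '\n'.join(lines) + '\n'


def parse_gdb_registers(output):
    """Pick the 14 tracked registers out of 'info registers' output."""
    final = {}
    for line in output.splitlines():
        m = GDB_REG_RE.match(line)
        if m and m.group(1) in REGS:                       # skips rip, eflags, ...
            final[m.group(1)] = int(m.group(2), 16)
    return final


def format_reply(final):
    """Reply in the same 'reg=value' form the service used, in REGS order."""
    return ''.join('%s=0x%x\n' % (r, final[r]) for r in REGS) + '\n'


if __name__ == '__main__':
    regs, size = parse_banner(SAMPLE_BANNER)
    assert len(SAMPLE_CODE) == size
    print(build_asm(regs))
    print(format_reply(parse_gdb_registers(SAMPLE_GDB_OUTPUT)), end='')
```

To use this against a live run, write `patch_ret_to_int3(code)` to `code.bin`, write `build_asm(regs)` to `code.asm`, assemble and link exactly as the writeup does, and feed GDB's output to `parse_gdb_registers`; the `missing`/`size` check in `parse_banner` fails loudly instead of silently sending a half-filled register set when the service output changes shape.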
The code:
# Python 2 solver; libcookie and asm are the author's own helper libraries
from libcookie import *   # provides Sock and TCP
from asm import *         # provides Capstone().dump, which appends the disassembly to a file
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state received from the server, and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
# registers still to be parsed from the gdb output (the original hard-coded 15,
# one more than the 14 keys above, so the send block could never trigger)
fregs = len(finalRegs)

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# parse the "reg=value" lines and the "... N bytes:" line announcing the code size
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

# the machine code is the last sz bytes of what we have read
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# prologue: one mov per register to load the initial state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()

# append the disassembly of the received code (the final ret becomes int 3)
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
# run until the int 3 raises SIGTRAP, then dump the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # the hex value sits at a fixed column in gdb's "i r" output
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                # all registers parsed: reply in the same "reg=value" format
                #print 'sending regs ...'
                #print finalRegs
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))
                print '\n'.join(buff)+'\n'
                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()
fd.close()
s.close()