On connecting to the service you receive a dump of 64-bit CPU registers followed by a blob of raw x86-64 machine code.
The registers are the initial CPU state; the task is to reply with the register values that result from executing that code from that state. This has to be automated because the server closes the socket after a 10 second timeout.
The approach is straightforward: load the given values into the registers, run the code, and read the resulting registers.
In Python we keep two dicts, one for the initial state (cpuRegs) and one for the final state (finalRegs), with the same keys:
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the start of the assembly file we emit one mov per register to load the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
The movs plus the received code are then assembled as 64-bit code, but with the final ret instruction replaced by int 3, so the process stops with a SIGTRAP immediately after the challenge code has executed and the registers can be read as the code left them.
We assemble and link with nasm and ld:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
Then GDB runs the binary until the SIGTRAP and dumps the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We parse the register values out of the gdb output, send them back to the server in the same format it used, and get the flag.
The code:
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

regNames = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
            'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
cpuRegs = dict((r, '') for r in regNames)    # initial state sent by the server
finalRegs = dict((r, '') for r in regNames)  # state after the code has run

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

# Banner: one 'reg=value' line per register, then a '... N bytes:' line and the
# raw code. readUntil() returns everything received so far, so the code is the
# last sz bytes of the buffer (the size print below checks that it all arrived).
data = s.readUntil('bytes:')
sz = 0
for r in data.split('\n'):
    name, eq, value = r.partition('=')
    if eq and name in cpuRegs:
        cpuRegs[name] = value.strip()
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]
print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: load the initial register state, then append the disassembly of
# the received bytes (Capstone().dump appends nasm-syntax lines to code.asm).
code = ['section .text', 'global _start', '_start:']
for r in regNames:
    code.append('mov %s, %s' % (r, cpuRegs[r]))
fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
Capstone().dump('x86', '64', binary, 'code.asm')

# Replace the final ret with int 3 so gdb stops right after the code has run.
lines = open('code.asm').read().split('\n')
for i in range(len(lines) - 1, -1, -1):
    if lines[i].strip() == 'ret':
        lines[i] = 'int 3'
        break
open('code.asm', 'w').write('\n'.join(lines) + '\n')

print 'Assembling ...'
os.popen('nasm -f elf64 code.asm').read()   # .read() waits for nasm to finish
os.popen('ld -o code code.o').read()

print 'Running ...'
# Run to the SIGTRAP and dump the registers. Match the register name as the
# first token of each line (not a substring test) and take the hex column,
# whatever padding gdb uses.
fd = os.popen("gdb -q code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    spl = l.split()
    if len(spl) >= 2 and spl[0] in finalRegs:
        finalRegs[spl[0]] = spl[1]
fd.close()

buff = []
for k in regNames:
    buff.append('%s=%s' % (k, finalRegs[k]))
print '\n'.join(buff) + '\n'
print s.readAll()
s.write('\n'.join(buff) + '\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
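As an added example (not code from the writeup), here are the parts of this pipeline that can be run offline: parsing the banner, building the nasm source with the trap in place, parsing gdb's register dump and formatting the reply. The banner layout follows the writeup; the sample banner, code bytes and gdb output are constructed, the function names are mine, and instead of disassembling with Capstone and reassembling, the received bytes are embedded with a nasm db directive and the final ret byte (0xc3) is patched to int 3 (0xcc).

```python
# Added example, not the writeup's code: the solver pieces that can be
# exercised offline. The message layout ('reg=value' lines, a '... N bytes:'
# line, then the raw code) follows the writeup; the banner, code bytes and gdb
# output used below are constructed, and all function names are my own.
# The received bytes are embedded with nasm 'db' and the trailing ret (0xc3)
# is patched to int 3 (0xcc) at the byte level, no disassembly needed.
import os
import re
import subprocess

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']


def parse_challenge(data):
    """Return (initial register dict, code bytes) from the raw banner."""
    m = re.search(rb'(\d+) bytes:', data)
    if not m:
        raise ValueError('no "N bytes:" marker in banner')
    size = int(m.group(1))
    head, tail = data[:m.start()], data[m.end():]
    regs = {}
    for line in head.decode('ascii', 'replace').splitlines():
        name, eq, value = line.partition('=')
        if eq and name in REGS:
            regs[name] = int(value.strip(), 16)
    if len(regs) != len(REGS):
        raise ValueError('banner lists %d of %d registers' % (len(regs), len(REGS)))
    if len(tail) < size:
        raise ValueError('only %d of %d code bytes received' % (len(tail), size))
    return regs, tail[-size:]   # the code is the last `size` bytes, as in the writeup


def build_asm(regs, code):
    """nasm source: load the initial state, then the code with ret -> int 3."""
    if code[-1:] != b'\xc3':
        raise ValueError('code does not end in ret, nowhere to place the trap')
    body = code[:-1] + b'\xcc'  # int 3: gdb stops with the post-run registers intact
    lines = ['section .text', 'global _start', '_start:']
    lines += ['    mov %s, 0x%x' % (r, regs[r]) for r in REGS]
    lines += ['    db ' + ', '.join('0x%02x' % b for b in body[i:i + 16])
              for i in range(0, len(body), 16)]
    return '\n'.join(lines) + '\n'


def parse_info_registers(text):
    """Parse gdb 'info registers' output into {name: int}.

    The register name is matched as the whole first token (a substring test
    such as 'r8' in line is fragile) and the hex column is taken whatever
    padding gdb uses; rip, eflags and segment lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            out[parts[0]] = int(parts[1], 16)
    return out


def format_reply(regs):
    """Answer in the server's own 'reg=0x...' format, one register per line."""
    return '\n'.join('%s=0x%x' % (r, regs[r]) for r in REGS) + '\n'


def run_in_gdb(asm_text, workdir):
    """Assemble, link and run to the int 3 under gdb; returns the register dump.
    Needs nasm, ld and gdb on the host, so it is not exercised offline."""
    src, obj, exe = (os.path.join(workdir, n) for n in ('code.asm', 'code.o', 'code'))
    with open(src, 'w') as f:
        f.write(asm_text)
    subprocess.check_call(['nasm', '-f', 'elf64', '-o', obj, src])
    subprocess.check_call(['ld', '-o', exe, obj])
    res = subprocess.run(['gdb', '-q', '-batch', '-ex', 'run', '-ex', 'info registers', exe],
                         stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
    return res.stdout


# Constructed sample: add rax, rbx / xor rcx, rcx / ret with a small initial state.
SAMPLE_CODE = bytes.fromhex('4801d8' '4831c9' 'c3')
INITIAL = {r: 0x10 * (i + 1) for i, r in enumerate(REGS)}
SAMPLE_BANNER = (''.join('%s=0x%x\n' % (r, INITIAL[r]) for r in REGS)
                 + 'About to send %d bytes:\n' % len(SAMPLE_CODE)).encode() + SAMPLE_CODE
# Constructed gdb output for that run: rax = 0x10 + 0x20, rcx cleared.
AFTER = dict(INITIAL, rax=0x30, rcx=0x0)
SAMPLE_GDB = (''.join('%-15s0x%-18x%d\n' % (r, AFTER[r], AFTER[r]) for r in REGS)
              + 'rip            0x401071            0x401071\n'
              + 'eflags         0x246               [ IF ZF PF ]\n')

if __name__ == '__main__':
    regs, code = parse_challenge(SAMPLE_BANNER)
    print(build_asm(regs, code))
    print(format_reply(parse_info_registers(SAMPLE_GDB)), end='')
```

With nasm, ld and gdb installed, run_in_gdb(build_asm(regs, code), some_dir) produces the text that parse_info_registers consumes: the batch gdb run stops at the SIGTRAP raised by the int 3 with the general-purpose registers exactly as the challenge code left them, which is why the trap is placed where the ret was rather than anywhere earlier.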