Just by connecting to the service we receive a 64-bit CPU register dump followed by a blob of binary code, as you can see:
The registers represent the initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the server's 10-second socket timeout.
The exploit is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.
In Python we created two structures, one for the initial state and one for the final state:
```python
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
```
We inject several mov instructions at the beginning of the code to set the initial state:
```python
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
```
The movs and the received binary code are then assembled as 64-bit code, but with the final ret instruction replaced by an "int 3" so that the process stops with a SIGTRAP right after the code has run.
We assemble with nasm like this:
```python
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
```
And we use GDB to run the code until the SIGTRAP and then dump the registers:
```python
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
```
We just parse the registers, send them back to the server in the same format, and get the key.
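The same pipeline as an added, self-contained example (Python 3; this is not the author's exploit and it does not talk to the network): it parses a register dump in the format the writeup describes, builds the NASM source with the mov prologue and the last ret swapped for int 3 (0xC3 to 0xCC), and pulls the final values out of GDB's "info registers" output by whitespace splitting, which is less brittle than a fixed column index. The sample dump, the banner wording and the GDB output are constructed for the example; the field layout ("reg=0x..", "... N bytes:") follows what the exploit parses. The received code is emitted as raw db bytes rather than re-disassembled, so nothing depends on a disassembler round-trip. Since the page's approach runs attacker-supplied machine code natively under GDB, run it in a disposable VM.

```python
import re

# Registers the service reports and expects back, in a fixed reply order.
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample of the service's dump (banner wording is assumed).
# The trailing machine code is "add rax, rbx ; ret".
SAMPLE_DUMP = (
    b"****Initial Register State****\n"
    b"rax=0x1\nrbx=0x2\nrcx=0x3\nrdx=0x4\nrsi=0x5\nrdi=0x6\n"
    b"r8=0x7\nr9=0x8\nr10=0x9\nr11=0xa\nr12=0xb\nr13=0xc\nr14=0xd\nr15=0xe\n"
    b"About to send 4 bytes: "
    b"\x48\x01\xd8\xc3"
)

# Constructed sample of what `gdb -ex 'i r'` prints once `int 3` fires.
SAMPLE_GDB = """Program received signal SIGTRAP, Trace/breakpoint trap.
0x0000000000401075 in ?? ()
rax            0x3                 3
rbx            0x2                 2
rcx            0x3                 3
rdx            0x4                 4
rsi            0x5                 5
rdi            0x6                 6
rbp            0x0                 0x0
rsp            0x7fffffffe3f0      0x7fffffffe3f0
r8             0x7                 7
r9             0x8                 8
r10            0x9                 9
r11            0xa                 10
r12            0xb                 11
r13            0xc                 12
r14            0xd                 13
r15            0xe                 14
rip            0x401075            0x401075
eflags         0x246               [ IF ZF PF ]
"""


def parse_dump(raw):
    """Return (initial registers as hex strings, machine code bytes)."""
    text = raw.decode('latin-1')            # 1:1 byte mapping, safe to regex
    regs = {}
    for m in re.finditer(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)', text, re.M):
        if m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    size = int(re.search(r'(\d+) bytes', text).group(1))
    if len(regs) != len(REGS) or size <= 0:
        raise ValueError('incomplete register dump')
    return regs, raw[-size:]                # the code is the tail of the buffer


def build_asm(regs, code):
    """NASM source: mov prologue, then the code with its final ret -> int 3."""
    if code.endswith(b'\xc3'):              # 0xC3 = ret, 0xCC = int 3
        code = code[:-1] + b'\xcc'
    lines = ['bits 64', 'section .text', 'global _start', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    # Emit the received bytes verbatim instead of re-disassembling them.
    lines.append('    db ' + ', '.join('0x%02x' % b for b in code))
    return '\n'.join(lines) + '\n'


def parse_info_registers(gdb_output):
    """Pick the hex column out of `info registers` by whitespace splitting."""
    out = {}
    for line in gdb_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            out[parts[0]] = parts[1]
    return out


def format_reply(regs):
    """Reply in the same "reg=0x.." format the service used, one per line."""
    return '\n'.join('%s=%s' % (r, regs[r]) for r in REGS) + '\n'


if __name__ == '__main__':
    init, code = parse_dump(SAMPLE_DUMP)
    print(build_asm(init, code))            # this is what goes into code.asm
    print(format_reply(parse_info_registers(SAMPLE_GDB)))
```

The generated source assembles with the same "nasm -f elf64 code.asm" / "ld -o code code.o" pair as in the writeup; only the parsing and generation steps are shown here, the assemble-and-run step is left to those commands.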
The code:
```python
#!/usr/bin/env python2
# Python 2 exploit as used during the CTF; libcookie (Sock) and asm (Capstone) are the author's helper modules.
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server and final state read back from GDB.
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# Parse the "reg=value" lines and the announced code size; the code is the tail of the buffer.
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]

code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# Prologue: one mov per register to load the initial state.
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()

# Append the disassembled server code to code.asm, then assemble and link it.
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

# Run under GDB until the int 3 SIGTRAP and dump the registers.
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # 'info registers' pads the name to 15 columns: index 12 for
                # three-letter names, one more for two-letter ones such as r8.
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                # Send the final state back in the same "reg=value" format.
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))
                print '\n'.join(buff)+'\n'
                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()
fd.close()
s.close()
```