On connecting to the service we receive a dump of 64-bit CPU registers followed by a blob of x86-64 machine code.
The registers describe an initial CPU state, and we have to reply with the register values that result from executing the received code starting from that state. This has to be automated, because the server closes the socket after a 10-second timeout.
The solver is simple: set the CPU registers to the given values, execute the code natively, and read back the resulting registers.
In Python we created two dictionaries, one for the initial state and one for the final state:
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the start of the assembly we inject one mov per register to reproduce the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
The movs and the received binary code are then assembled as 64-bit code, with the final ret replaced by an int 3 so that execution stops with a SIGTRAP right after the last real instruction (the server-supplied code ends in a ret, so nothing after it is ours).
We assemble and link with nasm and ld:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
Then we run the binary under GDB until the SIGTRAP and dump the registers. Note that this executes code supplied by the remote server natively on the solver machine, so do it in a throwaway VM or container.
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We parse the register values out of the GDB output, send them back to the server in the same reg=value format, and get the key.
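The same pipeline as one self-contained Python 3 script, added here as an example and not part of the original writeup or its libcookie/asm helpers. It assumes the dump uses one `reg=0x...` line per register plus a header containing `<N> bytes`, and that the reply uses the same `reg=0x...` form. Instead of disassembling the received bytes with Capstone and reassembling them, it checks that the last byte is a ret (0xc3), patches it to int3 (0xcc) and emits the bytes with a `db` directive, which avoids any disassembler round trip. The sample dump and GDB output are constructed; run_under_gdb needs nasm, ld and gdb, is not exercised by the sample, and executes the received code natively, so use a disposable VM.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# The 14 registers the challenge asks for (rsp/rbp are not part of the set).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

RET, INT3 = b'\xc3', b'\xcc'


def parse_initial_state(text):
    """Parse 'reg=0x...' lines and the '... N bytes' header (assumed format).

    Returns (regs, size); raises if any register or the size is missing, so a
    truncated read is caught before anything is assembled.
    """
    regs, size = {}, None
    for line in text.splitlines():
        m = re.match(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)$', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 16)
            continue
        m = re.search(r'(\d+)\s+bytes', line)
        if m:
            size = int(m.group(1))
    missing = [r for r in REGS if r not in regs]
    if missing or size is None:
        raise ValueError('incomplete dump: missing %s, size=%s' % (missing, size))
    return regs, size


def build_nasm_source(regs, code):
    """Prologue of movs plus the received bytes, trailing ret patched to int3.

    The int3 makes gdb stop with SIGTRAP right after the last real instruction,
    with every register still holding the code's final value.
    """
    if not code.endswith(RET):
        raise ValueError('code does not end with ret; cannot patch it to int3')
    patched = code[:-1] + INT3
    lines = ['BITS 64', 'global _start', 'section .text', '_start:']
    for r in REGS:
        lines.append('    mov %s, 0x%x' % (r, regs[r]))
    # Emit the bytes verbatim; nasm does not need to understand them.
    lines.append('    db ' + ', '.join('0x%02x' % b for b in patched))
    return '\n'.join(lines) + '\n'


def parse_gdb_registers(text):
    """Parse 'info registers' output: '<name> <hex> <natural>' per line.

    Lines for rip, eflags, segment registers etc. are skipped by name.
    """
    regs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            regs[parts[0]] = int(parts[1], 16)
    return regs


def format_reply(regs):
    """'reg=0x...' lines in REGS order (assumed reply format)."""
    return '\n'.join('%s=0x%x' % (r, regs[r]) for r in REGS) + '\n'


def run_under_gdb(asm_source, workdir=None):
    """Assemble, link and run until the int3; needs nasm, ld and gdb on PATH."""
    d = Path(workdir or tempfile.mkdtemp())
    (d / 'code.asm').write_text(asm_source)
    subprocess.run(['nasm', '-f', 'elf64', 'code.asm'], cwd=d, check=True)
    subprocess.run(['ld', '-o', 'code', 'code.o'], cwd=d, check=True)
    out = subprocess.run(['gdb', '-nx', '-batch', '-ex', 'run',
                          '-ex', 'info registers', './code'],
                         cwd=d, capture_output=True, text=True).stdout
    return parse_gdb_registers(out)


# Constructed sample input: the received code is 'add rax, rbx ; ret'.
SAMPLE_CODE = b'\x48\x01\xd8\xc3'
SAMPLE_DUMP = ''.join('%s=0x%x\n' % (r, i + 1) for i, r in enumerate(REGS)) \
    + 'About to send %d bytes: \n' % len(SAMPLE_CODE)

# Constructed sample of gdb's 'info registers' after the SIGTRAP (rax = 1 + 2).
SAMPLE_GDB = 'rax            0x3                 3\n' + ''.join(
    '%-15s0x%-18x%d\n' % (r, i + 1, i + 1)
    for i, r in enumerate(REGS) if r != 'rax') \
    + 'rip            0x401038            0x401038 <_start+56>\n' \
    + 'eflags         0x206               [ PF IF ]\n'

if __name__ == '__main__':
    initial, size = parse_initial_state(SAMPLE_DUMP)
    print(build_nasm_source(initial, SAMPLE_CODE[:size]))
    print(format_reply(parse_gdb_registers(SAMPLE_GDB)))
```

The size from the header is used to slice exactly that many bytes off the socket buffer; the ret check guards against a truncated read, which would otherwise let execution run off the end of the emitted bytes into whatever follows in .text.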
The code (Python 2, using the author's own libcookie and asm helper modules; indentation restored):
from libcookie import *
from asm import *
import os

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
cpuRegs = dict((r, '') for r in REGS)    # initial state sent by the server
finalRegs = dict((r, '') for r in REGS)  # state after running the code

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

# Read the register dump plus the "... N bytes:" header. libcookie's readUntil
# returns everything received so far, so the code bytes that follow the header
# are already in the buffer and can be sliced off its end.
data = s.readUntil('bytes:')

sz = 0
for r in data.split('\n'):
    for rk in REGS:
        if r.startswith(rk + '='):
            cpuRegs[rk] = r.split('=')[1].strip()
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]
print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: one mov per register to reproduce the server's initial state.
code = []
for r in REGS:
    code.append('mov %s, %s' % (r, cpuRegs[r]))
fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()

# Disassemble the received bytes and append them to code.asm; the final ret
# is replaced by int 3 so GDB stops with SIGTRAP right after the code.
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compiling ...'
# os.system waits for each step to finish (os.popen would not, so ld could
# run before nasm has written code.o).
os.system('nasm -f elf64 code.asm')
os.system('ld -o code code.o')

print 'Running ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    # "info registers" lines look like:  rax   0x1234   4660
    spl = l.split()
    if len(spl) >= 2 and spl[0] in finalRegs:
        finalRegs[spl[0]] = spl[1]
fd.close()

if all(finalRegs[k] for k in REGS):
    buff = []
    for k in REGS:
        buff.append('%s=%s' % (k, finalRegs[k]))
    print '\n'.join(buff) + '\n'
    print s.readAll()
    s.write('\n'.join(buff) + '\n\n\n')
    print 'waiting flag ....'
    print s.readAll()
    print '----- yeah? -----'
else:
    print 'err: registers missing from gdb output:', \
        [k for k in REGS if not finalRegs[k]]
s.close()