Just by connecting to the service, a 64-bit CPU register dump is received, followed by a few bytes of binary code, as you can see:
The registers represent an initial CPU state, and we have to reply with the register values that result from executing that binary code. This must be automated because of the server's 10-second socket timeout.
The exploit is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.
In Python we created two dictionaries, one for the initial state and one for the final state:
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the beginning of the assembly we inject one mov per register to set the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
Then we assemble the movs together with the received binary code as 64-bit, replacing the final ret instruction with an "int 3", which raises SIGTRAP.
We assemble and link with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And we use GDB to execute the code until the SIGTRAP, and then read the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers, send them to the server in the same format, and get the key.
The code:
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)   # registers still to be parsed from gdb's output

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

# libcookie's readUntil returns everything buffered so far, so the code bytes
# that follow the 'bytes:' marker are already at the tail of data
data = s.readUntil('bytes:')

sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])   # "... N bytes:" -> N is the fourth token
binary = data[-sz:]

print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prepend one mov per register so the code starts from the given initial state
code = []
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
# Disassemble the received bytes and append them to code.asm
# (the final ret is replaced by int 3 so gdb stops right after the code)
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compilando ...'
# .read() waits for each tool to finish before the next one starts
os.popen('nasm -f elf64 code.asm').read()
os.popen('ld -o code code.o').read()

print 'Ejecutando ...'
# Run until the int 3 (SIGTRAP) and dump the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    spl = l.split()   # 'info registers' lines look like: rax  0x1234  4660
    for x in finalRegs.keys():
        if spl and spl[0] == x:
            try:
                finalRegs[x] = spl[1]
                print 'reg: ', x
            except:
                print 'err: ' + l
            fregs -= 1
fd.close()

if fregs == 0:
    # Send the final state back in the same reg=value format
    buff = []
    for k in finalRegs.keys():
        buff.append('%s=%s' % (k, finalRegs[k]))
    print '\n'.join(buff) + '\n'
    print s.readAll()
    s.write('\n'.join(buff) + '\n\n\n')
    print 'waiting flag ....'
    print s.readAll()
    print '----- yeah? -----'
s.close()
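The steps above (parsing the register dump, building the mov prelude, swapping the trailing ret for int 3, and reading gdb's register output) can be done without the fragile fixed-index split. This is an added Python 3 example, not the write-up's own code; it assumes the server sends values as "reg=0x..." lines and a "... N bytes:" line, and the banner and gdb text below are constructed, not captured from the real service.

```python
import re

# The 14 general-purpose registers the write-up's dictionaries track
# (rsp, rbp and rip are not part of the exchange).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

def parse_initial_state(text):
    """Collect 'reg=0x...' lines from the server banner (hex values assumed)."""
    regs = {}
    for m in re.finditer(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)\s*$', text, re.M):
        if m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def parse_code_size(text):
    """Size announced as '... N bytes:' before the raw code; 0 if absent."""
    m = re.search(r'(\d+)\s+bytes', text)
    return int(m.group(1)) if m else 0

def build_prelude(regs):
    """NASM source that loads the initial state, then falls into the code."""
    lines = ['global _start', 'section .text', '_start:']
    lines += ['    mov %s, 0x%x' % (r, regs[r]) for r in REGS if r in regs]
    return lines

def patch_ret_to_int3(code):
    """Swap a trailing ret (0xC3) for int3 (0xCC) so gdb stops right there."""
    if code and code[-1] == 0xC3:
        return code[:-1] + b'\xcc'
    return code

def parse_gdb_registers(output):
    """Parse gdb 'info registers' lines such as 'rax  0x1234  4660'."""
    regs = {}
    for m in re.finditer(r'^(r[a-z0-9]+)\s+(0x[0-9a-fA-F]+)\b', output, re.M):
        if m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def format_reply(regs):
    """Answer in the same 'reg=0x...' format the server used."""
    return '\n'.join('%s=0x%x' % (r, regs[r]) for r in REGS if r in regs) + '\n'

# Constructed sample banner and gdb output, not captured from the real service.
SAMPLE_BANNER = "rax=0x1\nrbx=0xff\nr15=0x0\nAbout to send 4 bytes:\n"
SAMPLE_GDB = ("rax            0x100               256\n"
              "rip            0x401020            0x401020\n"
              "eflags         0x246               [ PF ZF IF ]\n")
```

The prelude lines plus the patched bytes (appended as `db` values or via a disassembler, as the write-up does) form code.asm for nasm; rip and eflags from gdb are ignored because the server never asked for them.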