Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
More info
- Hacking Tools 2019
- Hack Tools Pc
- Tools Used For Hacking
- How To Install Pentest Tools In Ubuntu
- Hacking Tools Name
- Hacking Tools Windows
- Pentest Tools Open Source
- Hack Tools For Ubuntu
- Hack Tools For Games
- What Are Hacking Tools
- Hack Tool Apk No Root
- Hacking Tools Usb
- Hacker Tools Mac
- Pentest Tools Github
- Hack Tool Apk No Root
- Hacker Tools Free
- Hacker Tools
- Termux Hacking Tools 2019
- Hacker Tools Apk Download
- Hack Tools For Ubuntu
- Nsa Hack Tools Download
- Underground Hacker Sites
- Hacking Tools Mac
- Nsa Hack Tools
- Hack Tools Github
- Nsa Hack Tools
- Pentest Tools Download
- Hacker Tools Linux
- Hacker Hardware Tools
- What Is Hacking Tools
- Pentest Tools Port Scanner
- Hacker Tool Kit
- Hacker Tools Windows
- Pentest Tools Subdomain
- Hacker Search Tools
- Hacking Tools Windows 10
- Hack Tool Apk No Root
- Pentest Reporting Tools
- Hack Website Online Tool
- What Is Hacking Tools
- Bluetooth Hacking Tools Kali
- Hack Tools Download
- Bluetooth Hacking Tools Kali
- Hack Tools Pc
- Pentest Reporting Tools
- New Hacker Tools
- Hacking Tools For Beginners
- Hack Tools Mac
- Hack And Tools
- Hack Apps
- Hackrf Tools
- Hack Tools For Games
- Hack Tools For Windows
- Tools For Hacker
- Hack Website Online Tool
- Best Hacking Tools 2020
- New Hack Tools
- Pentest Tools Website
- Hacker Hardware Tools
- Hacker Tools For Mac
- Hak5 Tools
- Pentest Tools For Mac
- Hacking Tools For Windows
- Hack Tools
- Pentest Tools For Windows
- Hack Tools
- Hacker Tools Free Download
- Hacker Tools 2019
- Hacker Search Tools
- Pentest Tools For Windows
- Hacker Tools 2020
- Hack Tools For Games
- Tools 4 Hack
- Pentest Tools Free
- What Is Hacking Tools
- Pentest Tools Kali Linux
- Install Pentest Tools Ubuntu
- Hack Tools Pc
- Hacker Tools Online
- Wifi Hacker Tools For Windows
- Hackrf Tools
- Hack Tool Apk No Root
- Hacking Tools For Mac
- Pentest Tools Subdomain
- New Hacker Tools
- Pentest Recon Tools
- Hacking Tools Free Download
- Hacker Tools For Windows
- Hack Tool Apk No Root
- Hackrf Tools
- Hacking Tools Free Download
- Hacker Tool Kit
- Best Hacking Tools 2019
- Hack Tools
- Hack Tools Mac
- Hak5 Tools
- Hacking Tools Pc
- Hacking Tools For Windows
- What Is Hacking Tools
- Hacker Tools For Windows
- Tools 4 Hack
- How To Install Pentest Tools In Ubuntu
- Android Hack Tools Github
- Best Hacking Tools 2019
No comments:
Post a Comment