Just by connecting to the service, a 64-bit CPU register dump is received, followed by a blob of binary code, as you can see:
The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the 10-second server socket timeout.
The exploit is quite simple: we have to set the CPU registers to these values, execute the code and collect the resulting registers.
In Python we created two structures of the same shape, one for the initial state (cpuRegs) and one for the final state (finalRegs):
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject several movs at the beginning to set the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64-bit compilation then covers the movs plus the received binary code, but with the last ret instruction replaced by a SIGTRAP ("int 3") so that execution stops right where the code finishes.
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And we use GDB to run the code until the SIGTRAP, then dump the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers, send them to the server in the same format, and get the key.
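The same three steps (parse the service banner, emit the nasm source with the mov prologue and the trailing ret swapped for int 3, pick the values out of gdb's register dump) as an added Python 3 example. This is not the original solver's code: the banner and gdb output below are constructed samples shaped like the lines the script above parses, the `_start` label and the exact banner wording are assumptions, and instead of going through Capstone it emits the received bytes directly with `db`, which avoids the brittle "column 12" split on gdb's output.

```python
import re

# Register names the service reports, in the order it prints them.
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample banner (assumed wording, not a real capture); the real
# message is followed by the raw code bytes right after "bytes:".
SAMPLE_BANNER = (
    "****Initial Register State****\n"
    "rax=0x1\nrbx=0x2\nrcx=0x3\nrdx=0x4\nrsi=0x5\nrdi=0x6\n"
    "r8=0x8\nr9=0x9\nr10=0xa\nr11=0xb\nr12=0xc\nr13=0xd\nr14=0xe\nr15=0xf\n"
    "****Send Solution In The Same Format****\n"
    "About to send 4 bytes: \n"
)
# Constructed code blob: add rax, rbx ; ret
SAMPLE_CODE = bytes([0x48, 0x01, 0xd8, 0xc3])

# Constructed gdb 'info registers' output for the blob above (rax = 1 + 2).
SAMPLE_GDB_OUTPUT = (
    "Program received signal SIGTRAP, Trace/breakpoint trap.\n"
    "0x0000000000401064 in ?? ()\n"
    "rax            0x3                 3\n"
    "rbx            0x2                 2\n"
    "rcx            0x3                 3\n"
    "rdx            0x4                 4\n"
    "rsi            0x5                 5\n"
    "rdi            0x6                 6\n"
    "r8             0x8                 8\n"
    "r9             0x9                 9\n"
    "r10            0xa                 10\n"
    "r11            0xb                 11\n"
    "r12            0xc                 12\n"
    "r13            0xd                 13\n"
    "r14            0xe                 14\n"
    "r15            0xf                 15\n"
    "rip            0x401064            0x401064\n"
    "eflags         0x202               [ IF ]\n"
)

REG_LINE = re.compile(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)\s*$')
SIZE_LINE = re.compile(r'About to send (\d+) bytes')
GDB_REG = re.compile(r'^(\w+)\s+(0x[0-9a-fA-F]+)\b')


def parse_banner(text):
    """Return ({reg: hex string}, code_size) from the service banner."""
    regs, size = {}, None
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
            continue
        m = SIZE_LINE.search(line)
        if m:
            size = int(m.group(1))
    if len(regs) != len(REGS) or size is None:
        raise ValueError('incomplete banner')
    return regs, size


def build_asm(regs, code):
    """nasm source: mov prologue, then the code bytes with the trailing ret
    replaced by int3 so the process stops where gdb can read the registers."""
    body = bytearray(code)
    if body and body[-1] == 0xc3:      # ret
        body.pop()
    body.append(0xcc)                  # int3 -> SIGTRAP
    lines = ['global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    lines.append('    db ' + ', '.join('0x%02x' % b for b in body))
    return '\n'.join(lines) + '\n'


def gdb_command(path):
    """argv that runs the linked binary under gdb until the int3 and dumps
    registers, the batch-mode equivalent of the writeup's os.popen line."""
    return ['gdb', '-batch', '-ex', 'run', '-ex', 'info registers', path]


def parse_gdb_registers(output):
    """Pick the hex column out of gdb 'info registers' lines."""
    regs = {}
    for line in output.splitlines():
        m = GDB_REG.match(line)
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    return regs


def format_reply(regs):
    """Same 'reg=value' line format the service used for the initial state."""
    return ''.join('%s=%s\n' % (r, regs[r]) for r in REGS)


if __name__ == '__main__':
    initial, size = parse_banner(SAMPLE_BANNER)
    print(build_asm(initial, SAMPLE_CODE[:size]))
    print(format_reply(parse_gdb_registers(SAMPLE_GDB_OUTPUT)))
```

The generated source is assembled and linked exactly as in the writeup (`nasm -f elf64` then `ld`), and `gdb_command` only builds the argv so the parsing can be exercised without nasm or gdb installed.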
The code:
from libcookie import *   # custom socket helper (Sock, TCP)
from asm import *         # custom Capstone wrapper that dumps bytes as nasm source
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state received from the server, and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15   # countdown of register lines still to collect from gdb

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# parse the "reg=value" lines and the "About to send N bytes:" line
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

# the code blob is the last sz bytes of what was read
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# prologue: one mov per register to load the initial state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()

# append the disassembly of the received bytes (last ret swapped for int 3)
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
# run until the int 3 SIGTRAP, then print the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # gdb pads the register name to 15 columns, so the hex value is
                # field 12 after splitting on spaces (13 for the two-letter names)
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                # reply in the same "reg=value" format the server used
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))
                print '\n'.join(buff)+'\n'
                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()
fd.close()
s.close()