On connecting to the service we receive a dump of 64-bit CPU registers followed by a few bytes of binary code.
The registers are an initial CPU state, and we have to reply with the register values that result from executing that binary code. This has to be automated because of the server's 10-second socket timeout.
The exploit is quite simple: set the CPU registers to these values, execute the code and read the resulting registers.
In Python we created two structures, one for the initial state and one for the final state:
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the start of the assembly we inject one mov per register to set the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
We then assemble the movs together with the disassembled binary code for 64 bits, but replace its final ret instruction with an "int 3" breakpoint, so the process stops with SIGTRAP right after the code has run and the registers are still intact.
We assemble with nasm and link with ld this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
Then we use GDB to run the binary until the SIGTRAP and print the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers, send them back to the server in the same format, and get the key.
The code:
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server and final state read back from GDB.
REGS = ['rax','rbx','rcx','rdx','rsi','rdi','r8','r9','r10','r11','r12','r13','r14','r15']
cpuRegs = dict((r, '') for r in REGS)
finalRegs = dict((r, '') for r in REGS)

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# Parse the "reg=value" lines and the "... N bytes:" line that announces the code size.
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk + '='):
            cpuRegs[rk] = r.split('=')[1].strip()
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
# The code bytes are taken from the tail of the buffer (assumes readUntil() keeps what follows the marker).
binary = data[-sz:]

print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: entry point plus one mov per register to load the initial state.
code = ['section .text', 'global _start', '_start:']
for r in REGS:
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
# Append the disassembly of the received bytes, with the final ret turned into int 3.
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compilando ...'   # assembling and linking; read() waits for each tool to finish
os.popen('nasm -f elf64 code.asm').read()
os.popen('ld -o code code.o').read()

print 'Ejecutando ...'   # run under GDB until the int 3 (SIGTRAP), then 'info registers'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    # 'info registers' lines look like "rax  0x1234  4660"; key on the first column only.
    spl = l.split()
    if len(spl) >= 2 and spl[0] in finalRegs:
        print 'reg: ', spl[0]
        finalRegs[spl[0]] = spl[1]
fd.close()

# Reply in the same "reg=value" format and wait for the flag.
buff = ['%s=%s' % (k, finalRegs[k]) for k in REGS]
print '\n'.join(buff) + '\n'
print s.readAll()
s.write('\n'.join(buff) + '\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
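As an added example (not the writeup's own code, and without its libcookie/asm helpers), the three text-handling steps of the procedure in dependency-free Python: parsing the "reg=value" state, generating the nasm source with the final ret replaced by int 3, and parsing GDB's info registers output. The server banner, disassembly and GDB output below are constructed samples, and the "About to send N bytes:" wording of the banner is an assumption.

```python
import re

# The registers the challenge hands out and expects back (from the writeup).
REGS = ('rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15')

def parse_initial_state(banner):
    """Collect the 'reg=0x..' lines of the server banner into a dict."""
    regs = {}
    for line in banner.splitlines():
        m = re.match(r'^(r\w+)=(0x[0-9a-fA-F]+)$', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    return regs

def build_asm(regs, disasm):
    """nasm source: entry label, one mov per known register, then the
    disassembled challenge code with its final 'ret' swapped for 'int 3',
    so the process stops under GDB (SIGTRAP) with the registers intact."""
    out = ['section .text', 'global _start', '_start:']
    out += ['    mov %s, %s' % (r, regs[r]) for r in REGS if r in regs]
    body = [l.strip() for l in disasm.splitlines() if l.strip()]
    if body and body[-1] == 'ret':
        body[-1] = 'int 3'
    return '\n'.join(out + ['    ' + l for l in body]) + '\n'

def parse_gdb_registers(output):
    """Parse 'info registers' lines ('<name> <hex> <natural>') keyed on the
    first column, so 'r8' is never matched inside an unrelated line."""
    regs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            regs[parts[0]] = parts[1]
    return regs

def format_reply(regs):
    """Answer in the same 'reg=value' format the server used."""
    return '\n'.join('%s=%s' % (r, regs[r]) for r in REGS if r in regs) + '\n'

# Constructed samples (not captured from the real service); the byte-count line wording is assumed.
SAMPLE_BANNER = "rax=0x10\nrbx=0x3\nrcx=0xff\nAbout to send 8 bytes:\n"
SAMPLE_DISASM = "add rax, rbx\nimul rax, rcx\nret\n"
SAMPLE_GDB = ("rax            0x12ed              4845\n"
              "rbx            0x3                 3\n"
              "rcx            0xff                255\n"
              "rip            0x401016            0x401016\n"
              "eflags         0x246               [ IF ZF PF ]\n")
```

The generated source is what nasm -f elf64 and ld from the writeup consume; rax in the sample GDB output is (0x10 + 0x3) * 0xff = 0x12ed, the value the server would expect back.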