Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
More info
- Hack Tool Apk
- Install Pentest Tools Ubuntu
- Pentest Recon Tools
- Hak5 Tools
- Hacker Tools Hardware
- Hacker Tools For Windows
- Top Pentest Tools
- Pentest Recon Tools
- Pentest Tools Website
- Hacker Tools Linux
- Pentest Tools Website
- Pentest Tools Apk
- Hacker Tools 2019
- Hack Tool Apk No Root
- Hacker Tools For Windows
- Hacker Tools Free Download
- Termux Hacking Tools 2019
- Hack Tools Download
- Hacking Tools Windows 10
- Hacking Tools
- Ethical Hacker Tools
- Free Pentest Tools For Windows
- Hacker Tools Apk
- Hak5 Tools
- Pentest Tools Framework
- Hacker Tools Free
- Pentest Tools Review
- Hacking Tools Github
- Pentest Tools Tcp Port Scanner
- Hacker Tools 2020
- New Hacker Tools
- Pentest Tools Windows
- Hack Tools For Ubuntu
- Nsa Hack Tools
- Hacker Hardware Tools
- Tools Used For Hacking
- Hacker Tools Linux
- Hacker Tools List
- Pentest Tools Website Vulnerability
- Pentest Tools
- Pentest Box Tools Download
- Hack Tool Apk No Root
- Pentest Tools
- Hackrf Tools
- Hacking Tools 2020
- Pentest Tools Nmap
- Hacking App
- Pentest Tools Windows
- Hack Tools For Games
- Hacking Tools Windows 10
- Hack Apps
- Hacker Tools For Pc
- Hacker Tools Windows
- World No 1 Hacker Software
- Hacker Techniques Tools And Incident Handling
- Hacker Tools For Mac
- Tools 4 Hack
- Pentest Tools For Windows
- Hacking Tools For Beginners
- Best Hacking Tools 2019
- Hacker Tools List
- How To Make Hacking Tools
- Hack Tools Online
- Pentest Tools Tcp Port Scanner
- Top Pentest Tools
- Pentest Tools Subdomain
- Hacking Tools For Pc
- Pentest Tools Download
- Hacking Tools Windows 10
- Pentest Tools Free
- Pentest Tools
- Hack Tools For Windows
- Pentest Tools Linux
- Hack Tools 2019
- Tools 4 Hack
No comments:
Post a Comment