On connecting to the service we receive a dump of 64-bit CPU registers followed by a blob of binary code, as you can see:
The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This has to be automated because of the server's 10 second socket timeout.
The solution is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.
In Python we created two structures, one for the initial state and one for the final state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the beginning of the program we inject a series of movs that set the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
We then assemble the movs together with the received binary code as a 64-bit program, replacing the final ret instruction with an "int 3" so that execution stops with a SIGTRAP.
We assemble with nasm like this:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
Then we use GDB to run the program until the SIGTRAP and dump the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers, send them back to the server in the same format, and get the key.
The code:
from libcookie import *   # author's socket helper (Sock, TCP)
from asm import *         # author's Capstone wrapper used to disassemble the blob
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state received from the server and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15  # gdb output lines matching a register name still to parse before replying

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# parse "reg=value" lines and the announced size of the code blob
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# prologue: load the initial register state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# disassemble the received blob and append it to code.asm
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
# run until the int 3 trap, then dump registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # the hex value sits at a fixed column of gdb's "i r" layout
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                # reply in the same "reg=value" format and read the flag
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))
                print '\n'.join(buff)+'\n'
                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()
fd.close()
s.close()
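As an added example (not the write-up's own script, which depends on the author's libcookie and asm helpers and on a fixed gdb column index), here is a Python 3 version of the parsing and assembly steps: it parses the register banner with a regex, swaps the trailing ret for int 3 at the byte level instead of disassembling, emits the blob into the nasm source with db, and reads gdb's "info registers" output by column name. The banner and gdb lines in the test are constructed samples; the exact server wording is an assumption.

```python
import re

# Register set the challenge reports and expects back (same set as the write-up's dicts).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

def parse_initial_state(banner):
    """Pull 'reg=0x...' lines out of the server banner into {reg: int}.
    The banner format is assumed from the write-up's split('=') parsing."""
    state = {}
    for m in re.finditer(r'^\s*(r\w+)\s*=\s*(0x[0-9a-fA-F]+)', banner, re.M):
        if m.group(1) in REGS:
            state[m.group(1)] = int(m.group(2), 16)
    return state

def patch_ret_to_trap(code):
    """Swap a trailing 'ret' (0xC3) for 'int 3' (0xCC) so gdb stops with SIGTRAP
    instead of returning into garbage. Refuses blobs that do not end in ret,
    since those would need a real disassembly pass to patch safely."""
    if not code.endswith(b'\xc3'):
        raise ValueError('code does not end with ret; refusing to patch blindly')
    return code[:-1] + b'\xcc'

def build_asm(state, code):
    """nasm source: load the initial state, then the (patched) challenge bytes.
    Emitting the blob with 'db' avoids having to disassemble it first."""
    lines = ['BITS 64', 'global _start', '_start:']
    for r in REGS:
        lines.append('    mov %s, 0x%x' % (r, state.get(r, 0)))
    lines.append('    db ' + ', '.join('0x%02x' % b for b in code))
    return '\n'.join(lines) + '\n'

def parse_gdb_registers(output):
    """Parse `info registers` output by the register name in column 0 and the
    hex value in column 1, instead of a fixed whitespace-split index."""
    regs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            regs[parts[0]] = int(parts[1], 16)
    return regs

def format_reply(regs):
    """Answer in the same 'reg=0x...' form the server used."""
    return ''.join('%s=0x%x\n' % (r, regs[r]) for r in REGS)
```

The generated source is assembled exactly as in the write-up (nasm -f elf64, then ld), and gdb's output is fed to parse_gdb_registers before replying.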