On connecting to the service we receive a dump of 64-bit CPU registers, followed by a chunk of binary code.
The registers represent the initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because the server closes the socket after a 10-second timeout.
The exploit is quite simple: set the CPU registers to those values, execute the code and read back the resulting registers.
In Python we created two dictionaries, one for the initial state and one for the final state:
```python
finalRegs = {'rax': '', 'rbx': '', 'rcx': '', 'rdx': '', 'rsi': '', 'rdi': '',
             'r8': '', 'r9': '', 'r10': '', 'r11': '', 'r12': '', 'r13': '', 'r14': '', 'r15': ''}
```
At the beginning of the code we inject a mov for each register to set the initial state:
```python
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
```
The movs and the received binary code are assembled as 64-bit code, but with the final `ret` instruction replaced by an `int 3`, so the process stops with a SIGTRAP right after the code has run.
We assemble and link with nasm and ld:
```python
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o')
```
Then we use GDB to run the binary until the SIGTRAP and dump the registers:
```python
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
```
We parse the registers, send them back to the server in the same format, and get the key.
The code:
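As an added example (not the writeup's code), a Python 3 version of the three parsing steps the script below does by hand: the server banner, the nasm prologue, and gdb's `info registers` output, picked by token instead of by column offset and refusing to answer until every register has been read. The banner text and the gdb output are constructed samples in the layout the writeup parses.

```python
import re

# Constructed sample of the challenge banner, in the layout the writeup parses:
# "reg=value" lines, then an "About to send N bytes:" line (the raw code follows it).
SAMPLE_BANNER = (
    "****Initial Register State****\nrax=0x10\nrbx=0x20\nrcx=0x3\n"
    "****Send Solution In The Same Format****\n"
    "About to send 6 bytes: "
)
# Constructed sample of gdb's "info registers" output after the int 3 SIGTRAP.
SAMPLE_GDB = (
    "Program received signal SIGTRAP, Trace/breakpoint trap.\n"
    "rax            0x30                48\n"
    "rbx            0x20                32\n" "rcx            0x2                 2\n"
    "eflags         0x202               [ IF ]\n"
)
REG_LINE = re.compile(r"^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)$")

def parse_banner(text):
    """Return ([(reg, value), ...] in server order, announced code size)."""
    regs, size = [], None
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs.append((m.group(1), m.group(2)))
        elif line.strip().endswith("bytes:"):
            size = int(line.split()[-2])  # "... N bytes:" -> N, whatever precedes it
    if not regs or size is None:
        raise ValueError("banner missing registers or size line")
    return regs, size

def build_prologue(regs):
    """nasm source that loads the initial state; the challenge code is appended after it."""
    lines = ["BITS 64", "global _start", "section .text", "_start:"]
    lines += ["mov %s, %s" % (r, v) for r, v in regs]
    return "\n".join(lines) + "\n"

def parse_info_registers(gdb_out, wanted):
    """Pick the hex column of 'info registers' by token, not by column offset."""
    found = {}
    for line in gdb_out.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in wanted:
            found[parts[0]] = parts[1]
    missing = [r for r in wanted if r not in found]
    if missing:  # never answer with a half-parsed state
        raise ValueError("registers not found in gdb output: %s" % missing)
    return found

def format_solution(regs_in_order, final):
    """Same 'reg=value' layout the server sent, in the server's order."""
    return "\n".join("%s=%s" % (r, final[r]) for r, _ in regs_in_order) + "\n"
```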
```python
from libcookie import *   # Sock(TCP) socket helper used by the author
from asm import *         # Capstone() wrapper that disassembles the blob into code.asm
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server and final state read back from gdb.
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
cpuRegs = dict((r, '') for r in REGS)
finalRegs = dict((r, '') for r in REGS)

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)
data = s.readUntil('bytes:')

# Parse the "reg=value" lines and the "... N bytes:" line announcing the code size.
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]

print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: load the initial register state before the challenge code runs.
code = []
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()

# Append the disassembly of the received blob (its final ret becomes an int 3).
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o')

# Run until the int 3 SIGTRAP, then dump the registers with 'info registers'.
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
fregs = len(finalRegs)   # registers still to be parsed before answering
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t', ' ')
            try:
                # gdb pads the register name to a fixed width, so the hex value is
                # field 12 for three-letter names and field 13 for r8/r9.
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i += 1
                print 'reg: ', x
                finalRegs[x] = spl[i]
            except:
                print 'err: ' + l
            fregs -= 1
            if fregs == 0:
                # All registers parsed: answer in the same "reg=value" format.
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k, finalRegs[k]))
                print '\n'.join(buff) + '\n'
                print s.readAll()
                s.write('\n'.join(buff) + '\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
fd.close()
s.close()
```