Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
- Hacker Tools 2020
- Hack Tools
- Blackhat Hacker Tools
- Hack And Tools
- Usb Pentest Tools
- Hack Tools Mac
- Hacker Tools Free Download
- Install Pentest Tools Ubuntu
- Hacker Tools List
- Hack Tools For Mac
- Nsa Hack Tools Download
- World No 1 Hacker Software
- Kik Hack Tools
- Bluetooth Hacking Tools Kali
- Hack Tools Pc
- Hacking Tools Software
- Best Hacking Tools 2020
- Pentest Tools Kali Linux
- Hacker Tools For Pc
- Beginner Hacker Tools
- Pentest Tools For Mac
- Black Hat Hacker Tools
- Pentest Automation Tools
- Hacker Tools Mac
- Hacker Tools Free Download
- Hack Tools For Windows
- Growth Hacker Tools
- Pentest Tools Tcp Port Scanner
- Hacking Tools Github
- Pentest Tools Open Source
- Pentest Tools Online
- Pentest Tools Find Subdomains
- Pentest Tools Android
- Pentest Tools For Android
- Hack Tools For Windows
- Hacking Tools Windows
- Hacking Apps
- Install Pentest Tools Ubuntu
- Hacker Tools Linux
- Pentest Tools Subdomain
- Nsa Hack Tools Download
- Hack Tools Online
- Github Hacking Tools
- Hackers Toolbox
- Pentest Tools Website
- Beginner Hacker Tools
- Nsa Hacker Tools
- Pentest Tools Android
- Hacker Tools For Mac
- Hacking Tools Online
- Termux Hacking Tools 2019
- Pentest Tools For Windows
- Hacking Tools Windows
- Hack Tools For Games
- Hacking Tools Software
- Hack Tools For Mac
- Pentest Tools Android
- Best Pentesting Tools 2018
- Hacker Tools Github
- Hacker Tools Free
- Hacker Tool Kit
- Hacking Tools For Kali Linux
- Pentest Tools Alternative
- Nsa Hack Tools Download
- Hacking Tools For Mac
- Beginner Hacker Tools
- Hackrf Tools
- Bluetooth Hacking Tools Kali
- Hacking Tools Hardware
- How To Hack
- Pentest Tools Download
- Hacker Tools Mac
- Hacking Tools Kit
- Pentest Tools Github
- Usb Pentest Tools
- Github Hacking Tools
- Pentest Tools Kali Linux
- Hack Tools Online
- Hacker Tools Software
- Android Hack Tools Github
- Pentest Box Tools Download
- Hak5 Tools
- World No 1 Hacker Software
- Hacker Tools Apk
- Hacker Hardware Tools
- Hacker Tools Apk Download
- Pentest Tools Review
- Hacking Tools
- Pentest Tools Free
- Hacking Tools For Games
- Hack Tools Download
- Hacker Tools Mac
- Hack Rom Tools
- Pentest Tools Windows
- Hacking App
- Pentest Tools Apk
- Pentest Tools Windows
- Hacker Tools Free Download
- World No 1 Hacker Software
- Free Pentest Tools For Windows
- Pentest Tools Review
- Hacking Tools Software
- Hack And Tools
- Wifi Hacker Tools For Windows
- Nsa Hacker Tools
- Hacking Tools For Games
- Beginner Hacker Tools
- Pentest Tools Online
- Hacking Tools Usb
No hay comentarios:
Publicar un comentario