On connecting to the service we receive a dump of 64-bit CPU registers followed by a blob of binary code, as you can see:
The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the server's 10-second socket timeout.
The exploit is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.
In Python we created two dictionaries, one for the initial state and one for the final state:
```python
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
```
We inject several movs at the beginning to set the initial state:
```python
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
```
We then assemble the movs plus the received binary code as 64-bit, but replace the final ret instruction with an "int 3" (SIGTRAP) breakpoint.
We compile with nasm in this way:
```python
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
```
Then we use GDB to run the code until the SIGTRAP and dump the registers:
```python
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
```
We just parse the registers, send them to the server in the same format, and get the key.
The code:
```python
from libcookie import *   # author's helper library: Sock(TCP) socket wrapper
from asm import *         # author's helper: Capstone().dump() disassembles bytes into a .asm file
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial CPU state (received from the server) and final state (read back from GDB)
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)  # registers still to be parsed from the GDB output (14, not a hard-coded 15)

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

# Parse the 'reg=value' lines and the announced size of the code blob
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]

code = []
print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: one mov per register to load the initial state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()

# Append the disassembly of the received code to code.asm (its final ret becomes an int 3)
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
# Run until the int 3 (SIGTRAP) and dump the registers with 'info registers'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t', ' ')
            try:
                # the hex value sits around column 12 of the padded GDB line
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i += 1
                print 'reg: ', x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: ' + l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                # Reply in the same 'reg=value' format the server used
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k, finalRegs[k]))
                print '\n'.join(buff) + '\n'
                print s.readAll()
                s.write('\n'.join(buff) + '\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()
fd.close()
s.close()
```
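The fragile part of the solver above is the parsing: the server banner is split on spaces by fixed index, and the GDB register lines are read from column 12. As an added example (not part of the original write-up), the following Python 3 helpers do the same three jobs, parsing the banner, building the mov prologue and parsing `info registers`, by anchoring on the register name and the hex column instead; both sample inputs are constructed here, and the banner format (`reg=0x...` lines plus an `N bytes:` line) is inferred from the write-up's own parsing code.

```python
import re

# Constructed sample of the server banner (format inferred from the write-up:
# 'reg=0x...' lines and a 'bytes:' line carrying the size of the code blob).
CHALLENGE_SAMPLE = """\
rax=0x1
rbx=0x2
rdi=0x0
r15=0xf
About to send 67 bytes:
"""

# Constructed sample of GDB 'info registers' output: name, hex value, natural value.
GDB_SAMPLE = """\
rax            0x1f                31
rbx            0x7ffff7dd7000      140737351872512
rcx            0x0                 0
r8             0xffffffffffffffff  -1
r15            0x0                 0
rip            0x4000b9            0x4000b9 <_start+185>
eflags         0x246               [ IF ZF PF ]
"""

# The 14 general-purpose registers the challenge asks for (rip/rsp/rbp/flags excluded).
WANTED = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi'] + ['r%d' % i for i in range(8, 16)]

REG_LINE = re.compile(r'^(?P<name>[a-z0-9]+)\s+(?P<hex>0x[0-9a-f]+)\b', re.M)

def parse_challenge(text):
    """Return ({reg: hex}, byte_count) from the server banner."""
    regs = dict(re.findall(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)$', text, re.M))
    m = re.search(r'(\d+) bytes:', text)
    return regs, (int(m.group(1)) if m else 0)

def build_prologue(regs):
    """One 'mov reg, imm' per given register to load the initial state (NASM syntax)."""
    return ['mov %s, %s' % (r, regs[r]) for r in WANTED if r in regs]

def parse_gdb_registers(text):
    """Anchor on the register name at column 0 and take the hex column, instead of a
    fixed split index; rip, eflags and segment registers are skipped via WANTED."""
    return {m.group('name'): m.group('hex')
            for m in REG_LINE.finditer(text) if m.group('name') in WANTED}

def format_reply(final_regs):
    """Serialise the final state in the same 'reg=0x...' format the server sent."""
    return '\n'.join('%s=%s' % (r, final_regs[r]) for r in WANTED if r in final_regs) + '\n'
```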