Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
Related news
- Growth Hacker Tools
- Pentest Tools For Android
- Hacking Tools 2019
- Easy Hack Tools
- Pentest Tools Alternative
- Hack Apps
- Hacker Tools
- Hack Rom Tools
- Hacking Tools Download
- Hacker Search Tools
- Hacker Tools Github
- Hacker Tools For Ios
- Hacker Tools Github
- Hacking Tools For Mac
- Pentest Tools Find Subdomains
- Hacking Tools 2019
- Ethical Hacker Tools
- Hacker Tools For Windows
- Hacker Tools Online
- Pentest Tools Free
- Github Hacking Tools
- Nsa Hack Tools
- Underground Hacker Sites
- Hacking Tools And Software
- Hack Tools
- Nsa Hack Tools
- Hacker Tools 2019
- Hacking Tools Free Download
- Pentest Tools Nmap
- Hacker Tools For Pc
- Hacking Tools Windows
- Hacker Tools Linux
- Underground Hacker Sites
- Hacking Tools For Mac
- Hacking Tools 2020
- Hacking Tools Usb
- Kik Hack Tools
- Pentest Tools List
- How To Install Pentest Tools In Ubuntu
- Hack Tools For Windows
- Hacking Tools Windows 10
- Physical Pentest Tools
- Pentest Tools Website Vulnerability
- Beginner Hacker Tools
- Hacker
- Pentest Tools Github
- Pentest Tools Review
- Termux Hacking Tools 2019
- Hacking Tools Github
- Hacker Tools Apk Download
- Hacking Tools For Beginners
- Hacker Tools Linux
- Hacking Tools For Mac
- Blackhat Hacker Tools
- Hacker Tools Hardware
- Hacking Tools Usb
- Easy Hack Tools
- Pentest Tools For Android
- What Is Hacking Tools
- Pentest Reporting Tools
- Growth Hacker Tools
- Underground Hacker Sites
- Physical Pentest Tools
- Hack Tool Apk No Root
- Hacking Tools For Beginners
- Hack Tools
- Hacker Tools Apk
- Pentest Box Tools Download
- How To Make Hacking Tools
- Pentest Tools For Windows
- Hacker Tools 2019
- Pentest Tools For Ubuntu
No hay comentarios:
Publicar un comentario