Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
Related articles
- Best Hacking Tools 2019
- Hacker Tools
- How To Install Pentest Tools In Ubuntu
- Hacking Tools 2019
- Pentest Tools Kali Linux
- Pentest Tools Free
- Hack Tools For Pc
- Growth Hacker Tools
- Pentest Tools Kali Linux
- Hacker Hardware Tools
- Hack Tools
- Top Pentest Tools
- Hacking App
- Hacking Tools Name
- Hack Tools Github
- Hack Tool Apk No Root
- Hacker Tools 2020
- Hacker
- Hack Tools Mac
- Pentest Reporting Tools
- Pentest Tools List
- New Hack Tools
- Android Hack Tools Github
- Hacker Tools Apk Download
- Hacker
- Hacker Tools For Pc
- Hacker Tools Windows
- Pentest Box Tools Download
- Hacker Tools List
- Hacking Tools 2020
- Hacking Tools For Mac
- Pentest Recon Tools
- Hacker Tools Free
- Hackers Toolbox
- Hack Tools For Pc
- Pentest Tools Github
- What Are Hacking Tools
- Pentest Tools Subdomain
- Pentest Box Tools Download
- Hack Tools Pc
- Pentest Tools Android
- Pentest Tools Port Scanner
- Hacker Tools Free Download
- Hack Tools Online
- Pentest Tools Online
- Underground Hacker Sites
- Hack Tools 2019
- Hacking Tools Windows 10
- Best Hacking Tools 2020
- Hacking Tools Pc
- Hacking Tools Free Download
- Hacker Tools For Ios
- Hacking Tools Free Download
- Hacker Tool Kit
- Github Hacking Tools
- Game Hacking
- Hacking Apps
- Hack Tools For Pc
- Bluetooth Hacking Tools Kali
- Github Hacking Tools
- Pentest Tools List
- Hacker Tool Kit
- Hacker Tool Kit
- Pentest Tools Bluekeep
- New Hacker Tools
- Pentest Tools Alternative
- Hacking Tools Usb
- Hacker Tools Windows
No comments:
Post a Comment