Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
Related links
- Hack Website Online Tool
- Hacker
- New Hack Tools
- Hack Website Online Tool
- Hacker Tools For Windows
- Android Hack Tools Github
- Pentest Tools Website
- Hacker Tools 2020
- Hacking Tools For Mac
- Pentest Tools Open Source
- Easy Hack Tools
- Nsa Hacker Tools
- Hacking Tools For Beginners
- Hacks And Tools
- Hack Tool Apk
- Pentest Tools Alternative
- Hacking Tools For Games
- Ethical Hacker Tools
- Hack Tools Mac
- Pentest Tools Linux
- Hacker Tools For Mac
- Hacking Tools Github
- Hack Tools
- Nsa Hack Tools
- Pentest Tools Open Source
- Hacking Tools Windows 10
- Hacker Tools 2020
- What Is Hacking Tools
- Hacker Tools Mac
- Android Hack Tools Github
- Hacker Tools For Pc
- Best Hacking Tools 2020
- Free Pentest Tools For Windows
- Game Hacking
- Pentest Tools Website
- Hack Tools Github
- What Are Hacking Tools
- Pentest Tools Github
- Best Hacking Tools 2019
- Pentest Tools Github
- Hak5 Tools
- Hack Tools Download
- Hacking Tools 2019
- Hacking Tools Software
- Hacking Tools Download
- Hack Tools Github
- Hack And Tools
- Hack Tools Online
- Hacking Tools Name
- Hacking Tools Kit
- Hack Tools Download
- Hacking Tools Windows
- Hacking Tools Name
- Hacking Tools For Windows 7
- Best Hacking Tools 2019
- Wifi Hacker Tools For Windows
- Hack Tools For Windows
- How To Install Pentest Tools In Ubuntu
- Hacking Tools Kit
- Hack Tools Online
- Hacker Tools For Mac
- Hacking Tools Online
- Ethical Hacker Tools
- Hacking Tools For Kali Linux
- Hacking Tools 2020
- Hacks And Tools
- Tools 4 Hack
- Hacker Tool Kit
- Wifi Hacker Tools For Windows
- Pentest Tools Tcp Port Scanner
- Hackrf Tools
- Hacker Tools Software
- How To Install Pentest Tools In Ubuntu
- Pentest Tools Tcp Port Scanner
- Pentest Tools Nmap
- Hacker Tools For Pc
- Hacking Apps
- Pentest Tools Tcp Port Scanner
- Hack Tools Github
- Pentest Tools Find Subdomains
- Install Pentest Tools Ubuntu
- What Is Hacking Tools
- Hacking Tools Windows 10
- Hacking Tools Free Download
- Android Hack Tools Github
- Hacker Tools Hardware
- Pentest Tools For Windows
- Hack Tools For Pc
- Android Hack Tools Github
- Hack Tools
- Hack Tool Apk No Root
- Pentest Tools Find Subdomains
- Hacking Tools For Windows Free Download
- Hack App
- Github Hacking Tools
- Pentest Tools Linux
- Hacker Tools Linux
- Hack Tools Download
- Pentest Tools Nmap
- Pentest Tools Linux
- Pentest Tools Android
- Best Hacking Tools 2020
- Hacking Tools For Pc
- Hacker Tools List
- Hack Apps
- How To Hack
- What Is Hacking Tools
- Ethical Hacker Tools
- Hacking Apps
- Nsa Hack Tools Download
- Best Hacking Tools 2019
- How To Hack
- Hack Rom Tools
- Pentest Tools Online
- Pentest Tools Url Fuzzer
- Hacker Tools List
- Game Hacking
- Hacker Tools For Mac
- Hack Tools For Games
- Hacker Tools Windows
- Install Pentest Tools Ubuntu
- Hacking Tools Software
- Pentest Tools For Mac
- Pentest Tools Tcp Port Scanner
- Blackhat Hacker Tools
- Kik Hack Tools
- Pentest Tools Port Scanner
- Hacker Tools Mac
- Hacker Tools For Windows
- New Hack Tools
- Pentest Tools Windows
- Hacker Search Tools
- Hacking Tools For Games
- Hack Apps
- Hacking Apps
- Hacks And Tools
- Hacking Tools For Windows 7
- Hacking Tools For Mac
- Hacking Tools And Software
- Computer Hacker
- Hacker Tools For Mac
- Hack Tools Mac
- Install Pentest Tools Ubuntu
- Bluetooth Hacking Tools Kali
- Hack Tools Pc
- Hacker Tools Hardware
- Hacking Tools Kit
- Hack Tools Mac
- Hacker Search Tools
- How To Install Pentest Tools In Ubuntu
- Hacker Hardware Tools