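#!/usr/bin/env python3
# DEFCON 2015 : catwestern 1
# author: NULL Life
# https://twitter.com/marceloje
# https://twitter.com/NullLifeTeam
#
# SECURITY NOTE (review): this solver takes raw machine code from a remote
# host, assembles it into a native ELF and executes it on the local machine
# with the caller's privileges and no sandbox.  That is the whole point of
# the challenge, but it also means the remote end (or anyone who can spoof
# or MITM the plaintext TCP session) runs arbitrary code here.  Only run it
# inside a disposable VM or container.
"""Solver for the DEF CON 2015 quals challenge "catwestern".

Protocol as this script understands it (ported from Python 2, logic kept):

1. The server sends an initial register dump headed by a line ending in
   ``State****``, followed by ``reg=value`` lines.
2. It then sends ``... N bytes:`` followed by N raw x86-64 instruction bytes.
3. We build a tiny NASM harness that loads the registers, ``call``s the
   remote bytes, prints the resulting register values, and we send that
   text back to receive the flag.
"""
from __future__ import annotations

import os
import re
import socket
import subprocess
import sys

HOST = "catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me"
PORT = 9999

# Only the tail of the "****Initial Register State****" heading is matched.
REG_MARKER = "State****"
# The raw opcodes follow this marker (plus two separator characters).
OPCODE_MARKER = b" bytes:"

# Harness around the remote code.  `main` calls into `code:` (the remote
# bytes are emitted right after that label, so they are expected to `ret`),
# then prints every register the challenge cares about.  rsi/rdx/rcx/r8/r9
# are passed to printf directly as argument registers; the other seven go
# through the stack, which `add rsp, 56` (7 * 8) drops afterwards.  rax and
# rdi are saved first because `mov rax, 0` / `pop rdi` clobber them.
ASM_HEADER = '''
extern printf
SECTION .data
fmt: db "rsi=0x%llx", 0x0a,"rdx=0x%llx", 0x0a, "rcx=0x%llx", 0x0a, "r8=0x%llx", 0x0a, "r9=0x%llx", 0x0a, "rbx=0x%llx", 0x0a, "r10=0x%llx", 0x0a, "r11=0x%llx", 0x0a, "r12=0x%llx", 0x0a, "r13=0x%llx", 0x0a, "r14=0x%llx", 0x0a, "r15=0x%llx", 0x0a, 0x00
fmt2: db "rdi=0x%llx", 0x0a,"rax=0x%llx", 0x0a, 0x00
section .text
global main
main:
call code
push rax
push rdi
push fmt
pop rdi
mov rax, 0
push r15
push r14
push r13
push r12
push r11
push r10
push rbx
call printf
add rsp, 56
pop rsi
pop rdx
push fmt2
pop rdi
mov rax, 0
call printf
ret
code:
'''


def parse_registers(banner: bytes) -> str:
    """Turn the server's initial register dump into NASM ``mov`` lines.

    Everything after ``State****`` and its newline is taken as ``reg=value``
    lines; each becomes ``mov reg, value``.

    Raises:
        ValueError: if the marker is absent (e.g. a short or partial recv).
            The original sliced from ``find() == -1`` and silently produced
            garbage assembly in that case.
    """
    text = banner.decode("latin-1")
    idx = text.find(REG_MARKER)
    if idx < 0:
        raise ValueError("register-state marker not found in %r" % banner)
    # +1 skips the newline that follows the marker.
    body = text[idx + len(REG_MARKER) + 1:]
    # Every '=' becomes ', ' and every 'r' becomes 'mov r' -- this assumes
    # nothing but `reg=value` lines follow the marker in this read.
    return body.replace("=", ", ").replace("r", "mov r")


def parse_opcodes(message: bytes) -> bytes:
    """Return the raw code bytes that follow ``... bytes:`` in *message*.

    Raises:
        ValueError: if the marker is absent.
    """
    idx = message.find(OPCODE_MARKER)
    if idx < 0:
        raise ValueError("opcode marker not found in %r" % message)
    # +2 skips the two separator characters between the marker and the first
    # code byte, exactly as the original solver did.
    return message[idx + len(OPCODE_MARKER) + 2:]


def announced_length(message: bytes) -> int | None:
    """Return the byte count the server announces before ``bytes:``.

    Assumes the marker is preceded by a decimal count ("... N bytes:").
    Returns None when no count is found, in which case callers fall back to
    a single read as the original did.
    """
    m = re.search(rb"(\d+) bytes:", message)
    return int(m.group(1)) if m else None


def build_asm(regs: str, opcodes: bytes) -> str:
    """Return the complete NASM source for the harness.

    Layout: ``ASM_HEADER``, then the ``mov reg, value`` lines, then the
    remote code as one ``db 0xNN`` per byte directly after ``code:``.
    """
    parts = [ASM_HEADER, regs]
    parts.extend("db 0x%02x\n" % b for b in opcodes)
    return "".join(parts)


def assemble_and_run(asm_source: str, workdir: str = ".") -> bytes:
    """Write, assemble, link and execute the harness; return its stdout.

    Files ``p.asm``, ``p.o`` and ``p`` are created in *workdir* (the current
    directory by default, as in the original).  nasm/gcc failures raise
    ``subprocess.CalledProcessError`` instead of running a stale ``./p``.

    NOTE(review): on toolchains that default to PIE the link may reject
    ``push fmt`` (absolute address in a PIE object); ``-no-pie`` fixes that
    where gcc supports it.
    """
    asm_path = os.path.join(workdir, "p.asm")
    obj_path = os.path.join(workdir, "p.o")
    bin_path = os.path.join(workdir, "p")

    with open(asm_path, "w", encoding="latin-1") as f:
        f.write(asm_source)

    subprocess.run(["nasm", "-f", "elf64", "-o", obj_path, asm_path], check=True)
    subprocess.run(["gcc", "-o", bin_path, obj_path], check=True)

    # This executes the remote-supplied bytes natively -- see header note.
    proc = subprocess.run([bin_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    if proc.returncode != 0:
        # Best effort: still hand back whatever was printed, but say so.
        sys.stderr.write(
            "warning: harness exited with %d: %r\n" % (proc.returncode, proc.stderr)
        )
    return proc.stdout


def main() -> int:
    """Talk to the challenge server and print its final reply (the flag)."""
    with socket.create_connection((HOST, PORT)) as sock:
        # Message 1: initial register state.
        regs = parse_registers(sock.recv(1024))

        # Message 2: "... N bytes:" + raw code.  TCP does not preserve
        # message boundaries, so keep reading until the announced count is
        # reached when the server tells us one.
        message = sock.recv(1024)
        opcodes = parse_opcodes(message)
        want = announced_length(message)
        while want is not None and len(opcodes) < want:
            more = sock.recv(1024)
            if not more:
                break
            opcodes += more

        output = assemble_and_run(build_asm(regs, opcodes))

        # Send the register dump back and read the verdict / flag.
        sock.sendall(output + b"\n")
        print(sock.recv(1024).decode("latin-1", "replace"))
    return 0


if __name__ == "__main__":
    sys.exit(main())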