Sunday, August 23, 2020

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More information


  1. Hack Tools For Ubuntu
  2. Hack Tools For Windows
  3. Pentest Tools Online
  4. Hacking Tools
  5. Hacker Tools For Ios
  6. Pentest Tools Linux
  7. Hacking Tools For Windows
  8. Best Hacking Tools 2019
  9. Pentest Tools Linux
  10. Pentest Tools For Mac
  11. Hacking Tools 2019
  12. Pentest Tools For Mac
  13. Hacker Tools Online
  14. Hacking Tools Mac
  15. Hackrf Tools
  16. Hack Apps
  17. Hacking Tools For Windows Free Download
  18. Pentest Tools Open Source
  19. Hack Tools
  20. Hacking Tools For Kali Linux
  21. Growth Hacker Tools
  22. Tools Used For Hacking
  23. Best Hacking Tools 2020
  24. Beginner Hacker Tools
  25. Hacking Tools Pc
  26. Hacker Techniques Tools And Incident Handling
  27. Hack Tools Download
  28. Hacking Tools Download
  29. World No 1 Hacker Software
  30. Pentest Tools Website Vulnerability
  31. Hacker Tools 2019
  32. Hacker Tools List
  33. Hacker Tools Windows
  34. Pentest Tools Subdomain
  35. Hacking Tools Software
  36. Nsa Hack Tools Download
  37. Hacker Tools Free Download
  38. Hacker Tools List
  39. Hack Tools
  40. Physical Pentest Tools
  41. Hacking Tools For Beginners
  42. Beginner Hacker Tools
  43. Hacker Tools Apk Download
  44. Hacks And Tools
  45. Hacker Tools List
  46. Hack Tools
  47. How To Install Pentest Tools In Ubuntu
  48. Hackrf Tools
  49. How To Install Pentest Tools In Ubuntu
  50. Beginner Hacker Tools
  51. Pentest Tools Linux
  52. Hacking Tools Name
  53. Hack Apps
  54. Pentest Tools Find Subdomains
  55. Pentest Tools Github
  56. Hacking Tools Mac
  57. Pentest Tools Subdomain
  58. Beginner Hacker Tools
  59. Hacking Tools For Beginners
  60. Pentest Tools Windows
  61. Pentest Recon Tools
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)