Defcon 2015 Coding Skillz 1 Writeup

Posted by iNoticiero on Tuesday, 25 August 2020

On connecting to the service, we receive a dump of the 64-bit CPU registers followed by a blob of binary code, as you can see:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This has to be automated because the server closes the socket after a 10 second timeout.

The solution is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.

In Python we created two dictionaries, one for the initial state and one for the final state:

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject several movs at the beginning to set up the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We assemble the movs followed by the received binary code in 64-bit mode, replacing the final ret instruction with an "int 3" breakpoint (SIGTRAP).
We assemble with nasm like this:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And we use GDB to run the code until the SIGTRAP, then read the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers, send them to the server in the same format, and get the key.


The code:

# Python 2 script. libcookie (Sock) and asm (Capstone wrapper) are the author's
# own helper modules, not standard packages.
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)   # registers still to collect from gdb (14, not a hard-coded 15)

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

# Read the banner up to the "About to send N bytes:" line; the binary code
# follows it and is taken from the tail of the received buffer below.
data = s.readUntil('bytes:')

sz = 0

for r in data.split('\n'):
    # initial state lines look like "rax=0x..."
    for rk in cpuRegs.keys():
        if r.startswith(rk + '='):
            cpuRegs[rk] = r.split('=')[1]

    # "About to send N bytes:" -> N is the fourth word
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# prologue: one mov per register to load the initial state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# append the disassembly of the received code (its final ret becomes an int 3)
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
# os.system waits for each step to finish; os.popen would let ld race nasm
os.system('nasm -f elf64 code.asm')
os.system('ld -o code code.o')

print 'Ejecutando ...'
# run until the int 3 (SIGTRAP), then dump the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    # "i r" lines look like "rax            0x1234    4660": the name column is
    # padded, so split on any whitespace instead of counting spaces
    spl = l.split()
    if len(spl) < 2 or spl[0] not in finalRegs:
        continue
    print 'reg: ',spl[0]
    finalRegs[spl[0]] = spl[1]
    fregs -= 1
    if fregs == 0:
        # all 14 registers collected: reply in the same "reg=value" format
        buff = []
        for k in finalRegs.keys():
            buff.append('%s=%s' % (k,finalRegs[k]))

        print '\n'.join(buff)+'\n'

        print s.readAll()
        s.write('\n'.join(buff)+'\n\n\n')
        print 'waiting flag ....'
        print s.readAll()

        print '----- yeah? -----'
        break

fd.close()
s.close()
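The whole pipeline described above (parse the banner, prepend the movs, swap the final ret for int 3, run to the SIGTRAP under gdb, parse "info registers" and format the reply) as a self-contained Python 3 example. This is added here and is not the author's code: the "reg=value" and "About to send N bytes:" banner format is inferred from the writeup's parser, all sample values (initial registers, the 7-byte program, the gdb output) are constructed, and instead of disassembling with Capstone it emits the received bytes directly with a NASM `db` directive after replacing the trailing 0xC3 (ret) with 0xCC (int 3). The `_start` label and the `gdb -q -batch -ex` invocation are choices made here, not taken from the page.

```python
import os
import re
import shutil
import subprocess
import tempfile

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']


def parse_banner(text):
    """Parse the service banner: 'reg=value' lines plus 'About to send N bytes:'."""
    regs = {}
    size = None
    for line in text.splitlines():
        if '=' in line:
            name, value = line.split('=', 1)
            if name.strip() in REGS:
                regs[name.strip()] = value.strip()
        m = re.search(r'(\d+)\s+bytes', line)
        if m:
            size = int(m.group(1))
    if size is None or len(regs) != len(REGS):
        raise ValueError('banner did not contain the byte count and all 14 registers')
    return regs, size


def build_asm(regs, code):
    """NASM source: one mov per register, then the raw code bytes with ret -> int 3."""
    if not code.endswith(b'\xc3'):
        raise ValueError('expected the received code to end in a near ret (0xc3)')
    body = code[:-1] + b'\xcc'          # int 3 stops the process under gdb (SIGTRAP)
    lines = ['global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    lines.append('    db ' + ', '.join('0x%02x' % b for b in body))
    return '\n'.join(lines) + '\n'


def parse_info_registers(text):
    """Parse gdb 'info registers' output; the name column is padded, so split on whitespace."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            out[parts[0]] = parts[1]            # parts[1] is the hex column
    return out


def format_reply(final):
    """Reply in the same 'reg=value' format the service sent."""
    return ''.join('%s=%s\n' % (r, final[r]) for r in REGS)


def run_under_gdb(asm_text):
    """Assemble, link and run to the int 3 under gdb. Returns the parsed registers,
    or None when nasm/ld/gdb are not installed so the offline demo below still works."""
    if not all(shutil.which(t) for t in ('nasm', 'ld', 'gdb')):
        return None
    d = tempfile.mkdtemp()
    asm, obj, exe = (os.path.join(d, n) for n in ('code.asm', 'code.o', 'code'))
    with open(asm, 'w') as f:
        f.write(asm_text)
    subprocess.run(['nasm', '-f', 'elf64', '-o', obj, asm], check=True)
    subprocess.run(['ld', '-o', exe, obj], check=True)
    res = subprocess.run(['gdb', '-q', '-batch', '-ex', 'run', '-ex', 'info registers', exe],
                         capture_output=True, text=True)
    return parse_info_registers(res.stdout)


# Constructed sample input (not captured from the real service). The 7-byte program
# is: mov rax, rbx ; add rax, rcx ; ret   => rax should end up as rbx + rcx.
SAMPLE_INITIAL = dict(zip(REGS, ['0x%016x' % v for v in
                                 (1, 0x10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)]))
SAMPLE_BANNER = ''.join('%s=%s\n' % kv for kv in SAMPLE_INITIAL.items()) \
    + 'About to send 7 bytes:\n'
SAMPLE_CODE = bytes.fromhex('4889d84801c8c3')

# Constructed gdb output for that run (same shape as a real 'info registers' dump)
SAMPLE_GDB_OUTPUT = (
    'Program received signal SIGTRAP, Trace/breakpoint trap.\n'
    '0x0000000000401077 in ?? ()\n'
    'rax            0x11                17\n'
    'rbx            0x10                16\n'
    'rcx            0x1                 1\n'
    'rdx            0x2                 2\n'
    'rsi            0x3                 3\n'
    'rdi            0x4                 4\n'
    'rbp            0x0                 0x0\n'
    'rsp            0x7ffc0000          0x7ffc0000\n'
    'r8             0x5                 5\n'
    'r9             0x6                 6\n'
    'r10            0x7                 7\n'
    'r11            0x8                 8\n'
    'r12            0x9                 9\n'
    'r13            0xa                 10\n'
    'r14            0xb                 11\n'
    'r15            0xc                 12\n'
    'rip            0x401077            0x401077\n'
    'eflags         0x206               [ PF IF ]\n'
)

if __name__ == '__main__':
    regs, size = parse_banner(SAMPLE_BANNER)
    asm_text = build_asm(regs, SAMPLE_CODE[:size])
    print(asm_text)
    final = run_under_gdb(asm_text) or parse_info_registers(SAMPLE_GDB_OUTPUT)
    print(format_reply(final))
```

Two caveats worth knowing before relying on this approach: it only recognises a program that ends in a plain near ret (0xC3), so a `ret imm16` (0xC2) or a ret that is not the last byte would need a proper disassembly pass; and the snippet runs natively with the process's own stack and memory rather than the service's, so any instruction that reads or writes memory may produce register values that differ from what the service expects.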




