Saturday, 3 June 2023

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Continue reading


  1. Hacking Tools Download
  2. Pentest Box Tools Download
  3. Hacking Tools Name
  4. Hacker Tools Linux
  5. Hacking Tools For Games
  6. Hack Tools
  7. Hacking Tools For Windows 7
  8. Hacking Tools
  9. How To Install Pentest Tools In Ubuntu
  10. Hack Website Online Tool
  11. Pentest Tools Github
  12. Hacker Tools Online
  13. Hacker Tools For Ios
  14. Hacking Tools For Beginners
  15. Black Hat Hacker Tools
  16. Hacking Tools Kit
  17. How To Hack
  18. Hack Tools For Ubuntu
  19. Pentest Tools Url Fuzzer
  20. Hack Tools Download
  21. Hacking Tools 2020
  22. Pentest Tools Free
  23. Hacker Tools For Ios
  24. Hacks And Tools
  25. Pentest Reporting Tools
  26. World No 1 Hacker Software
  27. Pentest Tools Kali Linux
  28. Hack Tools
  29. Hacker Tools 2019
  30. Hacker Tools Apk Download
  31. Bluetooth Hacking Tools Kali
  32. Hacker Tools Hardware
  33. Github Hacking Tools
  34. Hacking Tools Hardware
  35. Termux Hacking Tools 2019
  36. Kik Hack Tools
  37. Hack Tools Mac
  38. Nsa Hacker Tools
  39. Hacker Techniques Tools And Incident Handling
  40. Nsa Hack Tools Download
  41. Hacker Tools Apk Download
  42. Hacker Techniques Tools And Incident Handling
  43. Hacker Tools For Windows
  44. Pentest Reporting Tools
  45. Pentest Tools Free
  46. Pentest Tools For Ubuntu
  47. Pentest Tools Online
  48. Hacking Tools For Beginners
  49. Hacker Tools For Ios
  50. New Hack Tools
  51. Hacker Tools Hardware
  52. Pentest Tools List
  53. Free Pentest Tools For Windows
  54. Growth Hacker Tools
  55. Hack App
  56. Pentest Tools Nmap
  57. Hack And Tools
  58. Pentest Automation Tools
  59. Hacking Tools Software
  60. Hacking Tools Github
  61. Hacker Tools For Mac
  62. Easy Hack Tools
  63. Hack App
  64. Hacker Search Tools
  65. Bluetooth Hacking Tools Kali
  66. Termux Hacking Tools 2019
  67. Hacking Tools For Windows Free Download
  68. Wifi Hacker Tools For Windows
  69. Hack Tools
  70. Hacker Tools Free
  71. Pentest Recon Tools
  72. Pentest Tools Open Source
  73. Hacker Tools Free
  74. Pentest Tools List
  75. Pentest Tools Subdomain
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)