2023. május 29., hétfő

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Continue reading


  1. Hacker Tools
  2. Nsa Hack Tools
  3. Pentest Tools Review
  4. Hacking Tools 2019
  5. Hack Tools Mac
  6. Beginner Hacker Tools
  7. Github Hacking Tools
  8. Hacking Tools For Windows
  9. Hack Tools Online
  10. Pentest Tools Apk
  11. Hack Tools 2019
  12. Hack Tools Pc
  13. World No 1 Hacker Software
  14. Hacker Tools Mac
  15. Pentest Tools For Ubuntu
  16. Hacker Tools Mac
  17. Hacker Security Tools
  18. What Are Hacking Tools
  19. Best Hacking Tools 2020
  20. Hack Tools For Pc
  21. Pentest Tools For Windows
  22. New Hacker Tools
  23. Top Pentest Tools
  24. Hacking Tools For Pc
  25. Hacker Tools 2020
  26. Hack Tools
  27. Hacker Tools Online
  28. Hacker Tools Linux
  29. Hacking Tools For Pc
  30. Hacker Tools For Windows
  31. Pentest Tools
  32. Best Hacking Tools 2020
  33. Hacking Tools Windows
  34. Hacking Tools Usb
  35. How To Make Hacking Tools
  36. Hacker Tools Hardware
  37. Hacker Tools Free
  38. Hacker Tools
  39. Hack Tools 2019
  40. Nsa Hack Tools Download
  41. Game Hacking
  42. Pentest Tools Open Source
  43. Hack Tools For Games
  44. Pentest Tools For Android
  45. Pentest Tools Find Subdomains
  46. Hack Rom Tools
  47. Hacker Tools
  48. Nsa Hack Tools Download
  49. Hacker Security Tools
  50. Hack Tools Pc
  51. Hack Tools For Pc
  52. Android Hack Tools Github
  53. Best Hacking Tools 2019
  54. Hacker Tools Github
  55. Pentest Recon Tools
  56. Hack Tools
  57. Pentest Tools Free
  58. Pentest Tools List
  59. Hacker
  60. Hacking Tools Windows 10
  61. Hacker Tools For Mac
  62. Hackrf Tools
  63. Github Hacking Tools
  64. Hacker Tools Free
  65. Pentest Tools Download
  66. What Is Hacking Tools
  67. Pentest Tools Free
  68. Hack Tools Download
Bejegyezte: dátum:

Nincsenek megjegyzések:

Megjegyzés küldése

Feliratkozás: Megjegyzések küldése (Atom)