Tuesday, May 30, 2023

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More information


  1. Hacking Tools Online
  2. Pentest Tools Website Vulnerability
  3. Pentest Box Tools Download
  4. Hacking Tools Mac
  5. Pentest Tools Online
  6. Hacking Tools For Windows Free Download
  7. Pentest Tools For Android
  8. Hacker Tools For Windows
  9. Hacking Tools Download
  10. Pentest Tools Online
  11. Pentest Tools For Android
  12. Hack Tools For Ubuntu
  13. Hack App
  14. Pentest Tools Windows
  15. Hacker Tools Windows
  16. Hackrf Tools
  17. Hacker Tools Windows
  18. Best Pentesting Tools 2018
  19. Pentest Tools Website
  20. Hack Tools Mac
  21. Ethical Hacker Tools
  22. Hacking App
  23. Hacking Tools Download
  24. Pentest Reporting Tools
  25. Beginner Hacker Tools
  26. Pentest Tools Website Vulnerability
  27. Game Hacking
  28. Best Hacking Tools 2019
  29. Pentest Tools Nmap
  30. Hacker Search Tools
  31. New Hack Tools
  32. Pentest Tools List
  33. Kik Hack Tools
  34. Hack Tool Apk No Root
  35. Blackhat Hacker Tools
  36. Hacking Tools Software
  37. Hak5 Tools
  38. Hacking Tools Windows
  39. Hacking Tools Name
  40. Hacking Tools Github
  41. Hacking Tools Hardware
  42. Black Hat Hacker Tools
  43. Hacker Tools List
  44. Hacking Tools For Kali Linux
  45. Game Hacking
  46. Android Hack Tools Github
  47. Best Hacking Tools 2019
  48. Tools 4 Hack
  49. Hackrf Tools
  50. Hack Tools Download
  51. Physical Pentest Tools
  52. Hacking Tools Online
  53. Hacking Tools Hardware
  54. Hack Tools Github
  55. Pentest Automation Tools
  56. Easy Hack Tools
  57. Hack Rom Tools
Posted by Saiful at 10:25 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)