Tuesday, May 30, 2023

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Related articles


  1. Best Hacking Tools 2019
  2. Hacker Tools
  3. How To Install Pentest Tools In Ubuntu
  4. Hacking Tools 2019
  5. Pentest Tools Kali Linux
  6. Pentest Tools Free
  7. Hack Tools For Pc
  8. Growth Hacker Tools
  9. Pentest Tools Kali Linux
  10. Hacker Hardware Tools
  11. Hack Tools
  12. Top Pentest Tools
  13. Hacking App
  14. Hacking Tools Name
  15. Hack Tools Github
  16. Hack Tool Apk No Root
  17. Hacker Tools 2020
  18. Hacker
  19. Hack Tools Mac
  20. Pentest Reporting Tools
  21. Pentest Tools List
  22. New Hack Tools
  23. Android Hack Tools Github
  24. Hacker Tools Apk Download
  25. Hacker
  26. Hacker Tools For Pc
  27. Hacker Tools Windows
  28. Pentest Box Tools Download
  29. Hacker Tools List
  30. Hacking Tools 2020
  31. Hacking Tools For Mac
  32. Pentest Recon Tools
  33. Hacker Tools Free
  34. Hackers Toolbox
  35. Hack Tools For Pc
  36. Pentest Tools Github
  37. What Are Hacking Tools
  38. Pentest Tools Subdomain
  39. Pentest Box Tools Download
  40. Hack Tools Pc
  41. Pentest Tools Android
  42. Pentest Tools Port Scanner
  43. Hacker Tools Free Download
  44. Hack Tools Online
  45. Pentest Tools Online
  46. Underground Hacker Sites
  47. Hack Tools 2019
  48. Hacking Tools Windows 10
  49. Best Hacking Tools 2020
  50. Hacking Tools Pc
  51. Hacking Tools Free Download
  52. Hacker Tools For Ios
  53. Hacking Tools Free Download
  54. Hacker Tool Kit
  55. Github Hacking Tools
  56. Game Hacking
  57. Hacking Apps
  58. Hack Tools For Pc
  59. Bluetooth Hacking Tools Kali
  60. Github Hacking Tools
  61. Pentest Tools List
  62. Hacker Tool Kit
  63. Hacker Tool Kit
  64. Pentest Tools Bluekeep
  65. New Hacker Tools
  66. Pentest Tools Alternative
  67. Hacking Tools Usb
  68. Hacker Tools Windows
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)