Saturday, January 27, 2024

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More information
  1. Hacking App
  2. Hack Tools For Games
  3. Hacking Tools Online
  4. Pentest Tools Android
  5. Free Pentest Tools For Windows
  6. Hacker Tools Github
  7. Hacker Tools For Ios
  8. Nsa Hacker Tools
  9. Hack Tools For Windows
  10. Hacker Tools Apk
  11. Hack Tools Pc
  12. Hacking Tools For Mac
  13. Pentest Tools Linux
  14. Hacker Tools Apk
  15. Tools Used For Hacking
  16. Hacker Tools 2019
  17. Pentest Box Tools Download
  18. Pentest Tools For Android
  19. Hacking Tools 2020
  20. Hack Rom Tools
  21. Hacker Tools 2019
  22. Hack Tools Download
  23. Free Pentest Tools For Windows
  24. Hacking Tools Free Download
  25. Physical Pentest Tools
  26. Hak5 Tools
  27. Hacker Tools Free Download
  28. Hacker Hardware Tools
  29. Pentest Tools
  30. Pentest Tools
  31. Bluetooth Hacking Tools Kali
  32. Hacks And Tools
  33. Ethical Hacker Tools
  34. Hacker Tools Windows
  35. New Hack Tools
  36. Hacking Tools Online
  37. Hacking Tools
  38. Hack Tools For Mac
  39. Hacker Tools 2020
  40. Hacking Tools For Beginners
  41. New Hack Tools
  42. Github Hacking Tools
  43. Hacking Tools Windows
  44. Pentest Tools Alternative
  45. Hack Tools
  46. Hack Tools
  47. New Hack Tools
  48. Hacker Tools Github
  49. Android Hack Tools Github
  50. Pentest Tools Alternative
  51. Best Pentesting Tools 2018
  52. Hacker Tools For Pc
  53. Hacker Tools Mac
  54. Free Pentest Tools For Windows
  55. Pentest Tools
  56. How To Hack
  57. Hacking Tools For Windows Free Download
  58. Pentest Tools Free
  59. Hacker Tools Linux
  60. Pentest Tools For Mac
  61. Hack Tools For Games
  62. Hacking Tools And Software
  63. How To Hack
  64. Hacking Tools Windows 10
  65. Hack Tools For Pc
  66. Hacking Tools Free Download
  67. Tools For Hacker
  68. Hacking Tools Free Download
  69. Install Pentest Tools Ubuntu
  70. Hacker Tools Hardware
  71. Pentest Tools Github
  72. Ethical Hacker Tools
  73. Hacker Tools Online
  74. How To Make Hacking Tools
  75. Best Pentesting Tools 2018
  76. Hack App
  77. Hacker Tools
  78. Hacking Tools
  79. Pentest Tools Apk
  80. Hacking Tools For Games
  81. Hacking Tools Download
  82. Hacker Hardware Tools
  83. Hack Website Online Tool
  84. Best Hacking Tools 2020
  85. Free Pentest Tools For Windows
  86. How To Make Hacking Tools
  87. Hack Apps
  88. Hacks And Tools
  89. Tools 4 Hack
  90. Best Hacking Tools 2020
  91. Hacking Tools Free Download
  92. Hacking Tools Online
  93. Hack Tools
  94. Pentest Tools Linux
  95. Hacking Tools Hardware
  96. Hacking Tools Hardware
  97. Pentest Tools For Mac
  98. Best Hacking Tools 2020
  99. Hacking Tools For Kali Linux
  100. Pentest Tools Apk
  101. Pentest Tools For Windows
  102. Hack Tools 2019
  103. Hacker Tools For Pc
  104. Hack Tools Pc
  105. Hacking Tools 2020
  106. Hackers Toolbox
  107. Pentest Tools
  108. Hackrf Tools
  109. Ethical Hacker Tools
  110. What Are Hacking Tools
  111. New Hack Tools
  112. Hacking Tools Name
  113. Hacking Tools For Beginners
  114. Hack Tool Apk

No comments:

Post a Comment