Defcon 2015 Coding Skillz 1 Writeup
Friday, May 26, 2023
Just by connecting to the service, a 64-bit CPU register dump is received, followed by a blob of binary code, as you can see:
The registers represent an initial CPU state, and we have to reply with the registers that result from executing the binary code. This must be automated because of the 10 second server socket timeout.
The exploit is quite simple: we have to set the CPU registers to these values, execute the code and get the resulting registers.
In Python we created two structures, one for the initial state and one for the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
Then comes the 64-bit assembly of the movs plus the received binary code, but with the last ret instruction replaced by an "int 3" so that execution stops with a SIGTRAP right after the code has run.
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And we use GDB to execute the code until the SIGTRAP, and then get the registers:
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers and send them to the server in the same format, and we got the key.
The code:
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state received from the service, and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()

sz = 0

# parse the "reg=value" lines and the announced size of the binary code
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])

binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# mov prologue that loads the initial register state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()

# append the disassembly of the received code (last ret becomes int 3)
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

# pick each register value out of the "info registers" output
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l

            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'
                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()
                print '----- yeah? -----'
                s.close()

fd.close()
s.close()
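As an added example (not the writeup's own code, and not using its libcookie/asm helpers), here is the same pipeline split into functions that can be tested offline: parsing the "reg=value" dump, emitting the mov prologue and swapping the final ret for int3, parsing gdb's "info registers" output by whole token instead of substring, and formatting the reply. The service's exact wording, the disassembly body, the gdb output sample and the run_under_gdb helper are all constructed or hypothetical; only the reg=value format and the nasm/ld/gdb steps come from the writeup.

```python
import re
import subprocess

# The 14 general-purpose registers the challenge exchanges, in reply order
# (rbp/rsp are not part of the exchange).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample of the initial-state dump ("reg=value" lines) with a
# trailing size line; the real service's wording is not reproduced here.
SAMPLE_DUMP = ''.join('%s=0x%x\n' % (r, i + 1) for i, r in enumerate(REGS)) \
    + 'About to send 3 bytes:\n'

# Constructed disassembly of the received code as nasm source, ending in ret.
SAMPLE_BODY = ['add rax, rbx', 'xor rcx, rcx', 'ret']

# Constructed gdb "info registers" output captured after the int3 fires.
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGTRAP, Trace/breakpoint trap.
0x0000000000401010 in _start ()
rax            0x3                 3
rbx            0x2                 2
rcx            0x0                 0
rdx            0x4                 4
rsi            0x5                 5
rdi            0x6                 6
rbp            0x0                 0x0
rsp            0x7fffffffe3a0      0x7fffffffe3a0
r8             0x7                 7
r9             0x8                 8
r10            0x9                 9
r11            0xa                 10
r12            0xb                 11
r13            0xc                 12
r14            0xd                 13
r15            0xe                 14
rip            0x401010            0x401010 <_start+16>
eflags         0x246               [ IF ZF PF ]
cs             0x33                51
"""

DUMP_RE = re.compile(r'^(r\w+)=(0x[0-9a-fA-F]+)\s*$')
GDB_RE = re.compile(r'^(\w+)\s+(0x[0-9a-fA-F]+)\b')


def parse_dump(text):
    """Initial CPU state from the service: {reg: hex string}, known regs only."""
    regs = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    return regs


def build_asm(regs, body):
    """nasm source: a mov prologue loading the initial state, then the received
    code with its last ret replaced by int3 so gdb stops right after it."""
    lines = ['bits 64', 'global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS if r in regs]
    body = list(body)
    for i in range(len(body) - 1, -1, -1):
        if body[i].strip() == 'ret':
            body[i] = 'int3'
            break
    lines += ['    ' + ins for ins in body]
    return '\n'.join(lines) + '\n'


def parse_info_registers(output):
    """Final state from gdb's "info registers": the register name must be the
    whole first token, so rip/eflags/rbp/rsp and the banner lines are skipped."""
    regs = {}
    for line in output.splitlines():
        m = GDB_RE.match(line)
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    return regs


def format_reply(regs):
    """Reply in the same reg=value format the service used."""
    return ''.join('%s=%s\n' % (r, regs[r]) for r in REGS if r in regs)


def run_under_gdb(asm_path='code.asm', exe='code', timeout=5):
    """Hypothetical helper: assemble, link and run until the int3, returning
    gdb's output. Needs nasm, ld and gdb on the host; not run by the test."""
    subprocess.run(['nasm', '-f', 'elf64', '-o', exe + '.o', asm_path], check=True)
    subprocess.run(['ld', '-o', exe, exe + '.o'], check=True)
    res = subprocess.run(['gdb', '-batch', '-ex', 'run', '-ex', 'info registers',
                          './' + exe], capture_output=True, text=True, timeout=timeout)
    return res.stdout


if __name__ == '__main__':
    initial = parse_dump(SAMPLE_DUMP)
    print(build_asm(initial, SAMPLE_BODY))
    print(format_reply(parse_info_registers(SAMPLE_GDB_OUTPUT)))
```

Matching the register name as the whole first token matters because gdb's listing also contains rip, rbp, rsp and segment registers, and a plain substring test or a fixed split index (as in the script above) breaks as soon as the column width changes.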