Defcon 2015 Coding Skillz 1 Writeup

Posted by Informasi Pekerjaan Friday, May 26, 2023 0 comments
Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More info


  1. Pentest Tools Tcp Port Scanner
  2. Hack Tool Apk
  3. Hacking App
  4. Pentest Tools For Mac
  5. Hacker Security Tools
  6. Hack Tool Apk
  7. Hacking Tools For Windows
  8. Hacker Tools Mac
  9. Hak5 Tools
  10. Easy Hack Tools
  11. Pentest Recon Tools
  12. Tools For Hacker
  13. Best Hacking Tools 2020
  14. Hacking Tools Software
  15. Hacking Tools Name
  16. Hack Rom Tools
  17. Pentest Tools For Windows
  18. Pentest Tools Bluekeep
  19. Hacker Search Tools
  20. Hacker Tools 2019
  21. Hacking Tools For Pc
  22. Best Pentesting Tools 2018
  23. Pentest Tools Download
  24. Hacking Tools 2019
  25. Hacker Tools 2020
  26. Pentest Recon Tools
  27. Hacking Tools Mac
  28. Hacker Search Tools
  29. Hacker Tools Github
  30. Pentest Tools Framework
  31. Hacks And Tools
  32. Hacks And Tools
  33. Pentest Box Tools Download
  34. Nsa Hack Tools
  35. Pentest Tools Nmap
  36. Hackers Toolbox
  37. Hack App
  38. Kik Hack Tools
  39. Hak5 Tools
  40. Hacker Tools Github
  41. Pentest Tools Bluekeep
  42. Hacker Tool Kit
  43. Hacker Tools Linux
  44. Pentest Tools Port Scanner
  45. Hack Tools
  46. Hack Rom Tools
  47. What Is Hacking Tools
  48. Hacker Tools Online
  49. Hacker Tools Mac
  50. Pentest Tools Free
  51. Hacker Tools For Pc
  52. Hacking Tools Windows 10
  53. Pentest Tools Kali Linux
  54. Pentest Tools Free
  55. Hack Tools For Games
  56. Hacker Tools Online
  57. Github Hacking Tools
  58. Hacker Tools Windows
  59. Underground Hacker Sites
  60. Tools For Hacker
  61. Hacking Tools Online
  62. Hacker Tools Software
  63. Pentest Tools Android
  64. Hack App
  65. Hack Tools Github
  66. Pentest Tools Port Scanner
  67. Pentest Tools For Mac
  68. Hacker Security Tools
  69. Blackhat Hacker Tools
  70. Hack Tools For Mac
  71. New Hack Tools
  72. Hacking Tools Software
  73. Hack Tools Pc
  74. Pentest Tools Nmap
  75. Hacking Tools Hardware
  76. Hacker Tools Apk
  77. Hacking Tools Online
  78. What Is Hacking Tools
  79. Hacking Tools Windows 10
  80. Hacking Tools Github
  81. Growth Hacker Tools
  82. Hacker Security Tools
  83. Hack Tools Download
  84. Hacker Tool Kit
  85. Hacking Tools Name
  86. Hacking Tools Download
  87. Hack Rom Tools
  88. Hacker Search Tools
  89. Install Pentest Tools Ubuntu
  90. Hacking Tools For Pc
  91. Hacker Tools For Windows
  92. Hacker Tools Software
  93. Best Hacking Tools 2020
  94. Hacking Tools For Windows Free Download
  95. Hacking Tools For Windows 7
  96. Pentest Tools Kali Linux
  97. Android Hack Tools Github
  98. Pentest Tools Open Source
  99. Physical Pentest Tools
  100. Best Hacking Tools 2020
  101. Free Pentest Tools For Windows
  102. Hack Tools
  103. Hack Tools For Pc
  104. Pentest Tools Online
  105. Hack Apps
  106. Hacker Tools Apk Download
  107. Github Hacking Tools
  108. How To Install Pentest Tools In Ubuntu
  109. Tools For Hacker
  110. Hacker Tools List
  111. Blackhat Hacker Tools
  112. Hackers Toolbox
  113. Hacking Tools
  114. Pentest Tools Find Subdomains
  115. Pentest Tools Open Source
  116. Hackers Toolbox
  117. Hacking Tools Download
  118. Hacking Apps
  119. Hacker Tools Software
  120. Hacker Tools List
  121. What Are Hacking Tools
  122. Hacking Tools Free Download
  123. Hacker Tools Free Download
  124. Hack Tools Mac
  125. Kik Hack Tools
  126. Hacking Tools Windows
  127. Pentest Tools Bluekeep
  128. Hacker Tools For Mac
  129. What Is Hacking Tools
  130. Hacking Tools And Software
  131. Easy Hack Tools
  132. Pentest Tools Free
  133. Android Hack Tools Github
  134. Pentest Tools Apk
  135. Pentest Tools Website


Anda sedang membaca artikel tentang Defcon 2015 Coding Skillz 1 Writeup dan anda bisa menemukan artikel Defcon 2015 Coding Skillz 1 Writeup ini dengan url http://hobi-kesenangan.blogspot.com/2023/05/defcon-2015-coding-skillz-1-writeup.html?m=0,anda boleh menyebar luaskannya atau mengcopy paste-nya jika artikel Defcon 2015 Coding Skillz 1 Writeup ini sangat bermanfaat bagi teman-teman anda,namun jangan lupa untuk meletakkan link Defcon 2015 Coding Skillz 1 Writeup sebagai sumbernya.

Silahkan sobat tinggalkan komentar jika dirasa ada informasi yang sobat butuhkan

0 comments:

Post a Comment

vivanews.com

nines cantik