Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

Read more

1. Hacking App
2. Hacker Security Tools
3. Hack Website Online Tool
4. Pentest Tools Website Vulnerability
5. Hacker Tools 2020
6. Underground Hacker Sites
7. Hacker Tools 2020
8. Hacking Tools Name
9. Hack Tools Online
10. Hacking Tools Windows 10
11. Hack Tools Github
12. Hack Tool Apk No Root
13. Hack App
14. Pentest Tools For Ubuntu
15. Hacker Tool Kit
16. Tools 4 Hack
17. Pentest Tools For Mac
18. World No 1 Hacker Software
19. Ethical Hacker Tools
20. Hack Tools For Games
21. Pentest Tools Framework
22. Hacking Tools For Games
23. Pentest Tools Framework
24. Hacker
25. Best Hacking Tools 2020
26. Pentest Tools Tcp Port Scanner
27. Pentest Tools Github
28. Pentest Tools Github
29. Hack Tools Mac
30. Hacker Tools For Pc
31. Hack Tools For Pc
32. Hacker Tools Free Download
33. Pentest Tools Review
34. Hacking App
35. Pentest Tools Download
36. Computer Hacker
37. Hacking Tools For Windows
38. Hacks And Tools
39. Usb Pentest Tools
40. Underground Hacker Sites
41. Pentest Tools Linux
42. Hack App
43. Hacking Tools Free Download
44. Hack App
45. How To Make Hacking Tools
46. Hacking Tools
47. Hacking Tools For Kali Linux
48. Hacker Tools Windows
49. Hack Rom Tools
50. Termux Hacking Tools 2019
51. Hacker Tools For Windows
52. Pentest Tools Url Fuzzer
53. Hacker Techniques Tools And Incident Handling
54. How To Make Hacking Tools
55. Hacking Tools For Pc
56. Pentest Tools Kali Linux
57. Blackhat Hacker Tools
58. Pentest Tools Apk
59. Bluetooth Hacking Tools Kali
60. Hacking Tools Free Download
61. World No 1 Hacker Software
62. Pentest Tools Nmap
63. Hak5 Tools
64. Hacker Security Tools
65. Growth Hacker Tools
66. Hacker Tools For Ios
67. Hacker Tools Apk Download
68. Top Pentest Tools
69. Hacker Tools Online
70. Hack Tools
71. Hacking Tools For Games
72. Physical Pentest Tools
73. Pentest Tools Tcp Port Scanner
74. Hack Tools 2019
75. Hacker Tools Hardware
76. Hacking Tools Kit
77. Easy Hack Tools
78. Pentest Automation Tools
79. Pentest Tools Android
80. Top Pentest Tools
81. Hacker Tools 2019
82. Hacking Tools For Windows Free Download
83. New Hack Tools
84. Pentest Tools Free
85. Beginner Hacker Tools
86. Hack Tools For Windows
87. Free Pentest Tools For Windows
88. Hacker Tools Apk Download
89. Hack Tools For Ubuntu
90. Hacking Tools 2020
91. Tools For Hacker
92. Ethical Hacker Tools
93. Underground Hacker Sites
94. Hacks And Tools
95. Hack Tools
96. Easy Hack Tools
97. Pentest Tools Online
98. Hacker Tools Online
99. Hack Tools For Ubuntu
100. Pentest Tools Framework
101. Hack And Tools
102. Hacking Tools Github
103. Hack Tools For Windows
104. Hackers Toolbox
105. Hacker Tools
106. Hacking Tools Kit
107. Easy Hack Tools
108. Hacking Apps
109. Install Pentest Tools Ubuntu
110. How To Make Hacking Tools
111. Hacking Tools And Software
112. Hacker Tools Apk Download
113. Usb Pentest Tools
114. Nsa Hack Tools Download
115. Hack Tools Github
116. Usb Pentest Tools
117. Hacker
118. Tools Used For Hacking
119. Hack Tools For Windows
120. Hacker Tools Mac
121. World No 1 Hacker Software
122. Hak5 Tools
123. Hacker Tools Free
124. Pentest Tools Android
125. Hack Website Online Tool
126. Pentest Tools Tcp Port Scanner
127. Hacking Tools Online
128. Pentest Tools Windows
129. Hacker Hardware Tools
130. Hack Tools For Mac
131. Kik Hack Tools
132. Pentest Tools For Windows
133. Hacking Tools For Windows Free Download
134. Hacker Tools For Pc
135. Pentest Tools
136. Hacking Tools And Software
137. Hacker Techniques Tools And Incident Handling
138. Hack Rom Tools
139. Hack Tools 2019
140. Hack Tools Mac
141. Hacking App
142. Hack Tools Github
143. Beginner Hacker Tools
144. Hacking Tools 2020
145. Hacking Tools Name
146. How To Hack
147. Pentest Automation Tools
148. Hacker Tools Github
149. Hacking Tools For Windows Free Download
150. Hacking Tools Hardware
151. Black Hat Hacker Tools