Friday, June 02, 2023

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Read more
  1. Hacking App
  2. Hacker Security Tools
  3. Hack Website Online Tool
  4. Pentest Tools Website Vulnerability
  5. Hacker Tools 2020
  6. Underground Hacker Sites
  7. Hacker Tools 2020
  8. Hacking Tools Name
  9. Hack Tools Online
  10. Hacking Tools Windows 10
  11. Hack Tools Github
  12. Hack Tool Apk No Root
  13. Hack App
  14. Pentest Tools For Ubuntu
  15. Hacker Tool Kit
  16. Tools 4 Hack
  17. Pentest Tools For Mac
  18. World No 1 Hacker Software
  19. Ethical Hacker Tools
  20. Hack Tools For Games
  21. Pentest Tools Framework
  22. Hacking Tools For Games
  23. Pentest Tools Framework
  24. Hacker
  25. Best Hacking Tools 2020
  26. Pentest Tools Tcp Port Scanner
  27. Pentest Tools Github
  28. Pentest Tools Github
  29. Hack Tools Mac
  30. Hacker Tools For Pc
  31. Hack Tools For Pc
  32. Hacker Tools Free Download
  33. Pentest Tools Review
  34. Hacking App
  35. Pentest Tools Download
  36. Computer Hacker
  37. Hacking Tools For Windows
  38. Hacks And Tools
  39. Usb Pentest Tools
  40. Underground Hacker Sites
  41. Pentest Tools Linux
  42. Hack App
  43. Hacking Tools Free Download
  44. Hack App
  45. How To Make Hacking Tools
  46. Hacking Tools
  47. Hacking Tools For Kali Linux
  48. Hacker Tools Windows
  49. Hack Rom Tools
  50. Termux Hacking Tools 2019
  51. Hacker Tools For Windows
  52. Pentest Tools Url Fuzzer
  53. Hacker Techniques Tools And Incident Handling
  54. How To Make Hacking Tools
  55. Hacking Tools For Pc
  56. Pentest Tools Kali Linux
  57. Blackhat Hacker Tools
  58. Pentest Tools Apk
  59. Bluetooth Hacking Tools Kali
  60. Hacking Tools Free Download
  61. World No 1 Hacker Software
  62. Pentest Tools Nmap
  63. Hak5 Tools
  64. Hacker Security Tools
  65. Growth Hacker Tools
  66. Hacker Tools For Ios
  67. Hacker Tools Apk Download
  68. Top Pentest Tools
  69. Hacker Tools Online
  70. Hack Tools
  71. Hacking Tools For Games
  72. Physical Pentest Tools
  73. Pentest Tools Tcp Port Scanner
  74. Hack Tools 2019
  75. Hacker Tools Hardware
  76. Hacking Tools Kit
  77. Easy Hack Tools
  78. Pentest Automation Tools
  79. Pentest Tools Android
  80. Top Pentest Tools
  81. Hacker Tools 2019
  82. Hacking Tools For Windows Free Download
  83. New Hack Tools
  84. Pentest Tools Free
  85. Beginner Hacker Tools
  86. Hack Tools For Windows
  87. Free Pentest Tools For Windows
  88. Hacker Tools Apk Download
  89. Hack Tools For Ubuntu
  90. Hacking Tools 2020
  91. Tools For Hacker
  92. Ethical Hacker Tools
  93. Underground Hacker Sites
  94. Hacks And Tools
  95. Hack Tools
  96. Easy Hack Tools
  97. Pentest Tools Online
  98. Hacker Tools Online
  99. Hack Tools For Ubuntu
  100. Pentest Tools Framework
  101. Hack And Tools
  102. Hacking Tools Github
  103. Hack Tools For Windows
  104. Hackers Toolbox
  105. Hacker Tools
  106. Hacking Tools Kit
  107. Easy Hack Tools
  108. Hacking Apps
  109. Install Pentest Tools Ubuntu
  110. How To Make Hacking Tools
  111. Hacking Tools And Software
  112. Hacker Tools Apk Download
  113. Usb Pentest Tools
  114. Nsa Hack Tools Download
  115. Hack Tools Github
  116. Usb Pentest Tools
  117. Hacker
  118. Tools Used For Hacking
  119. Hack Tools For Windows
  120. Hacker Tools Mac
  121. World No 1 Hacker Software
  122. Hak5 Tools
  123. Hacker Tools Free
  124. Pentest Tools Android
  125. Hack Website Online Tool
  126. Pentest Tools Tcp Port Scanner
  127. Hacking Tools Online
  128. Pentest Tools Windows
  129. Hacker Hardware Tools
  130. Hack Tools For Mac
  131. Kik Hack Tools
  132. Pentest Tools For Windows
  133. Hacking Tools For Windows Free Download
  134. Hacker Tools For Pc
  135. Pentest Tools
  136. Hacking Tools And Software
  137. Hacker Techniques Tools And Incident Handling
  138. Hack Rom Tools
  139. Hack Tools 2019
  140. Hack Tools Mac
  141. Hacking App
  142. Hack Tools Github
  143. Beginner Hacker Tools
  144. Hacking Tools 2020
  145. Hacking Tools Name
  146. How To Hack
  147. Pentest Automation Tools
  148. Hacker Tools Github
  149. Hacking Tools For Windows Free Download
  150. Hacking Tools Hardware
  151. Black Hat Hacker Tools

No comments: