.

.

Defcon 2015 Coding Skillz 1 Writeup

By on 9:47
Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Related word

  1. Pentest Tools Online
  2. Hacker Tools Windows
  3. Hacking Tools Windows 10
  4. Pentest Tools For Android
  5. Hacker Tools Github
  6. Hacker Tools Hardware
  7. Hacker Tools Free
  8. Hacking App
  9. Hacker Tools Free
  10. Hack Apps
  11. Pentest Tools Port Scanner
  12. Pentest Tools Find Subdomains
  13. Hack Tools Mac
  14. Pentest Automation Tools
  15. Pentest Reporting Tools
  16. Hak5 Tools
  17. Hacker Tools Hardware
  18. Pentest Tools Port Scanner
  19. Hack Tools For Mac
  20. Hacking Tools Github
  21. Pentest Tools Tcp Port Scanner
  22. Android Hack Tools Github
  23. Hacking Tools Pc
  24. Hacking Tools For Windows 7
  25. Pentest Tools
  26. Hacking Tools Download
  27. Hacker Tools Apk Download
  28. Hack Tools Online
  29. Computer Hacker
  30. Pentest Tools Nmap
  31. Kik Hack Tools
  32. Hacking Tools
  33. Pentest Tools Website
  34. Pentest Tools Free
  35. Pentest Tools Github
  36. Hacking Tools For Beginners
  37. Hacker Tools Free Download
  38. Underground Hacker Sites
  39. Physical Pentest Tools
  40. Hacker Tools Github
  41. Hacker Security Tools
  42. Pentest Tools For Ubuntu
  43. Pentest Tools Website
  44. Hacking Tools Windows 10
  45. Hacking Tools For Windows Free Download
  46. Hacking Tools For Pc
  47. How To Make Hacking Tools
  48. Game Hacking
  49. Hack Tool Apk No Root
  50. Hacking Tools
  51. Hacker Tools
  52. Hack Apps
  53. Wifi Hacker Tools For Windows
  54. Pentest Tools Review
  55. Hacking Tools Online
  56. Hacker Tools 2020
  57. Hacker Techniques Tools And Incident Handling
  58. Pentest Tools Subdomain
  59. Pentest Tools List
  60. Hacking Tools Name
  61. Hacking Tools For Windows 7
  62. Hacker Tools Mac
  63. Hacking Tools For Kali Linux
  64. Hacker Tools Free

0 comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)