• Browse by Tags

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Continue reading
  1. Hacking Tools For Pc
  2. Pentest Tools Tcp Port Scanner
  3. Hacking Tools Online
  4. Pentest Tools Open Source
  5. Hacking Tools Name
  6. Hacking Tools Software
  7. Pentest Tools Kali Linux
  8. Hacking Tools Pc
  9. Hacker Tools Online
  10. Pentest Tools For Mac
  11. Blackhat Hacker Tools
  12. Hacker Tools Free Download
  13. Pentest Tools Download
  14. Hack Rom Tools
  15. Hacking Tools For Windows Free Download
  16. Hack Apps
  17. Hacking App
  18. Hacking Apps
  19. Github Hacking Tools
  20. Hacker Tools Windows
  21. Black Hat Hacker Tools
  22. Hacker Tools Apk Download
  23. Hacker
  24. Hacker Tools For Pc
  25. Hacker Tools
  26. Hacker Tools For Windows
  27. Hacker Search Tools
  28. Hack Tools For Pc
  29. Hacker Tools Github
  30. Hacking Tools Kit
  31. Hacker Tools For Mac
  32. Hacking App
  33. Pentest Tools Download
  34. Hack Rom Tools
  35. Hacking Tools Online
  36. Android Hack Tools Github
  37. Pentest Tools Website
  38. Hack Tools Pc
  39. Pentest Tools Bluekeep
  40. Pentest Tools Kali Linux
  41. Hacking Tools Kit
  42. What Is Hacking Tools
  43. Hacker Tools Linux
  44. New Hack Tools
  45. Pentest Tools Bluekeep
  46. Pentest Tools For Android
  47. Hack Tools Online
  48. Pentest Tools Tcp Port Scanner
  49. Usb Pentest Tools
  50. Black Hat Hacker Tools
  51. Hack Tools For Windows
  52. Pentest Tools Online
  53. Hacker Tools Linux
  54. Github Hacking Tools
  55. Wifi Hacker Tools For Windows
  56. Hacker Tools List
  57. Pentest Tools For Android
  58. Hacker Tools Free
  59. Hacking Tools For Mac
  60. Hacking Tools And Software
  61. Hack Tools
  62. Blackhat Hacker Tools
  63. Hacking Tools For Pc
  64. Hack App
  65. Pentest Tools Alternative
  66. Nsa Hacker Tools
  67. Beginner Hacker Tools
  68. Hacking Tools Online
  69. Hacker Tools For Ios
  70. Pentest Tools Website Vulnerability
  71. Github Hacking Tools
  72. Hack Tools Pc
  73. Hack Tools For Pc
  74. Tools For Hacker
  75. Hacking Tools 2020
  76. Tools For Hacker
  77. What Is Hacking Tools
  78. Hacker Tools Windows
  79. Pentest Tools For Android
  80. Hack Rom Tools
  81. Hack Tool Apk No Root
  82. Github Hacking Tools
  83. Hack Tools Download
  84. Hacker Tools Free Download
  85. Hack Tools For Games
  86. Pentest Tools Alternative
  87. Hacking Tools Software
  88. New Hacker Tools
  89. Hacker Tools For Windows
  90. Nsa Hack Tools
  91. World No 1 Hacker Software
  92. Pentest Tools Alternative
  93. Hacker Tools Apk
  94. Pentest Tools Url Fuzzer
  95. Pentest Tools Find Subdomains
  96. Pentest Tools Open Source
  97. Hack Rom Tools
  98. World No 1 Hacker Software
  99. Hacking Tools For Windows Free Download
  100. Hacking Tools For Kali Linux
  101. Tools Used For Hacking
  102. Tools For Hacker
  103. What Are Hacking Tools
  104. Hack Tools
  105. Pentest Tools Free
  106. What Is Hacking Tools
  107. What Is Hacking Tools
  108. Pentest Automation Tools
  109. Hacking App
  110. Free Pentest Tools For Windows
  111. Pentest Tools Open Source
  112. Hacking Tools For Mac
  113. Hackrf Tools
  114. Hacker Tools Hardware
  115. Pentest Tools Nmap
  116. Free Pentest Tools For Windows
  117. Hacker Hardware Tools
  118. Hacking Tools 2020
  119. Hacking Tools Name
  120. Wifi Hacker Tools For Windows
  121. Pentest Tools Bluekeep
  122. Hacker Tools For Windows
  123. Hack Tools 2019
  124. Hacker
  125. Pentest Tools List
  126. Pentest Tools Open Source
  127. Hack Tools For Mac
  128. Pentest Tools Url Fuzzer
  129. Hacker Tools For Windows
  130. Hacker Tools Windows
  131. Hack Tools Pc
  132. What Are Hacking Tools
  133. Growth Hacker Tools
  134. Hacks And Tools
  135. Pentest Reporting Tools
  136. Hack Tools For Ubuntu
  137. Pentest Tools For Windows
  138. Android Hack Tools Github
  139. Hacker Tools Online
  140. Hacking Tools Software
  141. Pentest Tools Nmap
  142. Bluetooth Hacking Tools Kali
  143. Hacker Tools For Pc
  144. Hacking Tools For Games
  145. Hacker Tools 2020
  146. Ethical Hacker Tools
  147. Termux Hacking Tools 2019
  148. Hacking Tools For Mac
  149. Hacking Tools Software
  150. Wifi Hacker Tools For Windows
  151. Pentest Tools Github
  152. Easy Hack Tools
  153. Kik Hack Tools
  154. Hacker Techniques Tools And Incident Handling
  155. Hacker Tools Windows
  156. Hacking Tools
  157. Hacking Tools Online

0 comments on "Defcon 2015 Coding Skillz 1 Writeup"



Post a Comment