Defcon 2015 Coding Skillz 1 Writeup
Posted by Frames on 2:25 PM
Just by connecting to the service, a dump of 64-bit CPU registers is received, followed by a chunk of binary code:
The registers represent an initial CPU state, and we have to reply with the registers that result from executing the binary code. This must be automated because of the 10 second server socket timeout.
The solution is quite simple: set the CPU registers to these values, execute the code and collect the resulting registers.
In Python we created two structures, one for the initial state and one for the final state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
At the beginning of the code we inject one mov per register to set the initial state:
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))
The movs and the binary code are then assembled as 64-bit code, but with the final ret instruction replaced by a breakpoint, "int 3", which raises SIGTRAP.
We assemble with nasm like this:
os.system('nasm -f elf64 code.asm')   # os.system waits for each tool to finish
os.system('ld -o code code.o')
Then we use GDB to execute the code until the SIGTRAP and dump the registers:
fd = os.popen("gdb --batch -ex 'r' -ex 'i r' code", 'r')   # --batch exits without prompting
for l in fd.readlines():
    for x in finalRegs.keys():
        ...
We just parse the registers, send them back to the server in the same format, and get the key.
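The parsing and reply steps described above, written out as an added example that is not the original solver: it assumes a constructed message layout ('reg=value' lines, then a '... N bytes:' line followed by the raw code) and gdb's usual 'info registers' columns, and keys on the register name rather than on column position, so it is not sensitive to the padding differences the original try/except worked around.

```python
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

def parse_challenge(data):
    """Split the server message into ({reg: value}, code bytes).
    Assumed layout: 'reg=value' lines, a '... N bytes:' line, then N raw bytes."""
    end = data.index(b'bytes:') + len(b'bytes:')
    regs, size = {}, 0
    for line in data[:end].decode().split('\n'):
        name, _, value = line.strip().partition('=')
        if name in REGS:
            regs[name] = value.strip()
        elif 'bytes:' in line:
            size = int(line.split(' ')[3])        # the field the writeup's solver reads
    return regs, data[-size:]                     # the code is the last N bytes received

def build_prologue(regs):
    """One 'mov reg, value' per register, prepended so the code starts from the given state."""
    return ['mov %s, %s' % (r, regs[r]) for r in REGS]

def parse_gdb_registers(output):
    """Read the final state out of gdb's 'info registers' text ('<name> <hex> <natural>').
    Keying on the first token skips rbp/rsp/rip/eflags without counting columns."""
    final = {}
    for line in output.split('\n'):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            final[parts[0]] = parts[1]
    missing = [r for r in REGS if r not in final]
    if missing:
        raise ValueError('registers not found in gdb output: %s' % missing)
    return final

def format_reply(final):
    """Answer in the same 'reg=value' form the server used, one per line."""
    return '\n'.join('%s=%s' % (r, final[r]) for r in REGS) + '\n'

# Constructed sample message: rax=0x1, rbx=0x2 and three code bytes, 48 01 d8 (add rax, rbx)
SAMPLE_MSG = (b'rax=0x1\nrbx=0x2\nrcx=0x3\nrdx=0x4\nrsi=0x5\nrdi=0x6\nr8=0x8\nr9=0x9\n'
              b'r10=0xa\nr11=0xb\nr12=0xc\nr13=0xd\nr14=0xe\nr15=0xf\n'
              b'About to send 3 bytes:\n\x48\x01\xd8')

# Constructed 'info registers' output in gdb's column layout, as if that code had run
# to the int 3: rax now holds 0x1 + 0x2, and the non-answer registers are also present
SAMPLE_GDB = 'Program received signal SIGTRAP, Trace/breakpoint trap.\n' + ''.join(
    '%-15s0x%-18x%d\n' % (r, v, v) for r, v in
    [('rax', 3), ('rbx', 2), ('rcx', 3), ('rdx', 4), ('rsi', 5), ('rdi', 6),
     ('rbp', 0), ('rsp', 0x7ffe0000), ('r8', 8), ('r9', 9), ('r10', 10), ('r11', 11),
     ('r12', 12), ('r13', 13), ('r14', 14), ('r15', 15), ('rip', 0x4000b5)]
) + 'eflags         0x246               [ PF ZF IF ]\n'
```

The output of build_prologue is what goes at the top of code.asm before the disassembled challenge bytes; format_reply produces the text the solver writes back to the socket.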
The code:
from libcookie import *     # Sock/TCP socket helpers (author's own library)
from asm import *           # Capstone().dump(): disassemble bytes into nasm syntax
import os

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial CPU state received from the server, and the final state we send back
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)      # registers still to be read back from gdb

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

# The server sends one 'reg=value' line per register, then a line announcing
# how many bytes of code follow, and finally the raw code itself
data = s.readUntil('bytes:')
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])
binary = data[-sz:]         # the code is the last sz bytes received

print('[%s]' % binary)
print('given size: %d bin size: %d' % (sz, len(binary)))
print(cpuRegs)

# Prologue: one mov per register so the code runs from the given initial state
code = []
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
# Append the disassembled challenge code; its final ret is replaced by an int 3
# so gdb stops with SIGTRAP right after the last real instruction
Capstone().dump('x86', '64', binary, 'code.asm')

print('Compilando ...')
os.system('nasm -f elf64 code.asm')     # os.system waits for each tool to finish
os.system('ld -o code code.o')

print('Ejecutando ...')
# Run until the int 3 and dump the registers; --batch exits without prompting
fd = os.popen("gdb --batch -ex 'r' -ex 'i r' code", 'r')
for l in fd.readlines():
    spl = l.split()         # 'info registers' lines look like: <name> <hex> <natural>
    for x in finalRegs.keys():
        if len(spl) > 1 and spl[0] == x:
            print('reg: ' + x)
            finalRegs[x] = spl[1]
            fregs -= 1
            if fregs == 0:
                # Every register read back: answer in the same reg=value format
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k, finalRegs[k]))
                print('\n'.join(buff) + '\n')
                print(s.readAll())
                s.write('\n'.join(buff) + '\n\n\n')
                print('waiting flag ....')
                print(s.readAll())
                print('----- yeah? -----')
                s.close()
fd.close()