Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

Continue reading

1. Pentest Tools Github
2. Pentest Tools Port Scanner
3. Hacker
4. Pentest Tools Linux
5. How To Hack
6. Hacking Tools Online
7. What Is Hacking Tools
8. Hacking Tools Download
9. Hacker Tools For Windows
10. Hacker Tools For Pc
11. Hacking Tools Download
12. Hack Tool Apk
13. Best Hacking Tools 2019
14. Termux Hacking Tools 2019
15. Pentest Tools Port Scanner
16. Hacker Tools Software
17. Top Pentest Tools
18. Hack Tools For Pc
19. Hack Tool Apk
20. Hack Tools Download
21. Pentest Tools Kali Linux
22. Hack Tools For Mac
23. Hacking App
24. Hack Tools For Mac
25. Hacking Tools 2019
26. How To Hack
27. Nsa Hack Tools Download
28. Pentest Tools List
29. Computer Hacker
30. Hacker Tools 2020
31. Install Pentest Tools Ubuntu
32. Pentest Tools Alternative
33. Pentest Tools Online
34. Black Hat Hacker Tools
35. Hack Tools For Pc
36. Hacking Tools Download
37. Hack Tool Apk
38. Hacker Tools Online
39. Hacking Tools For Windows 7
40. Hack Tool Apk No Root
41. Hacking Tools Usb
42. Pentest Tools Linux
43. Github Hacking Tools
44. Top Pentest Tools
45. Hacking Tools For Games
46. Nsa Hack Tools Download
47. What Are Hacking Tools
48. Hacker Tools Apk
49. Hacking Tools Github
50. Android Hack Tools Github
51. Best Hacking Tools 2020
52. New Hack Tools
53. Hacker Tools Apk Download
54. Pentest Tools For Windows
55. Hack Tools
56. Pentest Tools Kali Linux
57. Pentest Tools Android
58. Pentest Tools For Ubuntu
59. Pentest Tools For Mac
60. New Hacker Tools
61. Hak5 Tools
62. Hackers Toolbox
63. Hack Tools Github
64. Pentest Tools Download
65. Hacking Tools For Windows
66. New Hacker Tools
67. Hack Tools For Mac
68. Pentest Tools Open Source
69. Hack And Tools
70. New Hack Tools
71. Hacking Tools Hardware
72. Pentest Tools Download
73. Termux Hacking Tools 2019
74. Pentest Tools Framework
75. Hack Tools For Mac
76. Hacker Tools Hardware
77. Hacking Apps
78. Hack App
79. Hacking Tools Software
80. Hacker Search Tools
81. Tools 4 Hack
82. Termux Hacking Tools 2019
83. Hack Tool Apk
84. Hacking Tools For Mac
85. Pentest Tools Github
86. Hack App
87. Black Hat Hacker Tools
88. Hacking Apps
89. Pentest Reporting Tools
90. Hacker Tools 2019
91. How To Hack
92. Hacking Apps
93. Hacker Tool Kit
94. Best Hacking Tools 2019