
Wednesday, January 24, 2024

Defcon 2015 Coding Skillz 1 Writeup

Just by connecting to the service, a 64-bit CPU register dump is received, followed by a blob of binary code, as you can see:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the 10 second server socket timeout.

The exploit is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.

In Python we created two structures, one for the initial state and one for the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning one mov per register to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We then assemble the movs together with the binary code as 64-bit code, but replace the final ret instruction with an "int 3" so that execution stops with a SIGTRAP.
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And we use GDB to execute the code until the SIGTRAP, and then dump the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers, send them to the server in the same format, and get the key.
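The three steps above (parse the banner, build the mov/int3 stub, parse the gdb register dump and format the reply) as an added, stand-alone Python 3 example using only the standard library; this is not the author's code. The banner wording, the sample gdb output and the instruction list standing in for the capstone disassembly are constructed here.

```python
import re

# The 14 registers the challenge asks for, in the order used for the reply.
REGS = ('rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15')
# Constructed sample banner; the real server wording is an assumption.
SAMPLE_BANNER = "rax=0x1\nrbx=0x2\nr15=0x0\nAbout to send 3 bytes:"
# Constructed sample of gdb 'info registers' output after the int3 trap.
SAMPLE_GDB = ("rax            0x3                 3\n"
              "rbx            0x2                 2\n"
              "r15            0x0                 0\n"
              "rip            0x401010            0x401010\n"
              "eflags         0x202               [ IF ]\n")

def parse_challenge(text):
    """Collect 'reg=value' lines and the advertised code size ('N bytes')."""
    regs, size = {}, None
    for line in text.splitlines():
        m = re.match(r'\s*(r[a-z0-9]+)\s*=\s*(0x[0-9a-fA-F]+|\d+)', line)
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
        m = re.search(r'(\d+)\s+bytes', line)
        if m:
            size = int(m.group(1))
    return regs, size

def build_asm(regs, body):
    """nasm stub: movs for the initial state, then the challenge code with its
    final ret swapped for int3 so gdb stops with the result registers intact."""
    lines = ['section .text', 'global _start', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS if r in regs]
    body = list(body)          # stand-in for the capstone disassembly
    if body and body[-1].strip() == 'ret':
        body[-1] = 'int3'
    lines += ['    ' + ins for ins in body]
    return '\n'.join(lines) + '\n'

def parse_gdb_regs(output):
    """Parse 'info registers' lines (name, hex, natural) by their first token."""
    found = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS:
            found[parts[0]] = parts[1]
    return found

def format_reply(regs):
    """Reply in the same 'reg=value' line format the server used."""
    return ''.join('%s=%s\n' % (r, regs[r]) for r in REGS if r in regs)
```

Matching on the first token of each gdb line avoids both substring hits (a register name inside another line) and the fixed-column split that breaks when gdb pads with tabs.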


The code:

# Python 2 script; libcookie (Sock) and asm (Capstone) are the author's own
# helper modules, not standard libraries.
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state sent by the server, and final state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
# registers still to collect from the gdb dump: one per key (14), not a fixed 15
fregs = len(finalRegs)

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

# assumed: readUntil returns everything received so far, code bytes included,
# so the challenge code is the last sz bytes of the buffer
data = s.readUntil('bytes:')

sz = 0

for r in data.split('\n'):
    # register lines come as 'reg=value'
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    # the size line announces how many bytes of code follow
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# one mov per register loads the initial state before the challenge code
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# append the disassembled challenge code, with the final ret replaced by int 3
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
# read() waits for each tool to finish before the next step runs
os.popen('nasm -f elf64 code.asm').read()
os.popen('ld -o code code.o ').read()

print 'Ejecutando ...'
# run until the int 3 trap and dump the registers; 'i r' lines look like
# "rax            0x1c                28" (name, hex value, natural value)
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    spl = l.split()
    # match on the first token so register names inside other lines are ignored
    if not spl or spl[0] not in finalRegs:
        continue
    x = spl[0]
    print 'reg: ',x
    finalRegs[x] = spl[1]
    fregs -= 1
    if fregs == 0:
        # all registers collected: answer in the same 'reg=value' format
        buff = []
        for k in finalRegs.keys():
            buff.append('%s=%s' % (k,finalRegs[k]))

        print '\n'.join(buff)+'\n'

        print s.readAll()
        s.write('\n'.join(buff)+'\n\n\n')
        print 'waiting flag ....'
        print s.readAll()

        print '----- yeah? -----'
        s.close()
        break

fd.close()
s.close()




