Defcon 2015 Coding Skillz 1 Writeup
Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:
The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.
The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.
In python we created two structures for the initial state and the ending state.
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
We inject at the beginning several movs for setting the initial state:
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
And use GDB to execute the code until the sigtrap, and then get the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
...
We just parse the registers and send the to the server in the same format, and got the key.
The code:
from libcookie import *
from asm import *
import os
import sys
host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15
s = Sock(TCP)
s.timeout = 999
s.connect(host,port)
data = s.readUntil('bytes:')
#data = s.read(sz)
#data = s.readAll()
sz = 0
for r in data.split('\n'):
for rk in cpuRegs.keys():
if r.startswith(rk):
cpuRegs[rk] = r.split('=')[1]
if 'bytes' in r:
sz = int(r.split(' ')[3])
binary = data[-sz:]
code = []
print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs
for r in cpuRegs.keys():
code.append('mov %s, %s' % (r, cpuRegs[r]))
#print code
fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')
print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')
print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
for x in finalRegs.keys():
if x in l:
l = l.replace('\t',' ')
try:
i = 12
spl = l.split(' ')
if spl[i] == '':
i+=1
print 'reg: ',x
finalRegs[x] = l.split(' ')[i].split('\t')[0]
except:
print 'err: '+l
fregs -= 1
if fregs == 0:
#print 'sending regs ...'
#print finalRegs
buff = []
for k in finalRegs.keys():
buff.append('%s=%s' % (k,finalRegs[k]))
print '\n'.join(buff)+'\n'
print s.readAll()
s.write('\n'.join(buff)+'\n\n\n')
print 'waiting flag ....'
print s.readAll()
print '----- yeah? -----'
s.close()
fd.close()
s.close()
More info
- Hacker Tools Software
- Nsa Hack Tools
- Hacking Tools
- Hacking Tools Name
- Hack Website Online Tool
- Wifi Hacker Tools For Windows
- Hacking Tools Download
- Hack Website Online Tool
- Easy Hack Tools
- Pentest Tools Online
- Hack Tools For Windows
- New Hacker Tools
- Pentest Tools Linux
- Physical Pentest Tools
- Hacker Tools Hardware
- Hacking Tools Pc
- Best Pentesting Tools 2018
- Black Hat Hacker Tools
- Pentest Tools Find Subdomains
- Github Hacking Tools
- Hacker Tools
- Hacking Tools Windows
- Hacker Tools Mac
- Tools 4 Hack
- Nsa Hacker Tools
- Hack Tools Download
- Pentest Tools Android
- Hacking Tools Free Download
- What Are Hacking Tools
- Hacking Tools Name
- Pentest Tools Linux
- Pentest Tools Android
- Hacker Tools For Windows
- Best Pentesting Tools 2018
- Pentest Tools Windows
- Hacking Tools
- Hack Tool Apk No Root
- Hacker Tool Kit
- Hacker
- Hacker Tools 2020
- Hack Tools For Mac
- Hacker Techniques Tools And Incident Handling
- Pentest Tools Free
- Hacker Tools Apk
- Hacker Hardware Tools
- Hacking Tools Free Download
- Pentest Tools Website Vulnerability
- Pentest Tools Website Vulnerability
- Hack Tools Mac
- Blackhat Hacker Tools
- Hacker Tools Software
- How To Hack
- Hacking Tools For Games
- New Hack Tools
- Hacker Search Tools
- Hacker Tools Online
- What Are Hacking Tools
- Hacker Tools Software
- Hacker Tools For Ios
- Pentest Tools Github
- Hacker Tools List
- Hacking Tools For Pc
- Wifi Hacker Tools For Windows
- Hacking Tools Online
- Pentest Tools Nmap
- Hacker Tools Github
- Hacking Tools For Beginners
- Pentest Tools Linux
- New Hacker Tools
- Pentest Box Tools Download
- Pentest Tools Android
- Hackers Toolbox
- Tools Used For Hacking
- Hacking Tools Online
- Hacking Tools For Games
- How To Install Pentest Tools In Ubuntu
- Hacking Tools 2020
- Hacks And Tools
- Termux Hacking Tools 2019
- Hack Website Online Tool
- Hack App
- Pentest Tools Free
- Best Hacking Tools 2020
- Hacking Tools For Kali Linux
- Hacking Tools For Mac
- Pentest Tools Kali Linux
- Bluetooth Hacking Tools Kali
- Hacker Tools
- Hacking Tools Usb
- Hacking Tools For Windows Free Download
- Hacker Techniques Tools And Incident Handling
- Black Hat Hacker Tools
- Pentest Tools Tcp Port Scanner
- Hack Tools Pc
- Bluetooth Hacking Tools Kali
- Hacker Tools For Mac
- Hacking Tools Windows 10
- Wifi Hacker Tools For Windows
- Pentest Tools Subdomain
- Hack Tools Download
- Hacking Tools For Kali Linux
- Pentest Tools Subdomain
- Hack And Tools
- Hack Tools For Windows
- Best Hacking Tools 2020
- Tools For Hacker
- Best Hacking Tools 2020
- Hacking Tools For Mac
0 comentarios:
Publicar un comentario