
Friday, January 19, 2024

Defcon 2015 Coding Skillz 1 Writeup

On connecting to the service you receive a dump of 64-bit CPU registers, followed by a blob of binary code, as shown here:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This has to be automated because the server closes the socket after 10 seconds.

The solution is simple: set the CPU registers to these values, execute the code, and read back the resulting registers.

In Python we created two dictionaries, one for the initial state and one for the final state:

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We prepend one mov per register to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We assemble the movs followed by the binary code as 64-bit code, replacing the final ret instruction with an int 3 so that execution stops with a SIGTRAP right after the snippet has run. We assemble and link with nasm and ld (without a _start label ld warns that it cannot find the entry symbol and defaults to the start of .text, which is exactly where the movs are):

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

Then we run the binary under GDB until the SIGTRAP and dump the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers, send them back to the server in the same format, and get the key.
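The same pipeline, as an added example in stdlib Python 3 rather than the writeup's own code: it parses a constructed copy of the service banner, turns the trailing ret into int 3 at the byte level and emits the snippet with db so no disassembler is needed, and parses gdb's info registers output by token instead of by column position. The banner wording, the gdb output and the reply format are constructed samples and assumptions based on how the writeup's script parses them; run_under_gdb needs nasm, ld and gdb on PATH.

```python
"""Register-state harness for the catwestern task: parse the banner, build the NASM
file, parse gdb's 'info registers' and format the reply. Added example, stdlib only."""
import re
import subprocess

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample of the banner (assumed layout: one reg=value line per register,
# then a line ending in "N bytes:", then the raw code).  The code here is
# add rax, rbx ; inc rcx ; ret, so the expected result is rax=3, rcx=6.
SAMPLE_CODE = bytes([0x48, 0x01, 0xd8, 0x48, 0xff, 0xc1, 0xc3])
SAMPLE_BANNER = (
    b'rax=0x1\nrbx=0x2\nrcx=0x5\nrdx=0x0\nrsi=0x0\nrdi=0x0\n'
    b'r8=0x0\nr9=0x0\nr10=0x0\nr11=0x0\nr12=0x0\nr13=0x0\nr14=0x0\nr15=0x0\n'
    b'About to send %d bytes:\n' % len(SAMPLE_CODE)
) + SAMPLE_CODE

# Constructed sample of gdb's 'info registers' output after the int 3 fires.
SAMPLE_GDB_OUTPUT = """\
rax            0x3                 3
rbx            0x2                 2
rcx            0x6                 6
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x0                 0x0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x0                 0
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x401069            0x401069 <_start+105>
eflags         0x202               [ IF ]
"""


def parse_banner(data):
    """Return ({reg: int}, code): the code is the last N raw bytes, N taken from the
    'N bytes:' line; the register lines are the text before it."""
    m = re.search(rb'(\d+) bytes:', data)
    if not m:
        raise ValueError('no byte count in banner')
    size = int(m.group(1))
    code = data[-size:]
    if len(code) != size:
        raise ValueError('short read: %d of %d code bytes' % (len(code), size))
    regs = {n.decode(): int(v, 16)
            for n, v in re.findall(rb'^(r\w+)=(0x[0-9a-fA-F]+)', data[:m.start()], re.M)
            if n.decode() in REGS}
    missing = [r for r in REGS if r not in regs]
    if missing:
        raise ValueError('banner missing registers: %s' % missing)
    return regs, code


def patch_ret_to_int3(code):
    """Turn a trailing ret (0xC3) into int3 (0xCC) so gdb stops with SIGTRAP right after
    the snippet; append int3 if the snippet does not end in ret. A ret in the middle of
    the blob, or one reached by a jump, is not handled here."""
    return code[:-1] + b'\xcc' if code.endswith(b'\xc3') else code + b'\xcc'


def build_asm(regs, code):
    """NASM source: movs for the initial state, then the snippet as raw db bytes so no
    disassembler is needed. _start is declared so ld finds the entry point."""
    lines = ['BITS 64', 'global _start', 'section .text', '_start:']
    lines += ['    mov %s, 0x%x' % (r, regs[r]) for r in REGS]
    lines.append('    db ' + ', '.join('0x%02x' % b for b in patch_ret_to_int3(code)))
    return '\n'.join(lines) + '\n'


def run_under_gdb(asm_source):
    """Assemble, link and run to the int3; needs nasm, ld and gdb (not run offline).
    subprocess.run waits for each tool, unlike os.popen, so the link never races nasm."""
    with open('code.asm', 'w') as fd:
        fd.write(asm_source)
    subprocess.run(['nasm', '-f', 'elf64', 'code.asm', '-o', 'code.o'], check=True)
    subprocess.run(['ld', '-o', 'code', 'code.o'], check=True)
    gdb = ['gdb', '-batch', '-q', '-ex', 'run', '-ex', 'info registers', './code']
    return subprocess.run(gdb, capture_output=True, text=True, timeout=10).stdout


def parse_info_registers(text):
    """Match each 'info registers' line on its name and hex column, not on character
    position, so a different gdb version's column widths do not break it."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'(\w+)\s+(0x[0-9a-fA-F]+)', line)
        if m and m.group(1) in REGS:
            found[m.group(1)] = int(m.group(2), 16)
    missing = [r for r in REGS if r not in found]
    if missing:
        raise ValueError('gdb output missing registers: %s' % missing)
    return found


def format_reply(regs):
    """Reply in the banner's own reg=0x... form (assumed), one per line."""
    return ''.join('%s=0x%x\n' % (r, regs[r]) for r in REGS) + '\n'


if __name__ == '__main__':
    initial, blob = parse_banner(SAMPLE_BANNER)
    print(build_asm(initial, blob))
    print(format_reply(parse_info_registers(SAMPLE_GDB_OUTPUT)))
```

The snippet runs with the process's real stack and address space, so a blob that reads memory outside the tiny image, or returns before its last byte, crashes or runs past the int 3; the harness also restores only the 14 registers the service reports, leaving rsp, rbp and rflags as the loader set them.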


The code:

from libcookie import *   # author's socket helper (Sock, TCP)
from asm import *         # author's Capstone wrapper used to disassemble the blob
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)   # registers still to read from gdb: 14, not a hard-coded 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

# Relies on libcookie's readUntil returning everything received so far, i.e. the
# text header up to 'bytes:' plus the raw code that follows it.
data = s.readUntil('bytes:')

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])   # "... N bytes:" -> N

binary = data[-sz:]   # the code blob is the last sz bytes received
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# Prologue: load the initial state into every register.
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# Author's helper from the asm module: appends the disassembly of the blob to
# code.asm (per the writeup, the final ret becomes an int 3 so gdb stops there).
Capstone().dump('x86','64',binary,'code.asm')

print 'Assembling ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Running ...'
# Run to the SIGTRAP and dump the registers. Each 'i r' line is
# "<name> <hex> <natural>": match on the first token and take the second, instead
# of a fixed column index that depends on the gdb version's column widths.
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    spl = l.split()
    if len(spl) < 2 or spl[0] not in finalRegs:
        continue
    print 'reg: ',spl[0]
    finalRegs[spl[0]] = spl[1]
    fregs -= 1
    if fregs == 0:
        buff = []
        for k in finalRegs.keys():
            buff.append('%s=%s' % (k,finalRegs[k]))

        print '\n'.join(buff)+'\n'

        print s.readAll()
        s.write('\n'.join(buff)+'\n\n\n')
        print 'waiting flag ....'
        print s.readAll()

        print '----- yeah? -----'
        break

fd.close()
s.close()




