Sunday, 28 January 2024

Defcon 2015 Coding Skillz 1 Writeup

On connecting to the service, you receive a dump of 64-bit CPU registers followed by a blob of binary code, as you can see:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the server's 10-second socket timeout.

The solution is quite simple: set the CPU registers to the given values, execute the code and read back the resulting registers. Keep in mind that this runs code received from the network natively on the solving machine, so do it in a throwaway VM rather than on your workstation.

In Python we create two dictionaries, one for the initial state and one for the final state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

At the beginning of the assembly we inject one mov per register to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We then assemble, as 64-bit code, the movs followed by the received binary code, replacing its final ret instruction with an int 3 (which raises SIGTRAP, so the process stops right after the code has run).
We assemble and link with nasm and ld:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

Then we use GDB to run the binary until the SIGTRAP and print the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We parse the registers and send them back to the server in the same format, and get the key.
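The same pipeline as an added, self-contained Python 3 example. This is not the writeup's script (libcookie and asm are the author's own helper libraries and are not reproduced here). It assumes the banner format the original parser implies, one "reg=0x..." line per register and a "... N bytes:" line before the raw code, and that the blob ends in a one-byte ret (0xC3), as the writeup states, so the ret-to-int3 swap can be done on the last byte and the blob emitted with db, with no disassembler needed. The banner and the gdb output below are constructed sample data, not captures; run_under_gdb is the only part that needs nasm, ld and gdb on the box and is not exercised by the sample.

```python
#!/usr/bin/env python3
"""Added example, not the writeup's own script: the same pipeline in Python 3
with real parsing instead of fixed column offsets. Assumptions (the challenge
banner is only shown as an image on the page): the server sends one
"reg=0x..." line per register, then a line like "About to send N bytes:"
followed by N raw code bytes, and the code blob ends in a single-byte ret
(0xC3), as the writeup states."""
import re
import subprocess

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

REG_LINE = re.compile(r'^\s*(r[a-z0-9]+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$')
SIZE_LINE = re.compile(r'(\d+)\s+bytes')
GDB_LINE = re.compile(r'^(r[a-z0-9]+)\s+(0x[0-9a-fA-F]+)\b')   # "rax   0x1c   28"


def parse_dump(banner):
    """Initial state from the server banner -> ({reg: int}, blob_size)."""
    regs, size = {}, None
    for line in banner.splitlines():
        m = REG_LINE.match(line)
        if m and m.group(1) in REGS:
            regs[m.group(1)] = int(m.group(2), 0)
            continue
        m = SIZE_LINE.search(line)
        if m:
            size = int(m.group(1))
    missing = sorted(set(REGS) - set(regs))
    if missing or size is None:
        raise ValueError('incomplete banner: missing=%s size=%s' % (missing, size))
    return regs, size


def build_asm(regs, blob):
    """NASM source: one mov per register, then the blob with its ret -> int3."""
    if not blob or blob[-1] != 0xC3:
        raise ValueError('blob does not end in a one-byte ret; refusing to guess')
    body = blob[:-1] + b'\xCC'      # int3 raises SIGTRAP; gdb stops with regs intact
    lines = ['BITS 64', 'section .text', 'global _start', '_start:']
    lines += ['    mov %s, 0x%x' % (r, regs[r]) for r in REGS]   # mov r64, imm64
    lines.append('    ; server-supplied code, byte for byte (no disassembler needed)')
    for i in range(0, len(body), 16):
        lines.append('    db ' + ', '.join('0x%02x' % b for b in body[i:i + 16]))
    return '\n'.join(lines) + '\n'


def parse_info_registers(gdb_output):
    """Hex column of gdb's `info registers` for the 14 registers we report."""
    out = {}
    for line in gdb_output.splitlines():
        m = GDB_LINE.match(line)
        if m and m.group(1) in REGS:
            out[m.group(1)] = int(m.group(2), 16)
    missing = sorted(set(REGS) - set(out))
    if missing:
        raise ValueError('gdb output lacked %s' % missing)
    return out


def format_reply(regs):
    """Reply in the same reg=0x... format the server used."""
    return ''.join('%s=0x%x\n' % (r, regs[r]) for r in REGS)


def run_under_gdb(asm_src, workdir='.'):
    """Assemble, link, run to the int3 and return gdb's output.
    Not exercised offline. This runs attacker-supplied code natively: use a
    throwaway VM, not your workstation."""
    with open(workdir + '/code.asm', 'w') as f:
        f.write(asm_src)
    subprocess.run(['nasm', '-f', 'elf64', '-o', workdir + '/code.o',
                    workdir + '/code.asm'], check=True)
    subprocess.run(['ld', '-o', workdir + '/code', workdir + '/code.o'], check=True)
    gdb = subprocess.run(['gdb', '--batch', '-ex', 'run', '-ex', 'info registers',
                          workdir + '/code'], capture_output=True, text=True, timeout=10)
    return gdb.stdout


# Constructed sample input (not a capture): rax=5, rbx=7, everything else 0,
# and a 4-byte blob `add rax, rbx ; ret` (48 01 d8 c3), so the answer is rax=0xc.
SAMPLE_BANNER = ''.join('%s=0x%x\n' % (r, {'rax': 5, 'rbx': 7}.get(r, 0)) for r in REGS) \
    + 'About to send 4 bytes:\n'
SAMPLE_BLOB = b'\x48\x01\xd8\xc3'

# Constructed gdb output for that run (what `info registers` prints at the int3).
SAMPLE_GDB = """Program received signal SIGTRAP, Trace/breakpoint trap.
rax            0xc                 12
rbx            0x7                 7
rcx            0x0                 0
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x0                 0x0
rsp            0x7ffd1c2b3e40      0x7ffd1c2b3e40
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x0                 0
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x401066            0x401066 <_start+102>
eflags         0x206               [ PF IF ]
"""

if __name__ == '__main__':
    regs, size = parse_dump(SAMPLE_BANNER)
    assert size == len(SAMPLE_BLOB)
    print(build_asm(regs, SAMPLE_BLOB))
    print(format_reply(parse_info_registers(SAMPLE_GDB)), end='')
```

gdb's --batch mode auto-confirms the exit and kills the inferior once the two -ex commands have run, so no 'quit' is needed; the 10-second subprocess timeout matches the server's own deadline. Parsing by whitespace rather than by column offset is what keeps this working across gdb versions, which pad the value columns differently.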


The code (Python 2):

from libcookie import *   # author's own socket helper (Sock, TCP)
from asm import *         # author's own Capstone wrapper
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# initial state received from the server, and the state read back from gdb
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15   # countdown of register lines matched in the gdb output

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

# banner: one "reg=value" line per register, then "... N bytes:" and the code
data = s.readUntil('bytes:')

#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])   # size of the code blob announced by the server

binary = data[-sz:]   # the last sz bytes of what was read
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs

# one mov per register to load the initial state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# append the disassembly of the received code to code.asm
Capstone().dump('x86','64',binary,'code.asm')

print 'Compiling ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Running ...'
# run until the int 3 (SIGTRAP), then dump the registers
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # the hex value sits at a fixed column of gdb's "i r" output
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs

                # reply in the same reg=value format the server used
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()

fd.close()
s.close()




