viernes, 21 de agosto de 2020

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Continue reading


  1. Hack App
  2. Easy Hack Tools
  3. Pentest Tools Open Source
  4. Physical Pentest Tools
  5. Pentest Tools Open Source
  6. Best Pentesting Tools 2018
  7. Hacker Tools
  8. Pentest Automation Tools
  9. Hack Tools
  10. Hacker
  11. Hack Tools Github
  12. Hacking Tools Kit
  13. Hack Rom Tools
  14. Hacking Tools Windows
  15. Pentest Recon Tools
  16. Black Hat Hacker Tools
  17. Pentest Tools Review
  18. Hack Tool Apk
  19. Nsa Hack Tools
  20. Hacker Tools
  21. Hacking Tools Download
  22. Blackhat Hacker Tools
  23. Hacker Tools 2020
  24. Pentest Tools Review
  25. Hack Tool Apk
  26. Android Hack Tools Github
  27. Hacking Tools Github
  28. Wifi Hacker Tools For Windows
  29. Hacker Tools Apk
  30. Pentest Tools List
  31. Hacker Tools Free
  32. Nsa Hack Tools Download
  33. World No 1 Hacker Software
  34. Best Hacking Tools 2020
  35. Free Pentest Tools For Windows
  36. Pentest Tools Alternative
  37. Hack Tools Mac
  38. Hacker Tools
  39. Blackhat Hacker Tools
  40. Hacking Tools And Software
  41. Hacker Tools For Ios
  42. Install Pentest Tools Ubuntu
  43. Pentest Tools Framework
  44. Hacking Tools For Windows
  45. Hack Website Online Tool
  46. Hack Tools Online
  47. Hack And Tools
  48. Free Pentest Tools For Windows
  49. Hack Tool Apk No Root
  50. Pentest Tools
  51. Pentest Box Tools Download
  52. Hacking Tools Github
  53. Pentest Tools Free
  54. What Is Hacking Tools
  55. Hacks And Tools
  56. Blackhat Hacker Tools
  57. Hack Tools Download
  58. Hacker Tools Software
  59. Hacker Tools For Windows
  60. Hack Tools 2019
  61. Blackhat Hacker Tools
  62. Hackrf Tools
  63. Free Pentest Tools For Windows
  64. Hacker Security Tools
  65. Hacker Tools Mac
  66. Hacker Tools Linux
  67. Hack Tools For Windows
  68. Hacker Security Tools
  69. Android Hack Tools Github
  70. New Hacker Tools
  71. World No 1 Hacker Software
  72. Hackers Toolbox
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)