Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

Related links

1. Pentest Tools Kali Linux
2. Hack Tool Apk
3. Hak5 Tools
4. Hacker Tools Apk Download
5. Hacking Tools For Kali Linux
6. Hacker Tools Apk Download
7. Hack Tools For Windows
8. Pentest Tools For Windows
9. Hacker Tools Free
10. Computer Hacker
11. Hackrf Tools
12. Hack Tools 2019
13. Usb Pentest Tools
14. Free Pentest Tools For Windows
15. Hacking Tools Online
16. Pentest Tools List
17. Hack Tool Apk
18. Pentest Tools For Ubuntu
19. Black Hat Hacker Tools
20. Hack Tools For Windows
21. Install Pentest Tools Ubuntu
22. Pentest Tools Alternative
23. Hack Tools
24. Pentest Tools Github
25. Hack Tools Github
26. World No 1 Hacker Software
27. Hackrf Tools
28. Pentest Tools Download
29. Beginner Hacker Tools
30. Hack Tools For Windows
31. Pentest Tools Nmap
32. Hak5 Tools
33. Hacker Tools Windows
34. Pentest Tools Url Fuzzer
35. World No 1 Hacker Software
36. Hacking Tools For Mac
37. Hacking App
38. Tools For Hacker
39. Hacker Security Tools
40. Hacking Tools Software
41. Pentest Tools Open Source
42. Hacker Tools 2020
43. Pentest Tools Windows
44. Hacking Tools Kit
45. How To Make Hacking Tools
46. Hack Rom Tools
47. Pentest Tools For Windows
48. Pentest Tools Url Fuzzer
49. Hacker Tools 2019
50. How To Hack
51. Pentest Tools Kali Linux
52. Hacking Tools Mac
53. Top Pentest Tools
54. Hacking Tools For Games
55. Hacker Tools 2019
56. Pentest Tools Tcp Port Scanner
57. Pentest Box Tools Download
58. Hacking Tools Windows
59. Bluetooth Hacking Tools Kali
60. Hackers Toolbox
61. Pentest Tools Review
62. What Are Hacking Tools
63. Hacker Tools 2020
64. Hacker Tools Free
65. Pentest Box Tools Download
66. Black Hat Hacker Tools
67. Hacker Tools List
68. Black Hat Hacker Tools
69. Pentest Recon Tools
70. Pentest Tools For Windows
71. Hacking Tools For Windows 7
72. Hacking Tools Pc
73. Hacker Tools Free
74. Wifi Hacker Tools For Windows
75. Hack Tools Download
76. Hacking Tools For Windows Free Download
77. Hacker Techniques Tools And Incident Handling
78. Hacker Tool Kit
79. Hack Apps
80. Hacker Tools 2020
81. Beginner Hacker Tools
82. Pentest Tools Android
83. Hacker Tool Kit
84. Tools For Hacker
85. Hack Tools
86. Underground Hacker Sites
87. Hacker Tools Software
88. Hacker Tools For Ios
89. Best Pentesting Tools 2018
90. Hack Tools For Ubuntu
91. Hacking Tools For Kali Linux