segunda-feira, 24 de agosto de 2020

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





Related word

  1. Hacker Hardware Tools
  2. Hacker Tool Kit
  3. Hacking Tools Windows 10
  4. Hacking Tools For Pc
  5. Pentest Tools Apk
  6. Game Hacking
  7. Top Pentest Tools
  8. Top Pentest Tools
  9. Hacker Search Tools
  10. Android Hack Tools Github
  11. Hacking Tools For Windows Free Download
  12. Hacking Tools 2019
  13. Hacker Tools Linux
  14. Ethical Hacker Tools
  15. Hacker Tools Mac
  16. Hacking Tools Github
  17. Hack App
  18. Hack App
  19. Hacking Tools 2020
  20. Hacker Tools Windows
  21. Pentest Tools Tcp Port Scanner
  22. Pentest Reporting Tools
  23. Growth Hacker Tools
  24. Hack Tools Online
  25. Pentest Recon Tools
  26. Pentest Automation Tools
  27. Pentest Tools For Ubuntu
  28. Hacker Tool Kit
  29. How To Make Hacking Tools
  30. Bluetooth Hacking Tools Kali
  31. Hacker Tool Kit
  32. Hacker Tools 2020
  33. Hacker Tools For Windows
  34. Pentest Tools For Mac
  35. Hacker Tools Apk Download
  36. How To Make Hacking Tools
  37. Hack Tools 2019
  38. Pentest Tools Nmap
  39. Pentest Tools Alternative
  40. Free Pentest Tools For Windows
  41. Tools Used For Hacking
  42. Tools Used For Hacking
  43. Hack Tools For Ubuntu
  44. Best Pentesting Tools 2018
  45. Hacker Tools For Windows
  46. Hacker Tools 2019
  47. Pentest Tools Online
  48. Hack Tools For Ubuntu
  49. Hacking Tools Windows 10
  50. Top Pentest Tools
  51. Hacking Tools Hardware
  52. Hacker Tools Linux
  53. Pentest Tools Android
  54. Hacker Tools For Pc
  55. Pentest Box Tools Download
  56. Hacker Techniques Tools And Incident Handling
  57. Pentest Tools
  58. Hack Tools Mac
  59. Pentest Tools Website Vulnerability
  60. Hacker Tools Mac
  61. Hacking Tools And Software
  62. Hacking Tools For Kali Linux
  63. Hacking Tools
  64. Pentest Tools Nmap
  65. Hack Tool Apk No Root
  66. Pentest Reporting Tools
  67. Tools 4 Hack
  68. Hacking Tools Usb
  69. Hacker Tools Hardware
Postado por às

Nenhum comentário:

Postar um comentário

Assinar: Postar comentários (Atom)