Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:

The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"

We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

           ...

We just parse the registers and send the to the server in the same format, and got the key.

The code:

from libcookie import *

from asm import *

import os

import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'

port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

fregs = 15

s = Sock(TCP)

s.timeout = 999

s.connect(host,port)

data = s.readUntil('bytes:')

#data = s.read(sz)

#data = s.readAll()

sz = 0

for r in data.split('\n'):

    for rk in cpuRegs.keys():

        if r.startswith(rk):

            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:

        sz = int(r.split(' ')[3])

binary = data[-sz:]

code = []

print '[',binary,']'

print 'given size:',sz,'bin size:',len(binary)        

print cpuRegs

for r in cpuRegs.keys():

    code.append('mov %s, %s' % (r, cpuRegs[r]))

#print code

fd = open('code.asm','w')

fd.write('\n'.join(code)+'\n')

fd.close()

Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'

os.popen('nasm -f elf64 code.asm')

os.popen('ld -o code code.o ')

print 'Ejecutando ...'

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')

for l in fd.readlines():

    for x in finalRegs.keys():

        if x in l:

            l = l.replace('\t',' ')

            try:

                i = 12

                spl = l.split(' ')

                if spl[i] == '':

                    i+=1

                print 'reg: ',x

                finalRegs[x] = l.split(' ')[i].split('\t')[0]

            except:

                print 'err: '+l

            fregs -= 1

            if fregs == 0:

                #print 'sending regs ...'

                #print finalRegs

                

                buff = []

                for k in finalRegs.keys():

                    buff.append('%s=%s' % (k,finalRegs[k]))

                print '\n'.join(buff)+'\n'

                print s.readAll()

                s.write('\n'.join(buff)+'\n\n\n')

                print 'waiting flag ....'

                print s.readAll()

                print '----- yeah? -----'

                s.close()

                

fd.close()

s.close()

Related articles

• Hacker Search Tools
• Pentest Tools For Ubuntu
• Tools 4 Hack
• Hacking Tools Usb
• Hacker Tools For Windows
• Hack App
• Growth Hacker Tools
• Termux Hacking Tools 2019
• Hack Tools
• Hacking Tools For Games
• Kik Hack Tools
• Pentest Tools Bluekeep
• Termux Hacking Tools 2019
• How To Hack
• Pentest Tools Online
• Black Hat Hacker Tools
• Pentest Tools Alternative
• Wifi Hacker Tools For Windows
• Hack Tools Pc
• Hack Tools For Pc
• Game Hacking
• Free Pentest Tools For Windows
• Hacking Tools Windows
• Hacker Tools Apk Download
• Hacker Tool Kit
• Pentest Tools Download
• Hacking Tools For Windows Free Download
• Hacking Tools Online
• Tools 4 Hack
• Pentest Tools Framework
• Hacker Tools 2020
• Pentest Tools Tcp Port Scanner
• Hacking Tools For Windows
• Hacking Tools For Mac
• Hacking Tools For Pc
• Easy Hack Tools
• Pentest Tools List
• New Hack Tools
• Beginner Hacker Tools
• Pentest Tools Download
• Nsa Hack Tools
• Kik Hack Tools
• Bluetooth Hacking Tools Kali
• Hacker Tools Apk Download
• Pentest Tools Framework
• World No 1 Hacker Software
• Pentest Tools Website
• Hack Tools Github
• Hacking Tools Name
• Easy Hack Tools
• Hacker Tools Online
• Pentest Tools Website Vulnerability
• Hacking Tools And Software
• Hacker Tools Apk Download
• Hack Tools
• Pentest Tools Kali Linux
• Pentest Tools Download
• Hack Tools For Ubuntu
• Hacking App
• Pentest Tools Website
• Tools 4 Hack
• Hacking Tools Pc
• Best Hacking Tools 2019
• Hacking Tools For Mac
• Computer Hacker
• Hacking Tools For Windows Free Download
• Hacker Tools Linux
• Ethical Hacker Tools
• Hack Tool Apk No Root
• Hack Apps
• Hacker Tools Apk
• Install Pentest Tools Ubuntu
• Hacking Tools
• Ethical Hacker Tools
• Hak5 Tools
• Nsa Hack Tools Download
• Hacker Tools List
• Hacking Tools For Windows
• Pentest Tools Kali Linux
• Hack Website Online Tool
• Pentest Tools List
• Pentest Tools Free
• Best Hacking Tools 2020
• Growth Hacker Tools
• Hacking Tools Mac
• Hacking Tools For Games
• How To Install Pentest Tools In Ubuntu
• Hack Tools
• Pentest Recon Tools
• Pentest Tools Bluekeep
• Hack Tools For Pc
• Hacking Tools 2020
• Hacking App
• Pentest Tools For Windows
• Pentest Tools Free
• Hacker Tools Mac
• New Hacker Tools
• Hacking Tools Pc
• Hacking Tools Windows
• Hacking Tools For Windows
• Underground Hacker Sites
• Hack Tools Download
• Hack Tools For Pc
• Ethical Hacker Tools
• Pentest Tools Alternative
• Hackrf Tools
• Pentest Tools Linux
• Hacking Tools Hardware
• Hack Tools Pc
• Hak5 Tools
• Pentest Automation Tools
• Blackhat Hacker Tools
• How To Hack
• Hacking Tools Usb
• Best Pentesting Tools 2018
• Wifi Hacker Tools For Windows
• Beginner Hacker Tools
• Hacking Tools For Windows 7
• Hackrf Tools
• Hacker Tools Linux
• Termux Hacking Tools 2019
• Hacker Hardware Tools
• Hacking Tools Pc
• Hacker Tools Github
• Tools 4 Hack
• Pentest Tools Windows
• Hacker Tools 2019
• Hacking Tools For Kali Linux
• Pentest Tools Port Scanner
• Hack Tool Apk
• Ethical Hacker Tools
• Hacker Tools Online
• Best Hacking Tools 2020
• Hacking Tools For Kali Linux
• Hack Apps
• Hacker Tools List
• Hack Tools
• Blackhat Hacker Tools
• Pentest Tools Open Source
• Hack Tools
• World No 1 Hacker Software
• Computer Hacker
• Hack Tools For Windows
• World No 1 Hacker Software
• Hacking Tools For Mac
• Android Hack Tools Github
• Pentest Tools Download
• Hack Tools For Windows
• Hack Tools Mac
• How To Install Pentest Tools In Ubuntu
• Hack Tools For Pc
• Pentest Box Tools Download
• Blackhat Hacker Tools
• Hacker Hardware Tools
• Hacker Tools List
• Pentest Tools For Mac
• Kik Hack Tools
• How To Make Hacking Tools
• Hacker Tools
• Hacking Apps
• Hacker Search Tools
• Hacker
• Hacker Tools Apk
• Hack Tools For Pc
• Pentest Recon Tools
• Hack Tools For Mac
• Hacking Tools 2019
• Tools For Hacker
• Hack Tools For Windows
• Tools For Hacker
• Hacking Tools 2019
• Hack Website Online Tool
• Pentest Tools For Mac
• How To Make Hacking Tools
• Hack And Tools
• Nsa Hacker Tools
• Pentest Tools Framework
• Hack Tool Apk