Skip to main content

Defcon 2015 Coding Skillz 1 Writeup

By admin
Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More info


  1. Hacking Tools Github
  2. Hack Tool Apk No Root
  3. Hacking Tools For Pc
  4. Hack And Tools
  5. Hacker
  6. Pentest Tools Free
  7. Hacker Tools Github
  8. Hacking Tools For Mac
  9. Pentest Tools Apk
  10. Pentest Tools Subdomain
  11. Hacker Tools Linux
  12. Pentest Tools Subdomain
  13. Hack Tools For Mac
  14. Pentest Automation Tools
  15. Pentest Tools Find Subdomains
  16. Pentest Tools For Android
  17. Hackers Toolbox
  18. Pentest Tools Nmap
  19. Hack Tools For Mac
  20. Hack Tools
  21. New Hack Tools
  22. World No 1 Hacker Software
  23. Hacker Tools Hardware
  24. How To Install Pentest Tools In Ubuntu
  25. Hacker Tools For Ios
  26. Github Hacking Tools
  27. Pentest Box Tools Download
  28. Pentest Tools Linux
  29. Hacking Tools Windows 10
  30. Pentest Tools List
  31. Hack Apps
  32. Hacker Search Tools
  33. Computer Hacker
  34. Hacking Tools For Windows
  35. Blackhat Hacker Tools
  36. Hacker Tools For Pc
  37. Underground Hacker Sites
  38. Pentest Tools Website
  39. Hacking Tools Download
  40. Hack Tools For Pc
  41. Pentest Tools Linux
  42. Pentest Tools Nmap
  43. Pentest Tools Review
  44. Hacker Tools For Ios
  45. Hacking App
  46. Best Hacking Tools 2019
  47. Pentest Tools Url Fuzzer
  48. Hackers Toolbox
  49. Hacking App
  50. Pentest Tools Website Vulnerability
  51. Hacking Tools For Beginners
  52. Pentest Tools Download
  53. Pentest Reporting Tools
  54. Hacking Tools Mac
  55. Hacking Tools Download
  56. How To Hack
  57. Kik Hack Tools
  58. Hacking Tools Github
  59. Hacking Tools For Games
  60. Game Hacking
  61. Hacker Tools Windows
  62. Tools For Hacker
  63. Pentest Tools Open Source
  64. Hack Tools Online
  65. Pentest Recon Tools
  66. How To Install Pentest Tools In Ubuntu
  67. Hacking Tools Free Download
  68. Pentest Tools List
  69. Physical Pentest Tools
  70. Hack Tools Github
  71. Hacking Apps
  72. Pentest Tools For Android
  73. Pentest Box Tools Download
  74. Hackrf Tools
  75. Hacks And Tools
  76. Hacker Tools Free
  77. Hacking Apps
  78. Pentest Tools List
  79. Hacking Tools For Games
  80. Best Pentesting Tools 2018
  81. Hackers Toolbox
  82. Hacker Tools Windows
  83. New Hack Tools
  84. Hak5 Tools
  85. Hacker Tools Hardware
  86. Pentest Tools Port Scanner
  87. Pentest Tools Subdomain
  88. Hacking Tools Windows 10
  89. Hacker Tools Hardware
  90. Hacking Tools Usb
  91. Hacker Tools Github
  92. Hacking Tools For Kali Linux
  93. Hack Tool Apk No Root
  94. Hacker Tools Free Download
  95. Hack Apps
  96. Hack Tools For Pc
  97. Hacking Tools Software
  98. Hacking Tools For Pc
  99. How To Hack
  100. Best Pentesting Tools 2018
  101. Pentest Recon Tools
  102. Pentest Tools Website Vulnerability
  103. Hacking Tools For Kali Linux
  104. Bluetooth Hacking Tools Kali
  105. Hacker Tools Apk
  106. Hack And Tools
  107. Pentest Tools Apk
  108. Hacker Hardware Tools
  109. Pentest Tools Tcp Port Scanner
  110. Pentest Tools Kali Linux
  111. Pentest Tools Free
  112. Hacker Tools Online
  113. Hacker Tools Apk Download
  114. Hack Tools For Mac
  115. Pentest Tools Free
  116. Hacker Tools Github
  117. Hack Tools For Mac
  118. Nsa Hack Tools Download
  119. Pentest Tools Android
  120. Pentest Tools Port Scanner
  121. Pentest Tools For Windows
  122. Pentest Tools Windows
  123. Hacking Tools For Pc
  124. Hacking Tools 2019
  125. Pentest Tools Port Scanner
  126. Pentest Tools Kali Linux
  127. Tools 4 Hack
  128. Hacking Tools Kit
  129. New Hack Tools
  130. Pentest Tools Review
  131. Tools For Hacker
  132. Pentest Tools Free
  133. Hack Tools For Pc
  134. Best Pentesting Tools 2018
  135. Pentest Tools For Ubuntu
  136. Pentest Tools Url Fuzzer
  137. Hack Tools For Pc
  138. Bluetooth Hacking Tools Kali
  139. Hacking Tools For Beginners
  140. What Are Hacking Tools
  141. Black Hat Hacker Tools
  142. Hacking Tools Hardware
  143. Hacking Tools Mac
  144. How To Hack
  145. Hacking Tools Software
  146. Hack Tools For Windows
  147. Pentest Tools Subdomain
  148. Hacking Tools Name
  149. Hacking App
  150. Easy Hack Tools
  151. Pentest Tools For Mac
  152. Pentest Tools Website
  153. New Hack Tools
  154. Hacking Tools For Beginners
  155. Hacking Tools
  156. Hacker Tools Github
  157. Hacking Tools Name
  158. Hacking Tools For Games
  159. Pentest Tools Url Fuzzer

Comments

Post a Comment

Popular posts from this blog

דף הבית | הטכניון - מכון טכנולוגי לישראל

By admin
https://technion.ac.il http://library.technion.ac.il/he https://www.technion.ac.il/%D7%A8%D7%A9%D7%99%D7%9E%D7%AA-%D7%94%D7%A4%D7%A7%D7%95%D7%9C%D7%98%D7%95%D7%AA-2/ http://www.admin.technion.ac.il/dpcalendar/ https://www.technion.ac.il/%D7%94%D7%A0%D7%94%D7%9C%D7%94-%D7%91%D7%9B%D7%99%D7%A8%D7%94/ https://www.technion.ac.il/%D7%A1%D7%9E%D7%99%D7%A0%D7%A8%D7%99%D7%9D/ https://dean.web.technion.ac.il/%D7%A7%D7%9E%D7%A4%D7%95%D7%A1-%D7%AA%D7%95%D7%A1%D7%A1/ http://www.dmag.co.il/pub/technion/tmag.html http://moodle.technion.ac.il/ https://tender-logistics.web3.technion.ac.il http://cis.technion.ac.il/ http://video.technion.ac.il/ https://portal.technion.ac.il/irj/portal https://www.technion.ac.il/ https://www.technion.ac.il/en/home-2/ http://arabic.net.technion.ac.il https://www.technion.ac.il/%d7%97%d7%96%d7%95%d7%9f-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ https://www.technion.ac.il/%d7%94%d7%99%d7%a1%d7%98%d7%95%d7%a8%d7%99%d7%99%d7%aa-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ ht...
Post a Comment
Read more

Gu Energy Gel for Sale

By admin
Get Gu Energy Gel Here - https://bit.ly/3f97Wvz _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Post a Comment
Read more

To Kilinochchi or Mankulam?- The Nation- 2008/09/07

By admin
This week saw one of the most ferocious battles since the security forces started their campaign to regain the Wanni around mid last year. The LTTE’s much anticipated counter strike was launched along their newly built trench line from the western coastal town Nachchikudah to the deep interior region Akkarayankulam, a fair distance of 18-20 km in length. This trench line, which is mainly an earth bund of around 7-15 feet at certain places, was built in recent times with heavy machinery cutting across shrub jungles. In a series of waves, the LTTE attacked personnel of the Army’s 58 and 57 Divisions last Wednesday in a battle that lasted 36 hours. The LTTE claimed to have killed up to 100 military personnel, while the military initially claimed that only nine soldiers were killed. However, with the LTTE claiming that they had recovered the bodies of 29 soldiers and posted pictures of the dead on pro-LTTE websites, the Army said that ...
3 comments
Read more