Saturday, June 3, 2023

Defcon 2015 Coding Skillz 1 Writeup

On connecting to the service, you receive a dump of 64-bit CPU registers followed by a block of binary code.

The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code on that state. This has to be automated because of the server's 10-second socket timeout.

The exploit is quite simple: set the CPU registers to these values, execute the code and read the resulting registers.

In Python we create two dictionaries, one for the initial state and one for the final state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

At the beginning of the code we inject one mov per register to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The movs and the challenge's binary code are then assembled as 64-bit code, with the final ret instruction replaced by an "int 3" so that execution stops with a SIGTRAP instead of returning.
We assemble and link with nasm like this:

# os.system waits for each tool to finish before the next one starts
os.system('nasm -f elf64 code.asm')
os.system('ld -o code code.o')

Then we use GDB to run the code until the SIGTRAP and dump the registers (-batch makes gdb exit afterwards without asking for confirmation):

fd = os.popen("gdb -batch code -ex 'r' -ex 'i r'", 'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...

We parse the registers, send them back to the server in the same format, and get the key.
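The whole procedure above, rebuilt as an added example that is not the writeup's own code and does not use the author's libcookie/asm helpers. The banner layout (name=value register lines, an "About to send N bytes:" line, then N raw bytes), the sample code bytes and the gdb output below are constructed for this example; the service's exact wording is not reproduced on the page. One deliberate change from the writeup: instead of disassembling and reassembling the challenge bytes, the example emits them verbatim with a db directive after swapping the trailing 0xc3 (ret) for 0xcc (int 3), which is the same stopping trick without a disassembler. Only run_pipeline touches nasm, ld and gdb; the parsing and generation steps work offline.

```python
# Added example (not the writeup's code): the register-replay pipeline as testable functions.
import re
import subprocess

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample: add rax, rbx / inc rcx / ret  (7 bytes, ends in 0xc3).
SAMPLE_CODE = bytes.fromhex('4801d848ffc1c3')
# Constructed banner in the layout the writeup describes (assumed wording).
SAMPLE_BANNER = (
    b'rax=0x1\nrbx=0x2\nrcx=0x10\nrdx=0x0\nrsi=0x0\nrdi=0x0\n'
    b'r8=0x0\nr9=0x0\nr10=0x0\nr11=0x0\nr12=0x0\nr13=0x0\nr14=0x0\nr15=0x0\n'
    b'About to send 7 bytes:\n' + SAMPLE_CODE
)


def parse_banner(data):
    """Return (initial registers as name->hex string, raw code bytes)."""
    head = data.decode('latin-1')
    regs = {}
    for m in re.finditer(r'^(r\w+)=(0x[0-9a-fA-F]+)\s*$', head, re.M):
        if m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    missing = [r for r in REGS if r not in regs]
    if missing:
        raise ValueError('registers missing from banner: %s' % missing)
    size = int(re.search(r'(\d+) bytes', head).group(1))
    return regs, data[-size:]


def patch_ret_to_int3(code):
    """Swap the trailing ret (0xc3) for int 3 (0xcc): gdb then stops with SIGTRAP
    right after the last real instruction, with the registers still intact."""
    if not code or code[-1] != 0xc3:
        raise ValueError('code does not end in ret; cannot place int 3 safely')
    return code[:-1] + b'\xcc'


def build_nasm(regs, code):
    """NASM source: load the initial state with one mov per register, then the code."""
    lines = ['BITS 64', 'global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    lines.append('    db ' + ', '.join('0x%02x' % b for b in patch_ret_to_int3(code)))
    return '\n'.join(lines) + '\n'


# -batch runs the -ex commands and exits without the "Quit anyway?" prompt.
GDB_CMD = ['gdb', '-batch', '-ex', 'run', '-ex', 'info registers', './code']


def parse_info_registers(text):
    """Pick the hex column out of gdb's `info registers` output. The register
    name is matched as a whole token, so rip/eflags and prose lines are skipped."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REGS and parts[1].startswith('0x'):
            out[parts[0]] = parts[1]
    return out


def format_answer(final):
    """Answer in the same name=value layout the banner used, one register per line."""
    return '\n'.join('%s=%s' % (r, final[r]) for r in REGS) + '\n'


def run_pipeline(banner):
    """Full local run; needs nasm, ld and gdb on PATH (not exercised offline)."""
    regs, code = parse_banner(banner)
    with open('code.asm', 'w') as f:
        f.write(build_nasm(regs, code))
    subprocess.run(['nasm', '-f', 'elf64', 'code.asm'], check=True)
    subprocess.run(['ld', '-o', 'code', 'code.o'], check=True)
    gdb = subprocess.run(GDB_CMD, capture_output=True, text=True)
    return format_answer(parse_info_registers(gdb.stdout))


# Constructed gdb output for SAMPLE_BANNER after the int 3 fires.
SAMPLE_GDB_OUTPUT = """\
Program received signal SIGTRAP, Trace/breakpoint trap.
0x0000000000401050 in ?? ()
rax            0x3                 3
rbx            0x2                 2
rcx            0x11                17
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
r8             0x0                 0
r9             0x0                 0
r10            0x0                 0
r11            0x0                 0
r12            0x0                 0
r13            0x0                 0
r14            0x0                 0
r15            0x0                 0
rip            0x401050            0x401050
eflags         0x202               [ IF ]
"""

if __name__ == '__main__':
    print(run_pipeline(SAMPLE_BANNER))
```

The whole-token match in parse_info_registers is what replaces the writeup's hard-coded column index: gdb pads the register name to a fixed width, so splitting on whitespace and taking the second field is stable across names of different lengths, and checking for all fourteen registers before answering avoids sending a half-filled state.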


The code:

# libcookie (Sock) and asm (Capstone) are the author's own helper modules.
from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server, and the state after running the code.
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)   # registers still to be read from the gdb dump

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

data = s.readUntil('bytes:')

# Parse the "name=value" register lines; the line containing 'bytes'
# carries the code size as its fourth word.
sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk + '='):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])

binary = data[-sz:]
code = []

print('[%s]' % binary)
print('given size: %d  bin size: %d' % (sz, len(binary)))
print(cpuRegs)

# One mov per register to load the initial state before the challenge code.
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
# Append the disassembly of the challenge bytes (author's asm helper).
Capstone().dump('x86', '64', binary, 'code.asm')

print('Compilando ...')
# os.system waits for each tool to finish before the next one starts.
os.system('nasm -f elf64 code.asm')
os.system('ld -o code code.o')

print('Ejecutando ...')
# Run until the int 3 raises SIGTRAP, dump the registers and exit
# (-batch quits without asking for confirmation).
fd = os.popen("gdb -batch code -ex 'r' -ex 'i r'", 'r')
for l in fd.readlines():
    # 'i r' prints "<name> <hex value> <natural value>"; match the name as a
    # whole token rather than a substring, and take the hex column.
    parts = l.split()
    if len(parts) < 2 or parts[0] not in finalRegs:
        continue
    x = parts[0]
    print('reg: %s' % x)
    finalRegs[x] = parts[1]
    fregs -= 1
    if fregs == 0:
        buff = []
        for k in finalRegs.keys():
            buff.append('%s=%s' % (k, finalRegs[k]))

        print('\n'.join(buff) + '\n')

        print(s.readAll())
        s.write('\n'.join(buff) + '\n\n\n')
        print('waiting flag ....')
        print(s.readAll())

        print('----- yeah? -----')

fd.close()
s.close()
