Thursday, May 25, 2023

Defcon 2015 Coding Skillz 1 Writeup

On connecting to the service, we receive a dump of the 64-bit CPU registers followed by a blob of binary code.



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the 10-second server socket timeout.

The exploit is quite simple: we set the CPU registers to these values, execute the code, and read back the resulting registers.

In Python we created two structures, one for the initial state and one for the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We then assemble the movs together with the binary code as 64-bit, replacing the last ret instruction with a SIGTRAP ("int 3").
We assemble with nasm and link with ld in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

We then use GDB to execute the code until the SIGTRAP and dump the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers, send them to the server in the same format, and get the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

# parse the initial register values (reg=value lines) and the size of the code blob
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


# one mov per register recreates the initial CPU state
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
# run under gdb until the int 3 trap, then dump the registers with 'i r'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()
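
The same pipeline with stricter parsing, as an added example (Python 3, not part of the original script): it builds the NASM source with the movs and the trap, and reads gdb's register dump by matching register names at the start of the line, since a substring test also hits unrelated lines (for instance 'rsi' inside the word 'version' in gdb's banner). The reg=value format, the register order of the reply, the function names and all sample data are assumptions constructed for illustration.

```python
import re

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

def parse_initial(banner):
    """Collect reg=value lines (format assumed from the script's '=' split)."""
    regs = {}
    for line in banner.splitlines():
        m = re.match(r'^(\w+)=(0x[0-9a-fA-F]+)\s*$', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
    return regs

def build_asm(regs, body):
    """NASM source: load the initial state, run the body, trap instead of ret."""
    body = list(body)
    if body and body[-1].strip() == 'ret':
        body[-1] = 'int 3'          # SIGTRAP hands control back to gdb
    lines = ['global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    lines += ['    ' + ins for ins in body]
    return '\n'.join(lines) + '\n'

def parse_gdb_registers(output):
    """Read the hex column of 'info registers', matching names at line start."""
    final = {}
    for line in output.splitlines():
        m = re.match(r'^(\w+)\s+(0x[0-9a-fA-F]+)\b', line)
        if m and m.group(1) in REGS:
            final[m.group(1)] = m.group(2)
    return final

def format_reply(final):
    """Answer in the same reg=value form, one register per line."""
    return ''.join('%s=%s\n' % (r, final[r]) for r in REGS)

# Constructed sample: a gdb banner line plus 'i r' style rows (not real output).
SAMPLE_GDB = ('License GPLv3+: GNU GPL version 3 or later\n'
              + ''.join('%-15s0x%-17x%d\n' % (r, i + 1, i + 1)
                        for i, r in enumerate(REGS))
              + 'rip            0x4000f7           0x4000f7 <_start+71>\n')

if __name__ == '__main__':
    start = parse_initial('rax=0x10\nrbx=0x2\n')   # constructed banner
    start.update({r: '0x0' for r in REGS if r not in start})
    print(build_asm(start, ['add rax, rbx', 'ret']))
    print(format_reply(parse_gdb_registers(SAMPLE_GDB)))
```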




