Saturday, August 22, 2020

Defcon 2015 Coding Skillz 1 Writeup

Just by connecting to the service, a dump of 64-bit CPU registers is received, followed by a block of binary code:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the server's 10-second socket timeout.

The exploit is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.

In Python we created two structures, one for the initial state and one for the final state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

At the beginning of the program we inject several movs to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

We assemble the movs and the binary code as 64-bit, but replace the final ret instruction with a SIGTRAP, "int 3".
We assemble with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And we use GDB to execute the code until the SIGTRAP, then dump the registers:

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        ...

We just parse the registers, send them to the server in the same format, and get the key.
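The whole procedure above (parse the dump, load the initial state with movs, run the received bytes up to a trap, read the registers back and answer in the same format), as an added Python 3 example that is not the original exploit. The wire format it parses (reg=value lines, a line whose fourth token is the byte count, then the raw code), the sample machine code and the gdb output are constructed assumptions modelled on the writeup's parser; the received bytes are emitted with a NASM `db` directive instead of being disassembled with Capstone, which avoids that dependency, and only `run_with_gdb` needs nasm, ld and gdb installed.

```python
"""Added example (not the original exploit): an offline model of the pipeline.
Assumed wire format: 'reg=value' lines, a line whose fourth token is the byte
count, then the raw machine code. The trailing `ret` is replaced by `int3` so
gdb stops with SIGTRAP while the registers still hold the snippet's result."""
import os
import re
import subprocess

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample snippet: add rax, rbx ; inc rcx ; ret
SAMPLE_CODE = bytes.fromhex('4801d8' '48ffc1' 'c3')

# Constructed server dump in the assumed format (initial state + code bytes).
SAMPLE_DUMP = (
    b'rax=0x1\nrbx=0x2\nrcx=0x3\nrdx=0x0\nrsi=0x0\nrdi=0x0\n'
    b'r8=0x0\nr9=0x0\nr10=0x0\nr11=0x0\nr12=0x0\nr13=0x0\nr14=0x0\nr15=0x0\n'
    b'About to send 7 bytes:\n' + SAMPLE_CODE
)

# Constructed `info registers` output for that snippet (rax = 1 + 2, rcx = 3 + 1).
# gdb separates the columns with spaces or tabs depending on version; both parse.
SAMPLE_GDB_OUTPUT = (
    'Program received signal SIGTRAP, Trace/breakpoint trap.\n'
    'rax            0x3                 3\n'
    'rbx            0x2                 2\n'
    'rcx\t0x4\t4\n'
    'rdx            0x0                 0\n' 'rsi            0x0                 0\n'
    'rdi            0x0                 0\n' 'rbp            0x0                 0x0\n'
    'rsp            0x7fffffffe3a0      0x7fffffffe3a0\n'
    'r8             0x0                 0\n' 'r9             0x0                 0\n'
    'r10            0x0                 0\n' 'r11            0x0                 0\n'
    'r12            0x0                 0\n' 'r13            0x0                 0\n'
    'r14            0x0                 0\n' 'r15            0x0                 0\n'
    'rip            0x401047            0x401047\n'
    'eflags         0x202               [ IF ]\n'
)

def parse_challenge(data):
    """Return (initial register dict, code bytes) from the raw server data."""
    head, sep, _ = data.partition(b'bytes:')
    regs, size = {}, None
    for line in (head + sep).decode('ascii', 'replace').splitlines():
        name, eq, value = line.partition('=')
        if eq and name.strip() in REGS:
            regs[name.strip()] = value.strip()
        elif 'bytes' in line:
            size = int(line.split()[3])        # "About to send 7 bytes:" -> 7
    if size is None or len(regs) != len(REGS):
        raise ValueError('incomplete register dump')
    return regs, data[-size:]                   # the code is the last `size` bytes

def build_asm(regs, code):
    """NASM source that loads the initial state, then runs the code up to int3."""
    body = bytearray(code)
    if not body or body[-1] != 0xC3:
        raise ValueError('expected the snippet to end in ret (0xc3)')
    body[-1] = 0xCC                             # ret -> int3 (SIGTRAP under gdb)
    lines = ['BITS 64', 'global _start', 'section .text', '_start:']
    lines += ['    mov %s, %s' % (r, regs[r]) for r in REGS]
    lines.append('    db ' + ', '.join('0x%02x' % b for b in body))
    return '\n'.join(lines) + '\n'

GDB_REG = re.compile(r'^(%s)\s+(0x[0-9a-f]+)\b' % '|'.join(REGS), re.IGNORECASE)

def parse_gdb_registers(output):
    """Collect the 14 general-purpose registers from `info registers` output."""
    final = {}
    for line in output.splitlines():
        m = GDB_REG.match(line)
        if m:
            final[m.group(1).lower()] = m.group(2)
    missing = [r for r in REGS if r not in final]
    if missing:
        raise ValueError('registers missing from gdb output: %s' % missing)
    return final

def format_reply(final):
    """Answer in the same reg=value format the server used."""
    return '\n'.join('%s=%s' % (r, final[r]) for r in REGS) + '\n'

def run_with_gdb(asm_text, workdir='.'):
    """Assemble, link and run under gdb until the SIGTRAP (needs nasm, ld, gdb)."""
    with open(os.path.join(workdir, 'code.asm'), 'w') as fd:
        fd.write(asm_text)
    subprocess.run(['nasm', '-f', 'elf64', 'code.asm'], cwd=workdir, check=True)
    subprocess.run(['ld', '-o', 'code', 'code.o'], cwd=workdir, check=True)
    out = subprocess.run(['gdb', '--batch', '-ex', 'run', '-ex', 'info registers', './code'],
                         cwd=workdir, capture_output=True, text=True).stdout
    return parse_gdb_registers(out)

if __name__ == '__main__':
    regs, code = parse_challenge(SAMPLE_DUMP)
    print(build_asm(regs, code))
    print(format_reply(parse_gdb_registers(SAMPLE_GDB_OUTPUT)))
```

The regex-based gdb parser replaces the fixed column index of the writeup's loop, which breaks whenever gdb's spacing changes; on a real connection the output of `run_with_gdb` would be passed to `format_reply` and written back to the socket within the timeout.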


The code:

from libcookie import *   # the author's socket helper (Sock, TCP)
from asm import *         # the author's Capstone wrapper used to disassemble the blob
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

# Initial state received from the server, and final state read back from gdb.
cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = len(finalRegs)   # register lines still to read from gdb (the dicts hold 14 keys)

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

# Parse the "reg=value" lines into cpuRegs and the byte count from the "bytes" line.
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])


# The machine code is the last sz bytes of what was received.
binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)
print cpuRegs


# Prologue: one mov per register to load the initial state.
for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
# Append the disassembly of the received bytes (the final ret is replaced by int 3).
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
# Run under gdb until the SIGTRAP and dump the registers ('i r').
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                # Index 12 relies on gdb's column layout: the hex value column of 'i r'.
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs

                # All registers collected: answer in the same "reg=value" format.
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()



fd.close()
s.close()
