Tuesday, 25 August 2020

Defcon 2015 Coding Skillz 1 Writeup

Just by connecting to the service, we receive a dump of 64-bit CPU registers followed by a blob of machine code, as you can see:



The registers represent an initial CPU state, and we have to reply with the register values that result from executing the binary code. This must be automated because of the 10-second server socket timeout.

The exploit is quite simple: we have to set the CPU registers to these values, execute the code and get the resulting registers.

In Python we created two structures, one for the initial state and one for the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject several movs at the beginning to set the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

Then we do a 64-bit build of the movs plus the binary code, but with the last ret instruction replaced by an "int 3", which raises SIGTRAP.
We assemble and link with nasm in this way (os.system waits for nasm to finish before ld runs):

os.system('nasm -f elf64 code.asm')
os.system('ld -o code code.o')

Then we use GDB to execute the code until the SIGTRAP and dump the registers (--batch makes gdb exit on its own instead of prompting):

fd = os.popen("gdb --batch -ex 'r' -ex 'i r' code", 'r')
for l in fd.readlines():
    spl = l.split()                 # "rax   0x2b   43" -> ['rax', '0x2b', '43']
    if len(spl) >= 2 and spl[0] in finalRegs:
        finalRegs[spl[0]] = spl[1]  # keep the hex column

We just parse the registers, send them to the server in the same format, and get the key.
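The three text transformations the solver does around gdb (parsing the server's register dump, generating the NASM prologue, and turning gdb's `info registers` output back into the reply format), collected into one runnable Python 3 example. This is added here and is not the writeup's code; the banner and gdb transcript below are constructed to match the formats the writeup describes (one `name=value` line per register, a "... N bytes:" line, and gdb's three-column register listing), not captured from the real service.

```python
import re

REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample banner in the shape the writeup parses: one "name=value"
# line per register, then a "... N bytes:" line announcing the raw code.
SAMPLE_DUMP = (
    "Here is the initial state of the CPU:\n"
    "rax=0x1\nrbx=0x2a\nrcx=0xdeadbeef\nrdx=0x0\nrsi=0x0\nrdi=0x0\n"
    "r8=0x0\nr9=0x0\nr10=0x0\nr11=0x0\nr12=0x0\nr13=0x0\nr14=0x0\nr15=0x0\n"
    "About to send 7 bytes:\n"
)

# Constructed sample of what gdb prints after the int 3 and `info registers`.
SAMPLE_GDB = (
    "Program received signal SIGTRAP, Trace/breakpoint trap.\n"
    "0x0000000000401058 in ?? ()\n"
    "rax            0x2b                43\n"
    "rbx            0x2a                42\n"
    "rcx            0xdeadbeef          3735928559\n"
    "rdx            0x0                 0\n"
    "rsi            0x0                 0\n"
    "rdi            0x0                 0\n"
    "rbp            0x0                 0x0\n"
    "rsp            0x7fffffffe3a0      0x7fffffffe3a0\n"
    "r8             0x0                 0\n"
    "r9             0x0                 0\n"
    "r10            0x0                 0\n"
    "r11            0x0                 0\n"
    "r12            0x0                 0\n"
    "r13            0x0                 0\n"
    "r14            0x0                 0\n"
    "r15            0x0                 0\n"
    "rip            0x401058            0x401058\n"
    "eflags         0x202               [ IF ]\n"
)


def parse_dump(text):
    """Return (initial register dict, announced code size) from the banner."""
    regs = {}
    size = None
    for line in text.splitlines():
        m = re.match(r'^(r[a-z0-9]+)=(0x[0-9a-fA-F]+)$', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
        m = re.search(r'(\d+) bytes', line)
        if m:
            size = int(m.group(1))
    missing = [r for r in REGS if r not in regs]
    if missing or size is None:
        raise ValueError('incomplete dump, missing=%s size=%s' % (missing, size))
    return regs, size


def build_prologue(regs):
    """NASM source that loads every register before the server's code runs.
    The caller appends the disassembled blob (with its final ret turned into
    int 3) after this text."""
    lines = ['global _start', 'section .text', '_start:']
    for r in REGS:                       # fixed order, so the file is reproducible
        lines.append('    mov %s, %s' % (r, regs[r]))
    return '\n'.join(lines) + '\n'


def parse_info_registers(text):
    """Pick the hex column of gdb's `info registers` lines for the 14 registers
    the server asks about; rbp/rsp/rip/eflags lines are ignored."""
    found = {}
    for line in text.splitlines():
        parts = line.split()             # whitespace-agnostic, unlike split(' ')
        if len(parts) >= 2 and parts[0] in REGS and parts[1].startswith('0x'):
            found[parts[0]] = parts[1]
    missing = [r for r in REGS if r not in found]
    if missing:
        raise ValueError('gdb output lacks: %s' % missing)
    return found


def format_reply(regs):
    """Reply in the same name=value format the server used."""
    return ''.join('%s=%s\n' % (r, regs[r]) for r in REGS)


if __name__ == '__main__':
    init, size = parse_dump(SAMPLE_DUMP)
    print(build_prologue(init))
    print('expecting %d bytes of code' % size)
    print(format_reply(parse_info_registers(SAMPLE_GDB)))
```

The parser only accepts the 14 named registers and refuses incomplete output instead of counting substring matches, so a stray line that happens to contain a register name cannot trigger an early or missing reply. Everything here works on text; the writeup's real pipeline executes machine code supplied by a remote server natively under gdb, so it belongs in a disposable VM rather than on a workstation.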


The code:

from libcookie import *   # the author's socket helper (Sock, TCP)
from asm import *         # the author's Capstone wrapper that writes the blob as NASM source
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

REGS = ['rax','rbx','rcx','rdx','rsi','rdi','r8','r9','r10','r11','r12','r13','r14','r15']
cpuRegs = dict((r, '') for r in REGS)    # initial state given by the server
finalRegs = dict((r, '') for r in REGS)  # state after running the code, read from gdb

s = Sock(TCP)
s.timeout = 999
s.connect(host, port)

# The server prints the register dump, then a "... N bytes:" line followed by the raw code.
data = s.readUntil('bytes:')

sz = 0
for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]
    if 'bytes' in r:
        sz = int(r.split(' ')[3])   # "About to send N bytes:" -> N

# The raw code is the last sz bytes of the buffer (the helper returned the whole chunk).
binary = data[-sz:]

print '[', binary, ']'
print 'given size:', sz, 'bin size:', len(binary)
print cpuRegs

# Prologue: one mov per register so the blob starts from the given state.
code = []
for r in REGS:
    code.append('mov %s, %s' % (r, cpuRegs[r]))

fd = open('code.asm', 'w')
fd.write('\n'.join(code) + '\n')
fd.close()
# Append the disassembled blob; its final ret becomes an int 3 so gdb stops there.
Capstone().dump('x86', '64', binary, 'code.asm')

print 'Compilando ...'
os.system('nasm -f elf64 code.asm')   # os.system waits, so ld never runs before nasm is done
os.system('ld -o code code.o')

print 'Ejecutando ...'
# --batch: run until the int 3, dump the registers, exit without prompting.
fd = os.popen("gdb --batch -ex 'r' -ex 'i r' code", 'r')
for l in fd.readlines():
    spl = l.split()                   # "rax   0x2b   43" -> ['rax', '0x2b', '43']
    if len(spl) >= 2 and spl[0] in finalRegs:
        finalRegs[spl[0]] = spl[1]    # keep the hex column
fd.close()

missing = [k for k in REGS if finalRegs[k] == '']
if missing:
    print 'err: registers not found in gdb output:', missing
    s.close()
    sys.exit(1)

buff = []
for k in REGS:
    buff.append('%s=%s' % (k, finalRegs[k]))

print '\n'.join(buff) + '\n'

print s.readAll()
s.write('\n'.join(buff) + '\n\n\n')
print 'waiting flag ....'
print s.readAll()

print '----- yeah? -----'
s.close()





