
    Thursday, April 16, 2020

    Defcon 2015 Coding Skillz 1 Writeup

    As soon as you connect to the service you receive a dump of 64-bit CPU registers, followed by a chunk of binary code:



    The registers represent the initial CPU state, and we have to reply with the register values that result from executing the binary code. This has to be automated because the server closes the socket after 10 seconds.

    The solution is quite simple: set the CPU registers to these values, execute the code and read back the resulting registers.

    In Python we created two structures, one for the initial state and one for the final state:

    cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
    finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

    At the beginning of the program we inject one mov per register to set the initial state:

    for r in cpuRegs.keys():
        code.append('mov %s, %s' % (r, cpuRegs[r]))

    We then assemble the movs followed by the binary code as a 64-bit program, but replace the final ret instruction with an "int 3" (SIGTRAP) so execution stops right after the challenge code.
    We assemble it with nasm like this:

    os.popen('nasm -f elf64 code.asm')
    os.popen('ld -o code code.o ')

    Then we use GDB to run the program until the SIGTRAP and dump the registers:

    fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
    for l in fd.readlines():
        for x in finalRegs.keys():
               ...

    We just parse the registers, send them back to the server in the same format, and get the key.
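    The parsing and generation steps of that pipeline, as an added Python 3 example that is my own code and not from the writeup: it parses a constructed sample of the service's register dump, builds the nasm prologue, swaps the trailing ret for int 3, and picks the final values out of a constructed sample of gdb's "info registers" output. The exact dump format, the "... N bytes:" line and the gdb column layout are assumptions modelled on the writeup's own parser; the example stops short of invoking nasm and gdb. Because the real solver executes bytes received from a remote party natively, a throwaway VM is the sensible place to run it.

```python
import re

# x86-64 general-purpose registers the service reports (same set as the writeup).
REGS = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi',
        'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']

# Constructed sample of the service's initial-state dump (not a capture of the
# real challenge): one "reg=value" line per register, then a byte-count line
# shaped like the one the writeup's parser splits on (word index 3 is the count).
SAMPLE_DUMP = (
    "rax=0x1122334455667788\nrbx=0x1\nrcx=0xdeadbeef\nrdx=0x41\n"
    "rsi=0x10\nrdi=0x20\nr8=0x1\nr9=0x2\nr10=0x3\nr11=0x4\n"
    "r12=0x5\nr13=0x6\nr14=0x7\nr15=0x8\n"
    "About to send 4 bytes:\n"
)

# Constructed challenge bytes: "add rax, rbx ; ret" (48 01 d8 c3).
SAMPLE_CODE = b"\x48\x01\xd8\xc3"

# Constructed sample of gdb's "info registers" output after the int 3 fired.
SAMPLE_GDB = """Program received signal SIGTRAP, Trace/breakpoint trap.
0x0000000000401080 in _start ()
rax            0x1122334455667789  1234605616436508553
rbx            0x1                 1
rcx            0xdeadbeef          3735928559
rdx            0x41                65
rsi            0x10                16
rdi            0x20                32
rbp            0x0                 0x0
rsp            0x7fffffffe3d0      0x7fffffffe3d0
r8             0x1                 1
r9             0x2                 2
r10            0x3                 3
r11            0x4                 4
r12            0x5                 5
r13            0x6                 6
r14            0x7                 7
r15            0x8                 8
rip            0x401080            0x401080 <_start+0>
eflags         0x246               [ IF ZF PF ]
"""


def parse_initial_state(text):
    """Extract the initial register values and the announced code size."""
    regs, size = {}, None
    for line in text.splitlines():
        m = re.match(r'^(\w+)=(0x[0-9a-fA-F]+|\d+)$', line.strip())
        if m and m.group(1) in REGS:
            regs[m.group(1)] = m.group(2)
            continue
        m = re.search(r'(\d+)\s+bytes', line)
        if m:
            size = int(m.group(1))
    missing = [r for r in REGS if r not in regs]
    if missing or size is None:
        raise ValueError('incomplete dump: missing=%s size=%s' % (missing, size))
    return regs, size


def patch_trailing_ret(code):
    """Replace the final ret (0xC3) with int 3 (0xCC) so gdb stops there."""
    if not code or code[-1] != 0xC3:
        raise ValueError('challenge code does not end with ret')
    return code[:-1] + b'\xcc'


def build_prologue(regs):
    """nasm source that loads every register; the challenge code follows it."""
    lines = ['BITS 64', 'global _start', '_start:']
    lines += ['mov %s, %s' % (r, regs[r]) for r in REGS]
    return '\n'.join(lines) + '\n'


def parse_gdb_registers(output, wanted=REGS):
    """Pick the 'name hex decimal' rows out of gdb's 'info registers' output."""
    found = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in wanted:
            found[parts[0]] = parts[1]
    missing = [r for r in wanted if r not in found]
    if missing:
        raise ValueError('gdb output lacks registers: %s' % missing)
    return found


def format_reply(regs):
    """Answer in the same 'reg=value' format the service used."""
    return '\n'.join('%s=%s' % (r, regs[r]) for r in REGS) + '\n'


def solve_sample():
    """End-to-end on the constructed samples; nasm/gdb are not actually run."""
    regs, size = parse_initial_state(SAMPLE_DUMP)
    if size != len(SAMPLE_CODE):
        raise ValueError('announced size %d != received %d' % (size, len(SAMPLE_CODE)))
    return {
        'asm': build_prologue(regs),                 # would be written to code.asm
        'code': patch_trailing_ret(SAMPLE_CODE),     # would be appended after it
        'reply': format_reply(parse_gdb_registers(SAMPLE_GDB)),
    }


if __name__ == '__main__':
    print(solve_sample()['reply'])
```

    Matching gdb rows by exact first token (rather than a substring test) keeps rip, rsp and rbp out of the reply, and the size check catches a short read before anything is assembled.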


    The code:

    # libcookie (Sock) and asm (Capstone wrapper) are the author's own helper
    # modules, not standard-library packages.
    from libcookie import *
    from asm import *
    import os
    import sys

    host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
    port = 9999

    # Initial state received from the server and final state read back from gdb.
    REGS = ['rax','rbx','rcx','rdx','rsi','rdi','r8','r9','r10','r11','r12','r13','r14','r15']
    cpuRegs = dict((r, '') for r in REGS)
    finalRegs = dict((r, '') for r in REGS)
    fregs = len(finalRegs)   # registers still to be parsed from gdb output

    s = Sock(TCP)
    s.timeout = 999
    s.connect(host, port)

    # The server prints one "reg=value" line per register and a "... N bytes:"
    # line announcing the size of the raw machine code.
    data = s.readUntil('bytes:')

    sz = 0
    for r in data.split('\n'):
        for rk in cpuRegs.keys():
            if r.startswith(rk + '='):
                cpuRegs[rk] = r.split('=')[1]

        if 'bytes' in r:
            sz = int(r.split(' ')[3])

    binary = data[-sz:]
    code = []

    print '[', binary, ']'
    print 'given size:', sz, 'bin size:', len(binary)
    print cpuRegs

    # Prologue: load every register with the initial state.
    for r in REGS:
        code.append('mov %s, %s' % (r, cpuRegs[r]))

    fd = open('code.asm', 'w')
    fd.write('\n'.join(code) + '\n')
    fd.close()
    # Disassemble the challenge bytes and append them to code.asm.
    Capstone().dump('x86', '64', binary, 'code.asm')

    print 'Compilando ...'
    # os.system waits for each tool to finish before the next one starts.
    os.system('nasm -f elf64 code.asm')
    os.system('ld -o code code.o')

    print 'Ejecutando ...'
    # Run under gdb until the int 3, then print every register.
    fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'", 'r')
    for l in fd.readlines():
        spl = l.split()   # "rax    0x1234    4660" -> ['rax', '0x1234', '4660']
        if len(spl) < 2 or spl[0] not in finalRegs:
            continue
        print 'reg: ', spl[0]
        finalRegs[spl[0]] = spl[1]
        fregs -= 1
        if fregs == 0:
            # All registers collected: answer in the server's own format.
            buff = []
            for k in finalRegs.keys():
                buff.append('%s=%s' % (k, finalRegs[k]))

            print '\n'.join(buff) + '\n'

            print s.readAll()
            s.write('\n'.join(buff) + '\n\n\n')
            print 'waiting flag ....'
            print s.readAll()

            print '----- yeah? -----'
            s.close()

    fd.close()
    s.close()




