IKATAN ALUMNI SMPN 233 JAKARTA BLOG

Salam semua para alumni SMPN 233 Jakarta, Apa kabar ?
Blog ini gue buat dengan tujuan biar kita bisa saling sharing dan juga bila ada informasi terbaru yang isinya kumpul - kumpul bisa dengan segera disampikan, Buat para alumni yang jauh mengerti tentang blog dan sebagainya, bisa bantu gue memperbaiki blog ini dan menjadikannya lebih indah.....Gue tunggu partisipasinya.

salam kehangatan

see zhiunk

27 Jan 2024

Defcon 2015 Coding Skillz 1 Writeup

Just connecting to the service, a 64bit cpu registers dump is received, and so does several binary code as you can see:



The registers represent an initial cpu state, and we have to reply with the registers result of the binary code execution. This must be automated becouse of the 10 seconds server socket timeout.

The exploit is quite simple, we have to set the cpu registers to this values, execute the code and get resulting registers.

In python we created two structures for the initial state and the ending state.

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}

We inject at the beginning several movs for setting the initial state:

for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))

The 64bit compilation of the movs and the binary code, but changing the last ret instruction by a sigtrap "int 3"
We compile with nasm in this way:

os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

And use GDB to execute the code until the sigtrap, and then get the registers

fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
           ...

We just parse the registers and send the to the server in the same format, and got the key.


The code:

from libcookie import *
from asm import *
import os
import sys

host = 'catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me'
port = 9999

cpuRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
finalRegs = {'rax':'','rbx':'','rcx':'','rdx':'','rsi':'','rdi':'','r8':'','r9':'','r10':'','r11':'','r12':'','r13':'','r14':'','r15':''}
fregs = 15

s = Sock(TCP)
s.timeout = 999
s.connect(host,port)

data = s.readUntil('bytes:')


#data = s.read(sz)
#data = s.readAll()

sz = 0

for r in data.split('\n'):
    for rk in cpuRegs.keys():
        if r.startswith(rk):
            cpuRegs[rk] = r.split('=')[1]

    if 'bytes' in r:
        sz = int(r.split(' ')[3])



binary = data[-sz:]
code = []

print '[',binary,']'
print 'given size:',sz,'bin size:',len(binary)        
print cpuRegs


for r in cpuRegs.keys():
    code.append('mov %s, %s' % (r, cpuRegs[r]))


#print code

fd = open('code.asm','w')
fd.write('\n'.join(code)+'\n')
fd.close()
Capstone().dump('x86','64',binary,'code.asm')

print 'Compilando ...'
os.popen('nasm -f elf64 code.asm')
os.popen('ld -o code code.o ')

print 'Ejecutando ...'
fd = os.popen("gdb code -ex 'r' -ex 'i r' -ex 'quit'",'r')
for l in fd.readlines():
    for x in finalRegs.keys():
        if x in l:
            l = l.replace('\t',' ')
            try:
                i = 12
                spl = l.split(' ')
                if spl[i] == '':
                    i+=1
                print 'reg: ',x
                finalRegs[x] = l.split(' ')[i].split('\t')[0]
            except:
                print 'err: '+l
            fregs -= 1
            if fregs == 0:
                #print 'sending regs ...'
                #print finalRegs
                
                buff = []
                for k in finalRegs.keys():
                    buff.append('%s=%s' % (k,finalRegs[k]))


                print '\n'.join(buff)+'\n'

                print s.readAll()
                s.write('\n'.join(buff)+'\n\n\n')
                print 'waiting flag ....'
                print s.readAll()

                print '----- yeah? -----'
                s.close()
                



fd.close()
s.close()





More articles


  1. Hacker Tools For Ios
  2. Hacking Tools Kit
  3. Hacking Tools For Kali Linux
  4. Pentest Tools Open Source
  5. Game Hacking
  6. Hacking Tools
  7. Hacks And Tools
  8. Hacker Tools List
  9. Best Hacking Tools 2019
  10. Hacking Tools Pc
  11. Hack App
  12. How To Make Hacking Tools
  13. Bluetooth Hacking Tools Kali
  14. Pentest Tools For Windows
  15. Beginner Hacker Tools
  16. Hacking Tools Windows
  17. Hacker Tools For Pc
  18. Blackhat Hacker Tools
  19. Hacker Tools For Mac
  20. Hacker
  21. Hacking Apps
  22. Pentest Reporting Tools
  23. Hacking Tools Windows
  24. New Hack Tools
  25. Hack Tools Online
  26. Android Hack Tools Github
  27. Pentest Tools Port Scanner
  28. Hacking Tools Free Download
  29. Hacking Tools For Mac
  30. What Are Hacking Tools
  31. Github Hacking Tools
  32. Best Hacking Tools 2019
  33. Hack Tools 2019
  34. Pentest Tools Port Scanner
  35. What Are Hacking Tools
  36. Nsa Hack Tools Download
  37. Hack Apps
  38. Kik Hack Tools
  39. Hacking Tools For Beginners
  40. Hack App
  41. Game Hacking
  42. Hack Tools
  43. Tools 4 Hack
  44. Install Pentest Tools Ubuntu
  45. Pentest Tools Linux
  46. Hack Tools Download
  47. Hack Tools For Mac
  48. Hacking Tools Hardware
  49. Pentest Tools Nmap
  50. Pentest Tools
  51. Best Hacking Tools 2020
  52. Tools Used For Hacking
  53. Hack Tools For Windows
  54. Pentest Tools Find Subdomains
  55. How To Hack
  56. Hacking Tools Windows 10
  57. Hacker
  58. Hacker Tools Apk
  59. Usb Pentest Tools
  60. Hack Tool Apk No Root
  61. Hack Tools Github
  62. Hacker Tools Apk Download
  63. Hacker Tools For Windows
  64. Hacker Tools Linux
  65. Hack Tool Apk No Root
  66. Underground Hacker Sites
Diposting oleh di

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)

Face Book