[coding] DEFCON CTF Qualifier 2015, catwestern Writeups

<문제 유형>

blackcon@bk:~/def/code$nc catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me 9999

****Initial Register State****

rax=0x408ac14d14c91041

rbx=0x92b94f86512d81f7

rcx=0x27e130edb33ed938

rdx=0x4908d46be209ea22

rsi=0x46544d33f066a612

rdi=0x7917f07f5de389fd

r8=0x1be4f02013a8e1bd

r9=0xa30f7795d3397ee3

r10=0x2bce7d9563e73db2

r11=0x75aabcc891d0be75

r12=0x65f56eb6f0aea8a0

r13=0xfb79336eaae8f23a

r14=0xfe3972f02bb89884

r15=0x43aa67d92fe69f90

****Send Solution In The Same Format****

About to send 62 bytes:

L��I��H��M�I��0�PqI��I��H�� L��

****Improperly formatted solution

->64bit 레지스터를 제공

->쓰레기값처럼 보이지만 64bit Opcode를 제공

<풀이 순서>

1. 레지스터값을 저장하는 asm.s를 생성( ex: mov rax, 0x12345678 ,,, )

-> 코드를 생성 후 nasm -f elf64 -o ./asm ./asm.s 로 컴파일

2. OPcode를 실행할 수 있는 바이너리 생성( gcc -o exec exec.c -z execstack )

3. 레지스터와 opcode를 파일로 저장 후 실행

4. 그 결과를 받아와서 서버로 전송.

[+] exec.c

#include <stdio.h>
#include <string.h>

unsigned char code[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";

int main() {
    long long rax = 0;
    long long rbx = 0;
    long long rcx = 0;
    long long rdx = 0;
    long long rsi = 0;
    long long rdi = 0;
    long long r8  = 0;
    long long r9  = 0;
    long long r10 = 0;
    long long r11 = 0;
    long long r12 = 0;
    long long r13 = 0;
    long long r14 = 0;
    long long r15 = 0;

int (*ret)() = (int(*)())code;
    ret();
    __asm__ __volatile__( "mov %%rax, %0" :"=g"(rax) );
    __asm__ __volatile__( "mov %%rbx, %0" :"=g"(rbx) );
    __asm__ __volatile__( "mov %%rcx, %0" :"=g"(rcx) );
    __asm__ __volatile__( "mov %%rdx, %0" :"=g"(rdx) );
    __asm__ __volatile__( "mov %%rsi, %0" :"=g"(rsi) );
    __asm__ __volatile__( "mov %%rdi, %0" :"=g"(rdi) );
    __asm__ __volatile__( "mov %%r8, %0" :"=g"(r8) );
    __asm__ __volatile__( "mov %%r9, %0" :"=g"(r9) );
    __asm__ __volatile__( "mov %%r10, %0" :"=g"(r10) );
    __asm__ __volatile__( "mov %%r11, %0" :"=g"(r11) );
    __asm__ __volatile__( "mov %%r12, %0" :"=g"(r12) );
    __asm__ __volatile__( "mov %%r13, %0" :"=g"(r13) );
    __asm__ __volatile__( "mov %%r14, %0" :"=g"(r14) );
    __asm__ __volatile__( "mov %%r15, %0" :"=g"(r15) );
    printf("rax=%p\n", rax );
    printf("rbx=%p\n", rbx );
    printf("rcx=%p\n", rcx );
    printf("rdx=%p\n", rdx );
    printf("rsi=%p\n", rsi );
    printf("rdi=%p\n", rdi );
    printf("r8=%p\n", r8 );
    printf("r9=%p\n", r9 );
    printf("r10=%p\n", r10 );
    printf("r11=%p\n", r11 );
    printf("r12=%p\n", r12 );
    printf("r13=%p\n", r13 );
    printf("r14=%p\n", r14 );
    printf("r15=%p\n", r15 );
    return 0;
}

[+] go.py

#!/usr/bin/env python
import struct
import socket
import os

p  = lambda x:  struct.pack( ">Q", x )
up = lambda x:  struct.unpack( "<Q", x )[0]

host = "catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me"
port = 9999
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect( ( host, port ) )

def u_recv( st ):
    bf = ''
    while st not in bf:
        bf += s.recv( 1 )
    return bf

def make_asm( data ):
    pay =   "section .text\n"
    pay +=  "\tglobal _start\n"
    pay +=  "_start:\n"
    pay +=  "\tmov rax, %s\n" % data[ 0 ]
    pay +=  "\tmov rbx, %s\n" % data[ 1 ]
    pay +=  "\tmov rcx, %s\n" % data[ 2 ]
    pay +=  "\tmov rdx, %s\n" % data[ 3 ]
    pay +=  "\tmov rsi, %s\n" % data[ 4 ]
    pay +=  "\tmov rdi, %s\n" % data[ 5 ]
    pay +=  "\tmov r8,  %s\n" % data[ 6 ]
    pay +=  "\tmov r9,  %s\n" % data[ 7 ]
    pay +=  "\tmov r10, %s\n" % data[ 8 ]
    pay +=  "\tmov r11, %s\n" % data[ 9 ]
    pay +=  "\tmov r12, %s\n" % data[10 ]
    pay +=  "\tmov r13, %s\n" % data[11 ]
    pay +=  "\tmov r14, %s\n" % data[12 ]
    pay +=  "\tmov r15, %s\n" % data[13 ]
    fd = open ( "asm.s", "wb" )
    fd.write( pay )
    fd.close()
    os.popen( "nasm -f elf64 -o ./asm ./asm.s" )

fd = open( "./asm", "rb" )
    data = fd.read()
    fd.close()
    data = data[0x98: 0xa0]
    start = up( data )

## reg init ##
    fd = open( "./asm", "rb" )
    data = fd.read()
    fd.close()
    data = data[ start: 0x20c]
    return data

def make_binary( reg, opcode ):
    fd = open( "./exec", "rb" )
    fr = fd.read()
    fd.close()
    pos = fr.find( "a" * 238 )
    print pos

prol = "\x55"                           # push rbp
    prol += "\x48\x89\xe5"                   # mov rbp, rsp
    prol += "\x48\x81\xec\x00\x10\x00\x00"   # sub rsp, 0x1000
    #epil = "\x48\x81\xc4\x00\x10\x00\x00"
    #epil += "\x5d"
    epil = "\x48\x89\xff"
    epil += "\xc9\xc3"

new = fr[:pos]
    new += prol
    new += reg
    new += opcode
    new += epil
    new += ( "\x00" * (238 - len( reg ) - len( opcode ) - len(epil)))
    new += fr[len(new):]

fd = open( "./bin", "wb" )
    fd.write( new )
    fd.close()

def go():
    os.popen( "chmod a+x ./bin" )
    a = os.popen( "./bin" )
    print '----------------'
    data = a.read()
    print data
    s.send( data )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )
    print s.recv( 1024 )

data = u_recv( "bytes:" )
size = int( data.split( "send ")[1].split( "byte" )[0] )
print data 
rax = data.split( "rax=" )[1].split( "\n" )[0]
rbx = data.split( "rbx=" )[1].split( "\n" )[0]
rcx = data.split( "rcx=" )[1].split( "\n" )[0]
rdx = data.split( "rdx=" )[1].split( "\n" )[0]
rsi = data.split( "rsi=" )[1].split( "\n" )[0]
rdi = data.split( "rdi=" )[1].split( "\n" )[0]
r8  = data.split( "r8="  )[1].split( "\n" )[0]
r9  = data.split( "r9="  )[1].split( "\n" )[0]
r10 = data.split( "r10="  )[1].split( "\n" )[0]
r11 = data.split( "r11="  )[1].split( "\n" )[0]
r12 = data.split( "r12="  )[1].split( "\n" )[0]
r13 = data.split( "r13="  )[1].split( "\n" )[0]
r14 = data.split( "r14="  )[1].split( "\n" )[0]
r15 = data.split( "r15="  )[1].split( "\n" )[0]

reg  = rax, rbx, rcx, rdx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15
print reg
reg  = make_asm( reg )

opcode = s.recv( size ).split( "\x20\x0a" )[1]
make_binary( reg, opcode )
go()
s.close()
'''
rax=0x661cf34c7a771023
rbx=0xabf5c9896f78e11a
rcx=0x8b156f5647e16fd4
rdx=0x146e94a01054a04
rsi=0xa87fd621773210e4
rdi=0xdc35c5ab946879f8
r8=0x1113a8a5b487f780
r9=0xb9a8b355f512d8b9
r10=0xec2e4e8414fa61c3
r11=0x34dde2fa201f7d88
r12=0xfffffe2959934d0a
r13=0x3c5ce8eeb53ee06e
r14=0xffffffffdd737b7a
r15=0x10790613042a616

�
The flag is: Cats with frickin lazer beamz on top of their heads!
'''

저작자표시

'Security > [게임] CTF 풀이' 카테고리의 다른 글

[exploit] 2016 SecconCTF - checker writeups (exploit only) (0)	2016.12.11
2015 HUST hacking festival (0)	2015.06.01
[exploit] DEFCON CTF Qualifier 2015, babyecho Writeups (3)	2015.05.18
[exploit] Plaid CTF 2015 EBP writeup (0)	2015.04.24
[exploit] 홀리쉴드 2014 catlang writeups (2)	2014.11.28

Hello, Stranger

[coding] DEFCON CTF Qualifier 2015, catwestern Writeups

'Security > [게임] CTF 풀이' 카테고리의 다른 글

티스토리툴바

[coding] DEFCON CTF Qualifier 2015, catwestern Writeups

'Security > [게임] CTF 풀이' 카테고리의 다른 글

관련글

티스토리툴바