{"id":5293,"date":"2015-05-19T14:44:21","date_gmt":"2015-05-19T05:44:21","guid":{"rendered":"https:\/\/mimumimu.net\/blog\/?p=5293"},"modified":"2015-05-19T14:51:11","modified_gmt":"2015-05-19T05:51:11","slug":"defcon-ctf-23-quals-catwestern","status":"publish","type":"post","link":"https:\/\/mimumimu.net\/blog\/2015\/05\/19\/defcon-ctf-23-quals-catwestern\/","title":{"rendered":"DEFCON CTF 23 Quals – catwestern Writeup"},"content":{"rendered":"

\u3054\u7121\u6c99\u6c70\u3057\u3066\u307e\u3059\u3002\u307f\u3080\u3089\u3067\u3059\u3002
\u4eca\u5e74\u306f\u3001\u67d0\u300c\u307f\u304b\u304b\u300d\u306a\u5834\u6240\u3067 Team Enu \u306e\u307f\u306a\u3055\u3093\u3068\u4e00\u7dd2\u306b\u53c2\u52a0\u3057\u3066\u304d\u307e\u3057\u305f\u3002<\/p>\n

\u3084\u306f\u308a\u5408\u5bbf\u5f62\u5f0f\u3067\u3084\u308b\u3068\u3044\u3046\u306e\u306f\u9762\u767d\u3044\u3067\u3059\u3057\u3001
\u51fa\u6765\u308b\u4eba\u304c\u5468\u308a\u306b\u5c45\u307e\u3059\u3068\u3001\u305d\u308c\u3060\u3051\u3067\u304b\u306a\u308a\u6210\u9577\u3067\u304d\u308b\u306a\u3068\u3044\u3046\u3053\u3068\u3092\u5f37\u304f\u601d\u3044\u307e\u3057\u305f\u3002
\u30fb\u30fb\u30fb\u6765\u5e74\u3082\u3053\u3046\u3044\u3046\u611f\u3058\u3067\u51fa\u6765\u305f\u3089\u3044\u3044\u306a\u3041\u30fb\u30fb\u3068\u601d\u3046\u305d\u3093\u306a\u4eca\u65e5\u3053\u306e\u9803\u3067\u3059\u3002<\/p>\n

\u3068\u3044\u3046\u308f\u3051\u3067\u3001\u3061\u3083\u3093\u3068\u6700\u5f8c\u307e\u3067\u81ea\u5206\u3067\u3084\u308a\u304d\u3063\u305f\u5185\u5bb9\u306e Write-up \u3068\u3044\u3046\u3053\u3068\u3067
catwestern \u306eWrite-up \u3092\u3002<\/p>\n

 <\/p>\n

catwestern<\/h3>\n
\n

\u6307\u5b9a\u3055\u308c\u305f\u30b5\u30fc\u30d0\u306b\u63a5\u7d9a\u3059\u308b\u3068\u6b21\u306e\u3088\u3046\u306a\u30d0\u30a4\u30ca\u30ea\u30c7\u30fc\u30bf\u304c\u9001\u4fe1\u3055\u308c\u3066\u304d\u307e\u3059\u3002<\/p>\n

\"image\"<\/a><\/p>\n

 <\/p>\n

\u4e0a\u306e\u65b9\u306f\u300c\u30ec\u30b8\u30b9\u30bf\u300d\u306e\u60c5\u5831\u3067\u3001
\u201dAbout to send ** bytes:\u201d \u306e\u5148\u306b x86_64 \u3063\u307d\u3044\u30d0\u30a4\u30ca\u30ea\u304c
\u9001\u3089\u308c\u3066\u304d\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308b\u304b\u3068\u601d\u3044\u307e\u3059\u3002 <\/p>\n

 <\/p>\n

\u3053\u3053\u3067 mzyy94 \uff08\u307f\u3063\u304d\u30fc\uff09\u3055\u3093\u304c
\u300crax=\u2026 \u3092\u305d\u306e\u307e\u307e\u8fd4\u3059\u3068\u3001\u5fdc\u7b54\u304c\u5909\u308f\u308b\uff01\u300d\u3068\u6559\u3048\u3066\u304f\u308c\u307e\u3057\u3066
\u5b9f\u884c\u3057\u3066\u305d\u306e\u7d50\u679c\u3092\u8fd4\u305b\u3070\u3044\u3044\u306e\u304b\u306a\u3001\u3068\u3044\u3046\u3053\u3068\u3067\u3084\u3063\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n

 <\/p>\n

Code:<\/p>\n

\n
#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n#include <arpa\/inet.h>\n#include <string.h>\n#include <sys\/mman.h>\n \nstatic char* code;\nstatic unsigned long reg[15];\n \nvoid main(void)\n{\n    int sock;\n    struct sockaddr_in server;\n \n    memset((void*)&server,0,sizeof(server));\n    server.sin_addr.s_addr = inet_addr("52.74.101.145");\n    server.sin_family = AF_INET;\n    server.sin_port = htons(9999);\n \n    sock = socket(AF_INET,SOCK_STREAM,0);\n    if(sock == -1) return;\n \n    if(connect(sock, (struct sockaddr*)&server, sizeof(server)) < 0)\n        return;\n \n    while(1)\n    {\n        char buf[4192];\n        int i,codesize,pagesize;\n \n        memset(buf,0,sizeof(buf));\n        read(sock,buf,sizeof(buf));\n \n        printf("INPUT : \\n%s\\n",buf);\n \n        {\n            char *tp;\n         \n            tp = strtok(buf,"\\n");\n            for(i = -1; tp != NULL; i++)\n            {\n                if(strstr(tp,"=") != 0)\n                    reg[i] = strtouq(strstr(tp,"=")+1,NULL,0);\n                tp = strtok(NULL,"\\n");\n            }\n        }\n\n        read(sock,buf,sizeof(buf));\n        codesize = atoi(buf+0x37);\n \n        if(codesize == 0)\n            break;\n \n        pagesize = sysconf(_SC_PAGE_SIZE);\n        code = memalign(pagesize,pagesize);\n \n        memset(code,0xC3,pagesize);\n        memcpy(code,buf+0x42,codesize);\n        printf("CODESIZE : %d bytes.\\n",codesize);\n \n        if(mprotect(code,pagesize,PROT_READ | PROT_EXEC) < 0)\n        {\n            free(code);\n            return;\n        }\n \n        printf("EXECUTE..");\n \n        asm volatile ("movq (reg),%rax");\n        asm volatile ("movq (reg+8),%rbx");\n        asm volatile ("movq (reg+16),%rcx");\n        asm volatile ("movq (reg+24),%rdx");\n        asm volatile ("movq (reg+32),%rsi");\n        asm volatile ("movq (reg+40),%rdi");\n        asm volatile ("movq (reg+48),%r8");\n        asm volatile ("movq (reg+56),%r9");\n        asm volatile ("movq (reg+64),%r10");\n        asm volatile ("movq (reg+72),%r11");\n        asm volatile ("movq (reg+80),%r12");\n        asm volatile ("movq (reg+88),%r13");\n        asm volatile ("movq (reg+96),%r14");\n        asm volatile ("movq (reg+104),%r15");\n         \n        asm volatile ("call *code");\n \n        asm volatile ("movq %rax,(reg)");\n        asm volatile ("movq %rbx,(reg+8)");\n        asm volatile ("movq %rcx,(reg+16)");\n        asm volatile ("movq %rdx,(reg+24)");\n        asm volatile ("movq %rsi,(reg+32)");\n        asm volatile ("movq %rdi,(reg+40)");\n        asm volatile ("movq %r8,(reg+48)");\n        asm volatile ("movq %r9,(reg+56)");\n        asm volatile ("movq %r10,(reg+64)");\n        asm volatile ("movq %r11,(reg+72)");\n        asm volatile ("movq %r12,(reg+80)");\n        asm volatile ("movq %r13,(reg+88)");\n        asm volatile ("movq %r14,(reg+96)");\n        asm volatile ("movq %r15,(reg+104)");\n         \n        printf("DONE.\\n");\n        free(code);\n \n        memset(buf,0,sizeof(buf));\n        sprintf(buf,"rax=0x%llx\\nrbx=0x%llx\\nrcx=0x%llx\\nrdx=0x%llx\\nrsi=0x%llx\\nrdi=0x%llx\\nr8=0x%llx\\nr9=0x%llx\\nr10=0x%llx\\nr11=0x%llx\\nr12=0x%llx\\nr13=0x%llx\\nr14=0x%llx\\nr15=0x%llx\\n",reg[0],reg[1],reg[2],reg[3],reg[4],reg[5],reg[6],reg[7],reg[8],reg[9],reg[10],reg[11],reg[12],reg[13]);\n \n        printf("OUTPUT :\\n%s\\n",buf);\n        write(sock,buf,strlen(buf));\n    }\n}<\/pre>\n<\/div>\n
 <\/p>\n
\u5185\u5bb9\u3068\u3057\u3066\u306f\u3001\u30ec\u30b8\u30b9\u30bf\u306e\u521d\u671f\u5024\u3092\u6301\u3063\u3066\u304d\u3066\u3001
\n  
\u81ea\u5206\u81ea\u8eab\u306b\u5bfe\u3057\u3066\u305d\u306e\u5024\u3092\u8a2d\u5b9a \u2192 \u5b9f\u884c \u2192 \u30ec\u30b8\u30b9\u30bf\u306e\u5024\u3092\u53d6\u5f97\u3057\u3066\u9001\u308a\u8fd4\u3059\u3002 <\/p>\n
\u3068\u3044\u3046\u6d41\u308c\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
..\u305d\u3093\u306a\u611f\u3058\u3067\u5b9f\u884c\u3057\u307e\u3059\u3068\u3001 <\/p>\n
FLAG IS : Cats with frickin lazer beamz on top of their heads! <\/p>\n
\u3068\u3044\u3046\u3053\u3068\u3067\u8fd4\u7b54\u304c\u5e30\u3063\u3066\u304d\u307e\u3059\u3093\u3067\u3001\u3053\u308c\u3092\u9001\u308b\u3068\u5f97\u70b9\u304c\u3048\u3089\u308c\u307e\u3057\u305f\u3002<\/p>\n
 <\/p>\n
\n
\u4f59\u8ac7\uff1a<\/p>\n
\u3053\u306e\u3042\u305f\u308a\u306b\u5f8c\u308d\u59ff\u304c..
\n  
https:\/\/www.ntt.com\/wideangle_security\/data\/sec_repo.html<\/a><\/p>\n
\u307e\u305f\u3001\u4eca\u56de\u3053\u305d\u306f \u201cPython \u30b3\u30fc\u30c9\u66f8\u304f\u305e\uff01\uff01\u201d \u3068\u601d\u3063\u3066\u3044\u305f\u3093\u3067\u3059\u304c\u3001
\n  
\u6c17\u3065\u3044\u305f\u3089 C \u3068 C# \u3057\u304b\u66f8\u3044\u3066\u3044\u307e\u305b\u3093\u3067\u3057\u305f\u3002 <\/p>\n
\uff08\u7279\u306b\u3001\u300c\u30b3\u30fc\u30c9\u8cbc\u3063\u3066\u3088\u300d\u2192\u300cC# \u3067\u3059\u304c\u3044\u3044\u3067\u3059\u304b\u300d\u2192\u300cC#\u2026 orz\u300d \u306e\u6d41\u308c\u306f\u8f9b\u304b\u3063\u305f\u3067\u3059\uff09<\/p>\n
\u6b21\u56de\u3053\u305d\u306f\u30fb\u30fb\u6b21\u56de\u3053\u305d\u306f\u30fb\u30fb\uff01
\n  
(Babyecho \u3082 Pwn \u3082 C# \u3067\u53d6\u308a\u7d44\u3093\u3067\u307e\u3057\u305f.  BitConverter.GetBytes() \u306f\u5049\u5927\u3067\u3059.<\/p>\n
\u2026\u3053\u306e\u554f\u984c\u306e Write-up \u3082\u3001\u4ed6\u306e\u4eba\u306f\u307f\u3093\u306a\u901a\u4fe1\u90e8\u5206\u306f Python \u3067\u3084\u3063\u3066\u308b\u3093\u3067\u3059\u3088\u306d\u3002
\n  
\u3046\u30fc\u3093\u3084\u3063\u3071\u308a\u3084\u3089\u306a\u3044\u3068\u306a\u3041\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u3054\u7121\u6c99\u6c70\u3057\u3066\u307e\u3059\u3002\u307f\u3080\u3089\u3067\u3059\u3002 \u4eca\u5e74\u306f\u3001\u67d0\u300c\u307f\u304b\u304b\u300d\u306a\u5834\u6240\u3067 Team Enu \u306e\u307f\u306a\u3055\u3093\u3068\u4e00\u7dd2\u306b\u53c2\u52a0\u3057\u3066\u304d\u307e\u3057\u305f\u3002 \u3084\u306f\u308a\u5408\u5bbf\u5f62\u5f0f\u3067\u3084\u308b\u3068\u3044\u3046\u306e\u306f\u9762\u767d\u3044\u3067\u3059\u3057\u3001 \u51fa\u6765\u308b\u4eba\u304c\u5468\u308a\u306b\u5c45\u307e\u3059\u3068\u3001\u305d\u308c\u3060\u3051\u3067\u304b\u306a\u308a\u6210\u9577\u3067\u304d\u308b\u306a\u3068 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[581,579],"class_list":["post-5293","post","type-post","status-publish","format-standard","hentry","category-other","tag-catwestern-writeup","tag-defcon-ctf-23-quals"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t