#!/usr/bin/python
# DEFCON 2015 : catwestern 1
# author: NULL Life
# https://twitter.com/marceloje
# https://twitter.com/NullLifeTeam
import socket, os, subprocess
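# SECURITY NOTE (review): this solver fetches raw x86-64 machine code from a
# remote CTF server, links it into a local ELF and executes it natively.  Only
# run it inside a disposable VM/container -- nothing below sandboxes the bytes.
HOST = "catwestern_631d7907670909fc4df2defc13f2057c.quals.shallweplayaga.me"
PORT = 9999

# ASM file header and main function.  `code` is appended after this header
# (register-initialising `mov`s followed by the raw `db` bytes from the
# server) and is expected to return into main, which then prints the
# resulting register state in the format the server wants back.
# The `fmt` string must stay on a single line: NASM string literals cannot
# span lines.
ASM_HEADER = '''
extern printf
SECTION .data
fmt: db "rsi=0x%llx", 0x0a,"rdx=0x%llx", 0x0a, "rcx=0x%llx", 0x0a, "r8=0x%llx", 0x0a, "r9=0x%llx", 0x0a, "rbx=0x%llx", 0x0a, "r10=0x%llx", 0x0a, "r11=0x%llx", 0x0a, "r12=0x%llx", 0x0a, "r13=0x%llx", 0x0a, "r14=0x%llx", 0x0a, "r15=0x%llx", 0x0a, 0x00
fmt2: db "rdi=0x%llx", 0x0a,"rax=0x%llx", 0x0a, 0x00
section .text
global main
main:
call code
push rax
push rdi
push fmt
pop rdi
mov rax, 0
push r15
push r14
push r13
push r12
push r11
push r10
push rbx
call printf
add rsp, 56
pop rsi
pop rdx
push fmt2
pop rdi
mov rax, 0
call printf
ret
code:
'''
# NOTE(review): `push fmt` encodes a sign-extended 32-bit absolute address, so
# the object must be linked as a non-PIE executable (add `-no-pie` to the gcc
# line if your toolchain defaults to PIE).  The stack is also not re-aligned to
# 16 bytes before `call printf`; glibc usually tolerates this for integer-only
# varargs, but a crash on a `movaps` inside printf would point here -- confirm.


def parse_initial_regs(banner):
    """Turn the server's "****Initial State****" banner into NASM `mov` lines.

    The text after the marker looks like `rax=0x...` one register per line;
    every `=` becomes `, ` and every register name is prefixed with `mov `,
    yielding `mov rax, 0x...`.

    Args:
        banner: decoded text of the first message from the server.
    Returns:
        The rewritten register block, newlines preserved from the input.
    Raises:
        ValueError: if the marker is missing (the original code would then
            silently slice from offset 9 and emit garbage assembly).
    """
    marker = "State****"
    pos = banner.find(marker)
    if pos < 0:
        raise ValueError("register state marker not found in server banner: %r" % (banner,))
    # +10 rather than +len(marker): skip the line break that follows the marker.
    state = banner[pos + 10:]
    # NOTE(review): the blanket replace of "r" assumes the only "r" characters
    # after the marker are the leading letter of each register name (hex digits
    # contain none).  Any trailing prose from the server would be mangled.
    return state.replace("=", ", ").replace("r", "mov r")


def parse_opcodes(message):
    """Extract the raw machine-code bytes from the server's "... bytes:" message.

    Args:
        message: decoded text of the second message from the server.
    Returns:
        Everything after the `" bytes:"` marker plus the two characters that
        follow it (the separator the challenge emits), i.e. the raw code.
    Raises:
        ValueError: if the marker is missing.
    """
    marker = " bytes:"
    pos = message.find(marker)
    if pos < 0:
        raise ValueError("opcode marker not found in server message: %r" % (message,))
    return message[pos + 9:]


def build_asm(regs, opcodes):
    """Assemble the full p.asm text: header, register init, then one `db` per byte.

    Args:
        regs: output of parse_initial_regs().
        opcodes: raw code bytes as a byte string (one char per byte).
    Returns:
        The complete NASM source as a single string.
    """
    parts = [ASM_HEADER, regs]
    parts.extend("db 0x%02x\n" % ord(c) for c in opcodes)
    return "".join(parts)


def compile_binary(asm_path="p.asm", obj_path="p.o", bin_path="p"):
    """Assemble and link the generated source; raise if either tool fails.

    The original used os.system() and ignored both exit codes, so a NASM or
    link error surfaced later as a confusing "./p: No such file" from Popen.
    """
    subprocess.check_call(["nasm", "-f", "elf64", "-o", obj_path, asm_path])
    subprocess.check_call(["gcc", "-o", bin_path, obj_path])


def run_binary(bin_path="./p"):
    """Run the linked binary and return its stdout (the printed register dump)."""
    proc = subprocess.Popen([bin_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, _err = proc.communicate()
    return out


def main():
    """Connect to the challenge, execute the served code locally, reply with the registers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((HOST, PORT))
    try:
        # NOTE(review): a single recv(1024) assumes each message arrives in one
        # segment.  If the opcode blob is split across segments the assembly is
        # silently truncated; loop on recv() until the advertised byte count is
        # reached if that ever happens.
        regs = parse_initial_regs(sock.recv(1024))
        opcodes = parse_opcodes(sock.recv(1024))
        with open("p.asm", "w") as f:
            f.write(build_asm(regs, opcodes))
        compile_binary()
        out = run_binary()
        # sendall() guarantees the whole reply is written; send() may be partial.
        sock.sendall(out + "\n")
        print(sock.recv(1024))
    finally:
        sock.close()


if __name__ == "__main__":
    main()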