Hitcon CTF 2020 | Tenet Solution

hitcon2020_tenet.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *

context.update(arch='amd64')
exe = './server.rb'

host = args.HOST or '52.192.42.215'
port = int(args.PORT or 9427)

def local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)

def remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return local(argv, *a, **kw)
    else:
        return remote(argv, *a, **kw)

gdbscript = '''
continue
'''.format(**locals())

io = start()

payload = asm('''
// clear cookie
mov rbx, 0x02170000
mov rdx, 0x00000000
mov rsi, [rbx]
mov [rbx], rdx

// for reverse
mov rbx, 0x02170000
mov rdx, r14

// if cookie & 1, add 1 to register
// r15 is result
// rax is counter
// rsi is cookie

// clear variables
xor r15, r15
xor rax, rax

// for reverse
mov r14, r15

// Looooop
L4:
// Exit condition
cmp rax, 63
jg L5

// copy cookie
mov rdx, rsi
// (cookie >> i) & 1
mov rcx, rax
sar rdx, cl
and rdx, 1
test rdx, rdx
je L3

// bit is one
mov rcx, rax
mov rdx, 1
sal rdx, cl
or r15, rdx
// reverse
sal rdx, cl
mov rdx, 1
mov rcx, rbx

// bit not one, executes everytime (keeps the counter moving)
L3:
add rax, 1
sub rbx, 1
jmp L4

L5:
// cleanup for reverse
xor r15, r15
mov rbx, 64

// exit
mov rax, 0x3c
syscall
''')

print(disasm(payload))

print(io.recvline())
io.sendline(str(len(payload)).encode())
print(io.recvline())
io.send(payload)

io.interactive()