Daddy told me about cool MD5 hash collision today.
I wanna do something like that too!

ssh col@pwnable.kr -p2222 (pw:guest)
col@pwnable:~$ ls -l
total 16
-r-sr-x--- 1 col_pwn col 7341 Jun 11 2014 col
-rw-r--r-- 1 root root 555 Jun 12 2014 col.c
-r--r----- 1 col_pwn col_pwn 52 Jun 11 2014 flag
col@pwnable:~$ cat col.c
#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC; /* target checksum the passcode must sum to; a 32-bit constant held in a 64-bit unsigned long on this amd64 box */
/* Computes the "hash" of the 20-byte passcode p.
 * It is a plain additive checksum: p is reinterpreted as five 4-byte ints
 * and their sum is returned. Any 20-byte input whose five words add up to
 * the same value therefore collides, which is exactly what main() tests. */
unsigned long check_password(const char* p){
int* ip = (int*)p; /* drops const and assumes p is int-aligned; main() only guarantees strlen(p) == 20 */
int i;
int res=0; /* 32-bit accumulator: signed overflow is undefined in C (it wraps on common compilers), and a negative res widens to an unsigned long far above hashcode on amd64 */
for(i=0; i<5; i++){
res += ip[i]; /* reads bytes 0..19 of p as five little-endian ints on this target */
}
return res;
}
/* Entry point: validates argc and the passcode length, then prints the flag
 * when the additive checksum of argv[1] equals the fixed hashcode. */
int main(int argc, char* argv[]){
if(argc<2){
printf("usage : %s [passcode]\n", argv[0]);
return 0;
}
/* strlen() stops at the first NUL, so this requires exactly 20 non-zero bytes before the terminator. */
if(strlen(argv[1]) != 20){
printf("passcode length should be 20 bytes\n");
return 0;
}
/* The passcode check: the checksum of argv[1] must equal hashcode (no secret is involved). */
if(hashcode == check_password( argv[1] )){
system("/bin/cat flag"); /* runs with the setuid col_pwn privilege shown by ls -l; system() is used without <stdlib.h>, so it is implicitly declared here */
return 0;
}
else
printf("wrong passcode.\n"); /* no braces: only this printf belongs to the else branch */
return 0;
}
コマンドラインからの20バイトの引数を5つの4バイトの整数として分け、その和が0x21dd09ecとなるようにします。
from pwn import *
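# Target value the additive hash in col.c must reach.
HASHCODE = 0x21dd09ec

# Split the target across five little-endian 32-bit words: four equal
# parts plus one part short by one, so the five sum exactly to HASHCODE.
frag = (HASHCODE + 1) // 5
words = [frag] * 4 + [frag - 1]
payload = b''.join(w.to_bytes(4, 'little') for w in words)

# Sanity-check the payload before opening a connection: the binary sums
# five ints and requires strlen(argv[1]) == 20, so the words must add up
# and none may contain a 0x00 byte (strlen would stop there).
if sum(words) != HASHCODE:
    raise ValueError('word sum does not match hashcode')
if len(payload) != 20 or b'\x00' in payload:
    raise ValueError('payload must be 20 bytes with no NUL byte')

s1 = ssh(host='pwnable.kr', user='col', password='guest', port=2222)
try:
    r1 = s1.process(executable='./col', argv=['fd', payload])
    print(r1.recv())
finally:
    # Always release the SSH session, even if the process or recv fails.
    s1.close()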
$ python3 collision_pwn.py
[+] Connecting to pwnable.kr on port 2222: Done
[*] col@pwnable.kr:
Distro Ubuntu 16.04
OS: linux
Arch: amd64
Version: 4.4.179
ASLR: Enabled
[+] Starting remote process './col' on pwnable.kr: pid 66019
b'daddy! I just managed to create a hash collision :)\n'
[*] Closed connection to 'pwnable.kr'