Daddy, teach me how to use random value in programming!
ssh random@pwnable.kr -p2222 (pw:guest)
random@pwnable:~$ ls -l
total 20
-r--r----- 1 random_pwn root 49 Jun 30 2014 flag
-r-sr-x--- 1 random_pwn random 8538 Jun 30 2014 random
-rw-r--r-- 1 root root 301 Jun 30 2014 random.c
random@pwnable:~$ cat random.c
#include <stdio.h>
int main(){
unsigned int random;
random = rand(); // random value!
unsigned int key=0;
scanf("%d", &key);
if( (key ^ random) == 0xdeadbeef ){
printf("Good!\n");
system("/bin/cat flag");
return 0;
}
printf("Wrong, maybe you should try 2^32 cases.\n");
return 0;
}
C言語のrand()は疑似乱数と呼ばれるもので、引数や呼び出し回数よって一意に規則性が小さく見えるような値を生成します。今回は引数に何も渡さないので、何回このプログラムを実行しても同じ値がrandomに代入されます。(通常は時間を引数に渡したり、よりセキュアなライブラリを利用します。)
ということで、その値が何かをgdbで確認します。
(gdb) disas main
Dump of assembler code for function main:
0x00000000004005f4 <+0>: push %rbp
0x00000000004005f5 <+1>: mov %rsp,%rbp
0x00000000004005f8 <+4>: sub $0x10,%rsp
0x00000000004005fc <+8>: mov $0x0,%eax
0x0000000000400601 <+13>: callq 0x400500 <rand@plt>
0x0000000000400606 <+18>: mov %eax,-0x4(%rbp)
0x0000000000400609 <+21>: movl $0x0,-0x8(%rbp)
0x0000000000400610 <+28>: mov $0x400760,%eax
0x0000000000400615 <+33>: lea -0x8(%rbp),%rdx
0x0000000000400619 <+37>: mov %rdx,%rsi
0x000000000040061c <+40>: mov %rax,%rdi
0x000000000040061f <+43>: mov $0x0,%eax
0x0000000000400624 <+48>: callq 0x4004f0 <__isoc99_scanf@plt>
0x0000000000400629 <+53>: mov -0x8(%rbp),%eax
0x000000000040062c <+56>: xor -0x4(%rbp),%eax
0x000000000040062f <+59>: cmp $0xdeadbeef,%eax
0x0000000000400634 <+64>: jne 0x400656 <main+98>
0x0000000000400636 <+66>: mov $0x400763,%edi
0x000000000040063b <+71>: callq 0x4004c0 <puts@plt>
0x0000000000400640 <+76>: mov $0x400769,%edi
0x0000000000400645 <+81>: mov $0x0,%eax
0x000000000040064a <+86>: callq 0x4004d0 <system@plt>
0x000000000040064f <+91>: mov $0x0,%eax
0x0000000000400654 <+96>: jmp 0x400665 <main+113>
0x0000000000400656 <+98>: mov $0x400778,%edi
0x000000000040065b <+103>: callq 0x4004c0 <puts@plt>
0x0000000000400660 <+108>: mov $0x0,%eax
0x0000000000400665 <+113>: leaveq
0x0000000000400666 <+114>: retq
End of assembler dump.
(gdb) b *main+21
Breakpoint 1 at 0x400609
(gdb) r
Starting program: /home/random/random
Breakpoint 1, 0x0000000000400609 in main ()
(gdb) info registers eax
eax 0x6b8b4567 1804289383
また、key^randomの^はXOR演算子と呼ばれるもので特徴として a^(a^b) == b となります。なので0x6b8b4567 ^ 0xdeadbeef を入力します。
$ cat random_pwn.py
from pwn import *
payload = 0x6b8b4567 ^ 0xdeadbeef
s1 = ssh(host="pwnable.kr", user="random", password="guest", port=2222)
r = s1.process("./random")
r.sendline(str(payload).encode())
r.interactive()
$ python3 random_pwn.py
[+] Connecting to pwnable.kr on port 2222: Done
[*] col@pwnable.kr:
Distro Ubuntu 16.04
OS: linux
Arch: amd64
Version: 4.4.179
ASLR: Enabled
[+] Starting remote process './random' on pwnable.kr: pid 218052
[*] Switching to interactive mode
Good!
Mommy, I thought libc random is unpredictable...