1. intro
2. code 및 분석
2.1. C code
/*
* phoenix/net-two, by https://exploit.education
*
* Shout out to anyone who doesn't know what the opposite of in is.
*
*/
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>
#include <unistd.h>
#define BANNER \
"Welcome to " LEVELNAME ", brought to you by https://exploit.education"
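/*
 * Entry point for the net-two level.
 *
 * Fills an array of sizeof(long) unsigned longs with random bytes, writes
 * each element to file descriptor 1 as raw bytes while summing them, then
 * reads sizeof(long) raw bytes from file descriptor 0 and compares them with
 * the sum.
 *
 * Returns 0 whether or not the answer matched; any short or failed
 * getrandom()/write()/read() terminates the process through errx(1, ...).
 *
 * NOTE(review): how descriptors 0 and 1 are attached to a client is not
 * visible in this file -- presumably a listener wires them to a socket.
 */
int main(int argc, char **argv) {
  size_t i; /* unsigned index: it is compared against sizeof(long) */
  unsigned long quad[sizeof(long)], result, wanted;

  /* Unbuffered streams so the banner is emitted before the raw write()s. */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  printf("%s\nFor this level, sizeof(long) == %d, keep that in mind :)\n",
         BANNER, (int)sizeof(long));

  /* A short read from the kernel RNG is treated as fatal, not retried. */
  if (getrandom((void *)&quad, sizeof(quad), 0) != sizeof(quad)) {
    /* sizeof yields size_t, so the matching conversion is %zu, not %d. */
    errx(1, "unable to getrandom(%zu bytes)", sizeof(quad));
  }

  result = 0;
  for (i = 0; i < sizeof(long); i++) {
    /*
     * Unsigned addition: a carry out of the top bit is discarded, so result
     * ends up as the sum reduced modulo 2^(number of bits in unsigned long).
     */
    result += quad[i];

    /* Each value goes out as raw bytes in the host's own representation. */
    if (write(1, (void *)&quad[i], sizeof(long)) != sizeof(long)) {
      errx(1, "Why have you foresaken me, write()");
    }
  }

  /* The answer must arrive as exactly sizeof(long) raw bytes in one read(). */
  if (read(0, (void *)&wanted, sizeof(long)) != sizeof(long)) {
    errx(1, "Unable to read\n");
  }

  if (result == wanted) {
    printf("You have successfully passed this level, well done!\n");
  } else {
    printf("Whoops, better luck next time. Receieved %lu, wanted %lu\n", wanted,
           result);
  }

  return 0;
}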
2.2. 분석
이번에는 unsigned long 배열 quad(원소 sizeof(long)개)를 선언하고 getrandom()으로 랜덤 값을 채운 뒤, 각 quad[i]를 바이너리 그대로 출력하면서 result 변수에 더한다.
이후 wanted 변수에 입력을 받아 result와 wanted를 비교하여 같으면 성공이다.
3. 취약점 확인 및 공격 준비
3.1. 취약점
특별히 취약점은 없다. 메모리 손상을 일으킬 부분은 없고, 서버가 보낸 바이너리 값을 올바르게 해석해 합을 되돌려 보내면 되는 문제다.
3.2. 공격 준비
아오... 코드만으로 대충 해보려했는데 자꾸 형변환이 안돼서 gdb로 깠다.
안까고 싶었는데...
출력되는 문자열의 길이를 한번이라도 체크해볼걸... ㅠㅠ
문자열이 총 8 bytes 인줄 알고 각 자리의 hex 값을 더해보려했는데 자꾸 실패했다.
알고보니 64 bytes였음...
8 bytes 씩 8개 가져와서 계속 더하는데, unsigned long 덧셈이라 합이 8 bytes를 초과하면 넘친 상위 비트는 버려진다(즉 2^64로 나눈 나머지만 남는다).
4. exploit
위를 기준으로 코딩하면 아래와 같다.
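from pwn import *

# Client for the net-two level: read eight 8-byte values from the service,
# add them the way the C program does (unsigned 64-bit, wrapping), and send
# the sum back as 8 raw bytes.

# The C side sums into an unsigned long, which is 8 bytes on this target, so
# the running total is reduced modulo 2**64 with a mask. Masking does not
# depend on how hex() happens to render the number as text.
MASK64 = 0xffffffffffffffff

p = remote('localhost', 64002)

# Two text lines (the banner and the sizeof(long) hint) precede the binary data.
p.recvline()
p.recvline()

quad = 0
j = 8
for i in range(8):
    # recvn() returns exactly j bytes; recv(j) may return fewer, and u64()
    # rejects a chunk that is not 8 bytes long.
    get = u64(p.recvn(j))
    quad = quad + get
    print("%d st get = %d hex = 0x%x" % (i + 1, get, get))
    print("quad = %d hex = 0x%x" % (quad, quad))
    if quad > MASK64:
        # The sum no longer fits in 64 bits: keep only the low 64 bits.
        print("lenth over = 0x%x" % quad)
        quad &= MASK64
        print("change = 0x%x" % quad)
print(quad)

# The service reads exactly 8 bytes, so send the packed value with no newline.
p.send(p64(quad))
print(p.recvline())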
user@phoenix-amd64:~$ python /tmp/a.py
[+] Opening connection to localhost on port 64002: Done
1 st get = 4268828195899499809 hex = 0x3b3deca07fc2e521
quad = 4268828195899499809 hex = 0x3b3deca07fc2e521
2 st get = 16901727429982123844 hex = 0xea8eff8c628f7744
quad = 21170555625881623653 hex = 0x125ccec2ce2525c65
lenth over = 0x125ccec2ce2525c65
change = 0x25ccec2ce2525c65
3 st get = 17328357041230072388 hex = 0xf07ab0eb5fa84a44
quad = 20052168593402144425 hex = 0x116479d1841faa6a9
lenth over = 0x116479d1841faa6a9
change = 0x16479d1841faa6a9
4 st get = 13351142668948258878 hex = 0xb948c9852038c03e
quad = 14956567188640851687 hex = 0xcf90669d623366e7
5 st get = 7834240348377592091 hex = 0x6cb8d016da14311b
quad = 22790807537018443778 hex = 0x13c4936b43c479802
lenth over = 0x13c4936b43c479802
change = 0x3c4936b43c479802
6 st get = 12178711250809464224 hex = 0xa903795b668d25a0
quad = 16522774714118356386 hex = 0xe54cb00fa2d4bda2
7 st get = 7385232095077550121 hex = 0x667d9d763ae94829
quad = 23908006809195906507 hex = 0x14bca4d85ddbe05cb
lenth over = 0x14bca4d85ddbe05cb
change = 0x4bca4d85ddbe05cb
8 st get = 16438244633152429172 hex = 0xe42060667a059c74
quad = 21899507368638784063 hex = 0x12feaadec57c3a23f
lenth over = 0x12feaadec57c3a23f
change = 0x2feaadec57c3a23f
3452763294929232447
You have successfully passed this level, well done!
[*] Closed connection to localhost port 64002