1. intro
2. Code and analysis
2.1. Code
#include <stdio.h>
#include <stdlib.h>   /* rand(), system() */

int main(){
    unsigned int random;
    random = rand(); // random value! (srand() is never called, so this is identical on every run)
    unsigned int key=0;
    scanf("%d", &key);
    if( (key ^ random) == 0xdeadbeef ){
        printf("Good!\n");
        system("/bin/cat flag");
        return 0;
    }
    printf("Wrong, maybe you should try 2^32 cases.\n");
    return 0;
}
2.2. Analysis
It simply prints the flag if the XOR of the random value and the key read from input equals deadbeef.
3. Vulnerability check and attack preparation
3.1. Vulnerability
The vulnerability is that a random value drawn without a seed is always the same.
3.2. Attack preparation
To verify this, I repeatedly read the result of random, and it looked like the following.
RAX: 0x6b8b4567
RBX: 0x0
RCX: 0x7f1c40f710a4 --> 0x16a5bce3991539b1
RDX: 0x7f1c40f710a8 --> 0x6774a4cd16a5bce3
RSI: 0x7ffd6acf61ac --> 0x6b8b4567
RDI: 0x7f1c40f71620 --> 0x7f1c40f710b4 --> 0x61048c054e508aaa
RBP: 0x7ffd6acf61e0 --> 0x400670 (<__libc_csu_init>: mov %rbp,-0x28(%rsp))
RSP: 0x7ffd6acf61d0 --> 0x7ffd6acf62c0 --> 0x1
RIP: 0x400606 (<main+18>: mov %eax,-0x4(%rbp))
R8 : 0x7f1c40f710a4 --> 0x16a5bce3991539b1
R9 : 0x7f1c40f71120 --> 0x8
R10: 0x47f
R11: 0x7f1c40be7f70 (<rand>: sub $0x8,%rsp)
R12: 0x400510 (<_start>: xor %ebp,%ebp)
R13: 0x7ffd6acf62c0 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4005f8 <main+4>: sub $0x10,%rsp
0x4005fc <main+8>: mov $0x0,%eax
0x400601 <main+13>: callq 0x400500 <rand@plt>
=> 0x400606 <main+18>: mov %eax,-0x4(%rbp)
0x400609 <main+21>: movl $0x0,-0x8(%rbp)
0x400610 <main+28>: mov $0x400760,%eax
0x400615 <main+33>: lea -0x8(%rbp),%rdx
0x400619 <main+37>: mov %rdx,%rsi
[------------------------------------stack-------------------------------------]
In other words, you just need to enter a value that, XORed with 0x6b8b4567, gives deadbeef.
4. exploit
random@pwnable:~$ python
Python 2.7.12 (default, Mar 1 2021, 11:38:31)
[GCC 5.4.0 20160609] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x6b8b4567^0xdeadbeef
3039230856
>>> 3039230856^0x6b8b4567
3735928559
>>> hex(3735928559)
'0xdeadbeef'
>>>
random@pwnable:~$ ls
flag random random.c
random@pwnable:~$ ./random
3039230856
Good!
----------# flag removed
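As an added example (not part of the original write-up or of the pwnable.kr challenge), the C program below shows why sections 3.1 and 4 work: the C standard requires that rand() called before any srand() produce the same sequence as srand(1), so the value the binary stores in `random` is fixed for a given libc, and XOR being its own inverse makes the key trivial to derive. It also shows the defender's fix, reading the secret from /dev/urandom instead. The constant 0x6b8b4567 is taken from the gdb dump above; the function and variable names are my own.

```c
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdeadbeefu
/* Value of RAX after rand() in the gdb dump above (unseeded glibc). */
#define OBSERVED_RANDOM 0x6b8b4567u

static unsigned int g_unseeded; /* first rand() value seen in this process */

/* Key that makes (key ^ random) == TARGET; XOR is its own inverse. */
unsigned int key_for(unsigned int random) {
    return random ^ TARGET;
}

/* Why the challenge is deterministic: rand() before any srand() must behave
 * as if srand(1) had been called (C standard). Must be the first rand()
 * call in the process. Returns 1 if the unseeded value matches srand(1). */
int unseeded_matches_seed1(void) {
    g_unseeded = (unsigned int)rand();   /* what the binary stores in `random` */
    srand(1);
    return g_unseeded == (unsigned int)rand();
}

unsigned int observed_random(void) { return g_unseeded; }

/* Hardened alternative: draw the secret from the kernel CSPRNG instead of
 * the libc PRNG. Returns 1 on success, 0 if /dev/urandom is unavailable. */
int read_urandom(unsigned int *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

int main(void) {
    printf("unseeded rand() == srand(1) sequence: %s\n",
           unseeded_matches_seed1() ? "yes" : "no");
    printf("rand() = 0x%08x, key = %u\n",
           observed_random(), key_for(observed_random()));
    printf("key derived from the gdb dump: %u\n", key_for(OBSERVED_RANDOM));
    unsigned int secret;
    if (read_urandom(&secret))
        printf("/dev/urandom value (differs per run): 0x%08x\n", secret);
    return 0;
}
```

On glibc the first line reports 0x6b8b4567 and key 3039230856, matching the session above; on another libc the number changes but stays constant between runs, which is the actual weakness.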