On the pwnable.kr site there is a challenge named random, a "random number" guessing program, given with the following source code:

#include <stdio.h>
#include <stdlib.h>	/* rand(), system() */

int main(){
	unsigned int random;
	random = rand();	// random value! (never seeded with srand(), so glibc returns the same value on every run)

	unsigned int key=0;
	scanf("%d", &key);	// user input, read as a 32-bit int; only the raw 32 bits matter for the XOR below

	if( (key ^ random) == 0xdeadbeef ){
		printf("Good!\n");
		system("/bin/cat flag");
		return 0;
	}

	printf("Wrong, maybe you should try 2^32 cases.\n");
	return 0;
}

rand() returns a pseudo-random integer between 0 and RAND_MAX. Its return value is stored in the variable random, while key holds the user's input, so the if condition XORs key with random and prints the flag when the result is 0xdeadbeef. The catch is that the program never calls srand(): glibc then seeds the generator with the constant 1, so the first rand() call returns the same value on every run and the "random" value is in fact predictable. *If you are not yet familiar with XOR encryption, see the video from Cyber Security IPB.

Proof Of Concept

I used gdb with the peda plugin.


root@linux ~# gdb -q random
Reading symbols from random...(no debugging symbols found)...done.
gdb-peda$ disass main
Dump of assembler code for function main:
   0x00000000004005f4 <+0>:	push   rbp
   0x00000000004005f5 <+1>:	mov    rbp,rsp
   0x00000000004005f8 <+4>:	sub    rsp,0x10
   0x00000000004005fc <+8>:	mov    eax,0x0
   0x0000000000400601 <+13>:	call   0x400500 <rand@plt>
   0x0000000000400606 <+18>:	mov    DWORD PTR [rbp-0x4],eax ; set the breakpoint here
   0x0000000000400609 <+21>:	mov    DWORD PTR [rbp-0x8],0x0
   0x0000000000400610 <+28>:	mov    eax,0x400760
   0x0000000000400615 <+33>:	lea    rdx,[rbp-0x8]
   0x0000000000400619 <+37>:	mov    rsi,rdx
   0x000000000040061c <+40>:	mov    rdi,rax
   0x000000000040061f <+43>:	mov    eax,0x0
   0x0000000000400624 <+48>:	call   0x4004f0 <__isoc99_scanf@plt>
   0x0000000000400629 <+53>:	mov    eax,DWORD PTR [rbp-0x8]
   0x000000000040062c <+56>:	xor    eax,DWORD PTR [rbp-0x4]
   0x000000000040062f <+59>:	cmp    eax,0xdeadbeef
   0x0000000000400634 <+64>:	jne    0x400656 <main+98>
   0x0000000000400636 <+66>:	mov    edi,0x400763
   0x000000000040063b <+71>:	call   0x4004c0 <puts@plt>
   0x0000000000400640 <+76>:	mov    edi,0x400769
   0x0000000000400645 <+81>:	mov    eax,0x0
   0x000000000040064a <+86>:	call   0x4004d0 <system@plt>
   0x000000000040064f <+91>:	mov    eax,0x0
   0x0000000000400654 <+96>:	jmp    0x400665 <main+113>
   0x0000000000400656 <+98>:	mov    edi,0x400778
   0x000000000040065b <+103>:	call   0x4004c0 <puts@plt>
   0x0000000000400660 <+108>:	mov    eax,0x0
   0x0000000000400665 <+113>:	leave  
   0x0000000000400666 <+114>:	ret    
End of assembler dump.
gdb-peda$ b *0x0000000000400606
Breakpoint 1 at 0x400606
gdb-peda$ r
Starting program: /home/rhama/challenge/pwnable/random 

 [----------------------------------registers-----------------------------------]
RAX: 0x6b8b4567 ; return value of rand()
RBX: 0x0 
RCX: 0x7f2b52c1e0a4 --> 0x16a5bce3991539b1 
RDX: 0x7f2b52c1e0a8 --> 0x6774a4cd16a5bce3 
RSI: 0x7fff8fc822fc --> 0x6b8b4567 
RDI: 0x7f2b52c1e620 --> 0x7f2b52c1e0b4 --> 0x61048c054e508aaa 
RBP: 0x7fff8fc82330 --> 0x400670 (<__libc_csu_init>:	mov    QWORD PTR [rsp-0x28],rbp)
RSP: 0x7fff8fc82320 --> 0x7fff8fc82410 --> 0x1 
RIP: 0x400606 (<main+18>:	mov    DWORD PTR [rbp-0x4],eax)
R8 : 0x7f2b52c1e0a4 --> 0x16a5bce3991539b1 
R9 : 0x7f2b52c1e120 --> 0x8 
R10: 0x47f 
R11: 0x7f2b52895f60 (<rand>:	sub    rsp,0x8)
R12: 0x400510 (<_start>:	xor    ebp,ebp)
R13: 0x7fff8fc82410 --> 0x1 
R14: 0x0 
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4005f8 <main+4>:	sub    rsp,0x10
   0x4005fc <main+8>:	mov    eax,0x0
   0x400601 <main+13>:	call   0x400500 <rand@plt>
=> 0x400606 <main+18>:	mov    DWORD PTR [rbp-0x4],eax
   0x400609 <main+21>:	mov    DWORD PTR [rbp-0x8],0x0
   0x400610 <main+28>:	mov    eax,0x400760
   0x400615 <main+33>:	lea    rdx,[rbp-0x8]
   0x400619 <main+37>:	mov    rsi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fff8fc82320 --> 0x7fff8fc82410 --> 0x1 
0008| 0x7fff8fc82328 --> 0x0 
0016| 0x7fff8fc82330 --> 0x400670 (<__libc_csu_init>:	mov    QWORD PTR [rsp-0x28],rbp)
0024| 0x7fff8fc82338 --> 0x7f2b5287b830 (<__libc_start_main+240>:	mov    edi,eax)
0032| 0x7fff8fc82340 --> 0x0 
0040| 0x7fff8fc82348 --> 0x7fff8fc82418 --> 0x7fff8fc83302 ("/home/rhama/challenge/pwnable/random")
0048| 0x7fff8fc82350 --> 0x100000000 
0056| 0x7fff8fc82358 --> 0x4005f4 (<main>:	push   rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0000000000400606 in main ()

The value returned by rand() is 0x6b8b4567, or 1804289383 in decimal, held in the RAX register. Because the program never calls srand(), glibc starts its generator from seed 1 and this first value is identical on every run, so the breakpoint only has to be hit once.

Since the condition is if( (key ^ random) == 0xdeadbeef ) and XOR is its own inverse, the key is obtained by XORing random with 0xdeadbeef: key = random ^ 0xdeadbeef.

root@linux ~# python -c "print 0x6b8b4567 ^ 0xdeadbeef"
3039230856

The resulting key is 3039230856 (0xb526fb88), which can now be used to get the flag. scanf("%d") stores it into a 32-bit int; on 64-bit glibc the out-of-range value is converted as a long and truncated to its low 32 bits, which is why the unsigned form is accepted. The signed form of the same bits, -1255736440, would work as well.
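As an added cross-check that is not part of the original writeup: because the binary never seeds rand(), the key can also be computed offline by calling glibc's rand() yourself instead of reading it out of the debugger. The program below is example code, not the challenge's; the helper names challenge_random, solve_key and check_key are my own. It assumes glibc, where an unseeded rand() is equivalent to srand(1) and the first call returns 1804289383 (0x6b8b4567); on another libc (musl, macOS) rand() produces a different sequence and the key computed here would not match the remote binary.

```c
#include <stdio.h>
#include <stdlib.h>

#define TARGET 0xdeadbeefu   /* the constant the challenge compares against */

/* Reproduce the challenge's "random" value. The binary never calls srand(),
 * which on glibc is the same as srand(1), so the first rand() call always
 * yields the same number (1804289383 == 0x6b8b4567 on glibc).
 * Seeding explicitly here makes the function repeatable within one process. */
unsigned int challenge_random(void) {
    srand(1);
    return (unsigned int)rand();
}

/* XOR is its own inverse: if key ^ random == TARGET, then key == random ^ TARGET. */
unsigned int solve_key(unsigned int random_value) {
    return random_value ^ TARGET;
}

/* Mirror the challenge's own check so the derived key can be verified locally. */
int check_key(unsigned int key, unsigned int random_value) {
    return (key ^ random_value) == TARGET;
}

int main(void) {
    unsigned int r = challenge_random();
    unsigned int key = solve_key(r);

    printf("rand() without srand(): 0x%08x (%u)\n", r, r);
    /* Both forms feed the same 32 bits into the binary's scanf("%d"). */
    printf("key = 0x%08x ^ 0x%08x = %u (signed: %d)\n", r, TARGET, key, (int)key);
    printf("local check: %s\n", check_key(key, r) ? "Good!" : "Wrong");
    return 0;
}
```

Pipe the printed unsigned key into the challenge binary (for example `./solve | tail -1` is not needed; simply `echo 3039230856 | ./random`) to confirm it prints "Good!". If the local check passes but the remote binary answers "Wrong", the libc on the solving machine is not glibc and the gdb method above is the reliable fallback.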

root@linux ~# ssh random@pwnable.kr -p2222
random@pwnable.kr's password: 
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \ 
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    / 
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \ 
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|
                                                                     
- Site admin : daehee87.kr@gmail.com
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Wed Dec 21 06:05:58 2016 from 125.198.19.179
random@ubuntu:~$ ./random
3039230856
Good!
Mommy, I thought libc random is unpredictable...
random@ubuntu:~$