Daddy, teach me how to use random value in programming!
ssh random@pwnable.kr -p2222 (pw:guest)
##########################################################################
Papago translation
Dad, teach me how to use random values in programming!
ssh random@pwnable.kr -p2222 (pw:guest)
#########################################################################
#include <stdio.h>
#include <stdlib.h> // rand(), system()
int main(){
	unsigned int random;
	random = rand(); // random value! (no srand() call anywhere, so rand() starts from its default seed)
	unsigned int key=0;
	scanf("%d", &key); // decimal input, stored into an unsigned int
	if( (key ^ random) == 0xdeadbeef ){
		printf("Good!\n");
		system("/bin/cat flag");
		return 0;
	}
	printf("Wrong, maybe you should try 2^32 cases.\n");
	return 0;
}
0x00000000004005f4 <+0>: push rbp
0x00000000004005f5 <+1>: mov rbp,rsp
0x00000000004005f8 <+4>: sub rsp,0x10
0x00000000004005fc <+8>: mov eax,0x0
0x0000000000400601 <+13>: call 0x400500 <rand@plt>
0x0000000000400606 <+18>: mov DWORD PTR [rbp-0x4],eax
0x0000000000400609 <+21>: mov DWORD PTR [rbp-0x8],0x0
0x0000000000400610 <+28>: mov eax,0x400760
0x0000000000400615 <+33>: lea rdx,[rbp-0x8]
0x0000000000400619 <+37>: mov rsi,rdx
0x000000000040061c <+40>: mov rdi,rax
0x000000000040061f <+43>: mov eax,0x0
0x0000000000400624 <+48>: call 0x4004f0 <__isoc99_scanf@plt>
0x0000000000400629 <+53>: mov eax,DWORD PTR [rbp-0x8]
0x000000000040062c <+56>: xor eax,DWORD PTR [rbp-0x4]
0x000000000040062f <+59>: cmp eax,0xdeadbeef
0x0000000000400634 <+64>: jne 0x400656 <main+98>
0x0000000000400636 <+66>: mov edi,0x400763
0x000000000040063b <+71>: call 0x4004c0 <puts@plt>
0x0000000000400640 <+76>: mov edi,0x400769
0x0000000000400645 <+81>: mov eax,0x0
0x000000000040064a <+86>: call 0x4004d0 <system@plt>
0x000000000040064f <+91>: mov eax,0x0
0x0000000000400654 <+96>: jmp 0x400665 <main+113>
0x0000000000400656 <+98>: mov edi,0x400778
0x000000000040065b <+103>: call 0x4004c0 <puts@plt>
0x0000000000400660 <+108>: mov eax,0x0
0x0000000000400665 <+113>: leave
0x0000000000400666 <+114>: ret
The code is very concise.
It reads a key from the user, and key ^ random (the XOR of the two values) must equal 0xdeadbeef.
But rand() returns a random value? One would expect a random value to come out no matter what we type in, so let's look at the weakness of rand().
The program never calls srand(), so rand() starts from its default seed (1) on every run; that is, it always produces the same value.
To prevent this, srand() must be used, but srand() is also dangerous if its seed (such as the current time) can be predicted.
Set a breakpoint with b *main+18 and look at the value rand() produced:
all three runs put the same value into eax.
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/random/random
Breakpoint 2, 0x0000000000400606 in main ()
(gdb) info reg $eax
eax 0x6b8b4567 1804289383
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/random/random
Breakpoint 2, 0x0000000000400606 in main ()
(gdb) info reg $eax
eax 0x6b8b4567 1804289383
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/random/random
Breakpoint 2, 0x0000000000400606 in main ()
(gdb) info reg $eax
eax 0x6b8b4567 1804289383
We can see that eax is always 0x6b8b4567.
Now we need to find an input such that input ^ 0x6b8b4567 = 0xdeadbeef.
XOR has the property that if A^B=C, then C^A=B and A^C=B.
So we just compute 0x6b8b4567 ^ 0xdeadbeef and enter the result as the input.
>>> 0x6b8b4567^0xdeadbeef
3039230856
After starting it with ./random,
you can type 3039230856 as the input,
or feed the value in with Python.
(python -c 'print "3039230856"') | ./random
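The two points of the writeup, that an unseeded rand() is reproducible and that XOR is its own inverse, together with the mitigation (seed from the kernel CSPRNG rather than rand()/srand(time)), as one added C example. This is not the challenge's code and not the author's solver; it assumes a C standard library where srand(1) restores the initial generator state (the C standard guarantees this, and glibc yields 0x6b8b4567 as the first value, matching the gdb session above). The hypothetical helpers unseeded_first_rand, solve_key, challenge_accepts and csprng_u32 are mine. Note that the computed key 3039230856 is larger than INT_MAX, so the challenge's scanf("%d") stores only its low 32 bits; the program also prints the same bit pattern as a signed value, which can be typed instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define TARGET 0xdeadbeefU   /* the constant the challenge compares against */

/* The value rand() returns first when a program never calls srand().
   Per the C standard an unseeded rand() behaves as if srand(1) had been
   called, so srand(1) reproduces what the challenge sees on every fresh run
   (0x6b8b4567 on glibc, as the gdb output shows).  Hypothetical helper. */
uint32_t unseeded_first_rand(void) {
    srand(1);
    return (uint32_t)rand();
}

/* XOR is its own inverse: if key ^ r == TARGET then key == TARGET ^ r. */
uint32_t solve_key(uint32_t r) {
    return TARGET ^ r;
}

/* The exact check the challenge performs on the submitted key. */
int challenge_accepts(uint32_t key, uint32_t r) {
    return (key ^ r) == TARGET;
}

/* Mitigation: draw the secret from the kernel CSPRNG instead of rand().
   Returns 1 and stores the value in *out on success, 0 on failure. */
int csprng_u32(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1;
}

int main(void) {
    uint32_t r = unseeded_first_rand();
    uint32_t key = solve_key(r);
    printf("unseeded rand()  = 0x%08x\n", r);
    printf("key              = 0x%08x (%u unsigned, %d as the signed int scanf %%d stores)\n",
           key, key, (int32_t)key);
    printf("challenge check  : %s\n", challenge_accepts(key, r) ? "Good!" : "Wrong");
    /* A second "fresh run" yields the identical value: this is the weakness. */
    printf("same on rerun    : %s\n", unseeded_first_rand() == r ? "yes" : "no");
    uint32_t s;
    if (csprng_u32(&s))
        printf("CSPRNG value     = 0x%08x (changes every run; key cannot be precomputed)\n", s);
    return 0;
}
```

With the CSPRNG variant an attacker has no fixed seed to replay and no timestamp to guess, which is the property srand(time(NULL)) fails to give; that is the point of the warning about predictable seeds.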