#include <stdio.h>
int main(){
unsigned int random;
random = rand(); // random value!
unsigned int key=0;
scanf("%d", &key);
if( (key ^ random) == 0xdeadbeef ){
printf("Good!\n");
system("/bin/cat flag");
return 0;
}
printf("Wrong, maybe you should try 2^32 cases.\n");
return 0;
}How to Exploit
- srand() 함수가 없으므로 사실 난수가 아니다. gdb로 bp 걸어서 난수가
0x6b8b4567이라는 것을 알았다.0x6b8b4567 ^ 0xdeadbeef = 0xb526fb88
Exploit Code
random@prowl:~$ ./random
3039230856Capture The Flag
'Writeup [pwn] > pwnable.kr' 카테고리의 다른 글
| ascii_easy (0) | 2020.03.07 |
|---|---|
| unlink (0) | 2020.03.07 |
| passcode (0) | 2020.03.07 |
| mistake (0) | 2020.03.07 |
| memcpy (0) | 2020.03.07 |