collision

{"author": ["ret2basic"]}

Challenge

Daddy told me about cool MD5 hash collision today. I wanna do something like that too!

ssh col@pwnable.kr -p2222 (pw:guest)

Code Review

#include <stdio.h>
#include <string.h>
unsigned long hashcode = 0x21DD09EC;
unsigned long check_password(const char* p){
        int* ip = (int*)p;
        int i;
        int res=0;
        for(i=0; i<5; i++){
                res += ip[i];
        }
        return res;
}

int main(int argc, char* argv[]){
        if(argc<2){
                printf("usage : %s [passcode]\n", argv[0]);
                return 0;
        }
        if(strlen(argv[1]) != 20){
                printf("passcode length should be 20 bytes\n");
                return 0;
        }

        if(hashcode == check_password( argv[1] )){
                system("/bin/cat flag");
                return 0;
        }
        else
                printf("wrong passcode.\n");
        return 0;
}

The program takes 5 4-byte hex numbers as argv[1] and it calls check_password(). If the sum of these 5 hex numbers equals 0x21DD09EC then the program prints out the flag.

Solution

We need to find 5 integers in hex that sum to 0x21dd09ec. The naive idea is to divide 0x21dd09ec by 5. It won't work because 0x21dd09ec isn't divisible by 5. But, following from this logic, we could find a solution using the formula:

0x21dd09ec = (0x21dd09ec // 5) * 4 + <residue>

Here we have 0x21dd09ec // 5 = 0x6c5cec8, so residue = 0x21dd09ec - 0x6c5cec8 * 4 = 0x6c5cecc. Since the convertion is done by int* ip = (int*)p (pointer, not string), we should use little-endian in argv[1].

Exploit

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host pwnable.kr --port 2222 --user col --password guest --path /home/col/col
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('col')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'pwnable.kr'
port = int(args.PORT or 2222)
user = args.USER or 'col'
password = args.PASSWORD or 'guest'
remote_path = '/home/col/col'

# Connect to the remote SSH server
shell = None
if not args.LOCAL:
    shell = ssh(user, host, port, password)
    shell.set_working_directory(symlink=True)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Execute the target binary on the remote host'''
    if args.GDB:
        return gdb.debug([remote_path] + argv, gdbscript=gdbscript, ssh=shell, *a, **kw)
    else:
        return shell.process([remote_path] + argv, *a, **kw)

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     i386-32-little
# RELRO:    Partial RELRO
# Stack:    Canary found
# NX:       NX enabled
# PIE:      No PIE (0x8048000)

argv = [p32(0x6c5cec8) * 4 + p32(0x6c5cecc)]
print(f"{argv = }")
io = start(argv)
success(io.readall().decode())