picoctf/pwn/buffer_overflow_2/vuln.c

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 100
#define FLAGSIZE 64

void win(unsigned int arg1, unsigned int arg2) {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  if (arg1 != 0xCAFEF00D)
    return;
  if (arg2 != 0xF00DF00D)
    return;
  printf(buf);
}

void vuln(){
  char buf[BUFSIZE];
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){
  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}
pwn/buffer_overflow_2 2024-09-03 19:46:13 +02:00			`#include <stdio.h>`
			`#include <stdlib.h>`
			`#include <string.h>`
			`#include <unistd.h>`
			`#include <sys/types.h>`

			`#define BUFSIZE 100`
			`#define FLAGSIZE 64`

			`void win(unsigned int arg1, unsigned int arg2) {`
			`char buf[FLAGSIZE];`
			`FILE *f = fopen("flag.txt","r");`
			`if (f == NULL) {`
			`printf("%s %s", "Please create 'flag.txt' in this directory with your",`
			`"own debugging flag.\n");`
			`exit(0);`
			`}`

			`fgets(buf,FLAGSIZE,f);`
			`if (arg1 != 0xCAFEF00D)`
			`return;`
			`if (arg2 != 0xF00DF00D)`
			`return;`
			`printf(buf);`
			`}`

			`void vuln(){`
			`char buf[BUFSIZE];`
			`gets(buf);`
			`puts(buf);`
			`}`

			`int main(int argc, char **argv){`
			`setvbuf(stdout, NULL, _IONBF, 0);`

			`gid_t gid = getegid();`
			`setresgid(gid, gid, gid);`

			`puts("Please enter your string: ");`
			`vuln();`
			`return 0;`
			`}`