From 2fdd355b01c4bc7ed7c74dc12f64864573a641cc Mon Sep 17 00:00:00 2001
From: h7x4
Date: Tue, 3 Sep 2024 19:59:34 +0200
Subject: [PATCH] pwn/format_string_0
---
pwn/format_string_0/format-string-0 | Bin 0 -> 16632 bytes
pwn/format_string_0/format-string-0.c | 101 ++++++++++++++++++++++++++
pwn/format_string_0/output.txt | 8 ++
3 files changed, 109 insertions(+)
create mode 100755 pwn/format_string_0/format-string-0
create mode 100644 pwn/format_string_0/format-string-0.c
create mode 100644 pwn/format_string_0/output.txt
diff --git a/pwn/format_string_0/format-string-0 b/pwn/format_string_0/format-string-0 new file mode 100755 index 0000000000000000000000000000000000000000..a2905dfbdd61c30009a90bbf661fb0938f8e291f GIT binary patch literal 16632 zcmeHOYiu0Xb-r9$7X6S&y=+>Ftx+V#@`Gzql4bg-A*q#Cg&vG7H7WWS4Y|YJt(QCN znOTu^Du;^lVr2zP6SP8+A2LwK28tGJ5u~!(igcA)PJg&`ezYp;psHIJBxJh^tF%HY zd;6Vx?-|aHxImGj{ZZ^CX3jm|dE9f)y~DlpxL-`|-IZu)5L^=C8A05{3R6PrEJWAi zlGRw3SSC!dUfd^c1#$}xQ%Z=c8q-S&C1Bd5^%_CRu9Yg1npN~uk`sa{M@W?H7K*8> zik@DoSf-*y@npAzs+t!qCUM|RN&Y|zg<#5hVS9#D6T(pXObub5 z(~{21jHYZyEZG^_&d_#DXLKT%ay}_1bad%_b~T#dh*z{jazZeT+vT)fPU|z>sqL6j z8&sZsKgj$%?e%H9*ET9YuWdACh3O#$3#Q!OXJJQq`R^7U=7YMuTH|oFL3w1VS@B3A z-@kp^BZW+RAzv(yw2yRcZ{NNx>AT4-(tzSJaM1AY-hWtN+@=ZBX%vYu#j`(>t=4kV z_tVS1{MxO5_~$?V>XFafcH{SrgKzz873omiWJ5Ys$RAG;;;FtI2kC_QXlRibAo0Mx zFYzTq>`jF(kCiu}LTsynf35~TSOcfH7W02k4cw@Kp9W5{c%gqoi}^oL1HZopZq~r< z8hAVK6=JOzGs#j2zJA1D)(L!JS(q;amLJ$&U=7*%qVNN6V5lVge70y8#GqSp2+O$T zK$Oa`7#u8={TvMQzB};vWjp>&Vr@&LWy2F%|<|NGlF4rS?m@^1Dk97UeeCE=s^GowII`54L z&es^(Y>wb`{c!1s;QC**6m>=L@cMzojNtkwMCzv_I1&(+z6gGMhzjxf2!2NdKN7+3 zjNrKlj)d1sJp=U&)H6`eKs^KX4Ae95zn+1AYrgMi=@TC`rB5!IdqjxzSEhqRWhQ;% z2Td1b+m%P(13X`8`zMg*^@8+sB$=Q4$4aF#A$eNx&Ck6P@(Ibm5%RQPo1gomkf(*( z{M^eSPYbm9xo?I%EzIWUj)y!g$mZvs4|!Th&d=E)PYbj8xzC0?Ey(8Qx|v7x?K1kE zLdFliEymv)&@#I{Qoq@e;DK6kMTc_@|_><8Gq;3(&O)?PyF-M zzC)?b>CPXfFJ8QBl_@G~o`mML!DRFLFQb#HKNl9*iL+x^P^O=zbFk_xY0!|~Hbp?? 
z^5DdU!3E{!^`n>=Gg4ps6}i$(&NWw)8pmKk9n7To|z4GYE)Q$A%^r_WTUn(Ey_-Q}6!91=;=&FGSif#*ckKO`Knb@TQt^ zlJ@EG)b;d zx=WaS1?=oJPUER-Cl6mcx$oM^)V1-q$1f^xyC6|Dx)g2>vX3s|-0yBMMfd9^#L#{A z49>65;B>A9==naJroN7o@^UNu;TlI$mVDu1mE^4iol4E5$KRa#eyF&Q(2J?b*MWeZ z{VPSM|BmRXeUoHyt`RY%$KR&ZS}L{crv3#AvtPU+$FWs6F$4C>e$|NX*fBuksT(Jb z-7sIgQ^kfs7gsi)Yx*?8-ip)IUYwNZfb#d&Ln`DkuoG2-Wy&1nx;9cGCDqUI8CjCTzUNXKf^?L+UtYV$SF*lszmH0^kQnd1XIwrjw?FzTSQOon7S<@PrJcHxP^f}KqUBY|*-i$=!jFK4s)V%Ctbe9h5U zaBSZ(20X_O9OHi0zu(9gjUbozjZEHi1_IX`HHPy+&KPyeo@n!pHeZF<1H<556qt6b!{J?X@aLzS`?PA~?wvo-FV)W+&hi+nf z?IOi&~st}D1^^B1!~<0TmwBfiq3Fhw4Gl5 zIT@{HlnVBMWAx<*T;u*Cg%pf#P${B8kh#KHq>2F|ru-Sms5>;|6f<^^cZ*LL&=&DT zit0Rysx%(TQCcuMMc44l133<5)Co4I#2vzbA!gt4jygszKVvn98fb&MXjUk_9yo^s&XS;sBY5Zi$T|uo?RPL2 zA2v22^xUu$nc2MsyUouJ(9CZ0+x!3l-ef1@W@0fbJWE;E_#}N3L65pdKB!bqgLZvb zsZ4{;f|fvAKdMydsnFY?mq2g-*GlCYXc2UEgAl8(Rw~;-*ZrhYIRr|DzDc0c@WMgS zFw)Yn?#`u66Ohq+VET}t1mB+_g`G=V2C+I)b_$>+#6C%YF0G&x^GERc6k)05EniLaE~7_))czS9%h8_KUkKpq_zx z2I?88XW;*P21+YU*+o-Ry-bwf29n@TDaEP9lr{cl?aUg*-y>0opHcie&GWZ^Yc=1h z<+R45!t$SfQgMl&Y&40;?`w&gOH3l+H?NnpoWH$$RZ4}Rw`o*pT}fq)BH_7_Yo;k{ z3C+v(A?myyruS@A?p8!h+-k}i<7v%v+-a>x>vJmHKHi7P{xoTQyd0H0=M_tG$LDrbjd_X*#Cqgr;XSoz!$%(-}?U?dU8ddYE0g{*Wd@;1b${PCj0#Ar$F{AfC zXm#v$P`J?71>;*Z&esd$G#?u9z3|udJmc}Ed$X2UB3Pp|C-ca9bQk2 ze;1X-`dh1CXQiK2;!|xVy9nuGe%_S&cZvA?_-kpkQt zgM=*hJ@pCThPX$RVtzIQU(C9Mgat-`@zzq&ALN5Sck+?^U#QHTuIR1G5$t~LEAAm2GpLyUdn1`2Re*S~>6U|~; z&vU+?|C;pE9Pa;-_x@<3IkC9^jS_Dbf2^;IjE?6a;M8t>TprW<^f3z+dEXBDR1N?8 zYv5V!=fY}}+z5I94*Glz{VxHhe8%JX2H}YFjA@b^q0T~l3;0T0kAJG;gu7lnCQdVmJPRkP3&R^Q!y>Cx1U~EjW zQfVzs?>s21-Fpx8bnmqe?ArBg>X3D)yJv3-7V!-cCU055<^;75B1CBG0_};Y0xSnl zJ8dDmwXhwcN=5C8sDk8fj4A}_gdepL0u9rqj4HX>piu?I_D;Zq?^-##m?=2I+H(ND zGWnua_MMF0#ZhgI=d{Ag6fDmvxC3}fPHhKx3|PuLyuYK$0NXV1Y`2V*_4~dKRBj=W zn?|Zst9OfpqQ{URJh!#_-F~@WBot6)E$h&}UOkTVxL)g))T3}ACj)I$@ty2Z-Ahl1 zq(3?o*!`e^r)Z9A*oxwKC6O$;cx0X}mXjq954gQxGy?UP^Vm9t?JG*FyJt^3&3&n! 
zv$5|bnHepj2}J`>Nsc<6j|bdUj0G7oX_JAjl?s7K(i|2^RFl3lAd-QDmljF72B751 zsgrbade-MMaKfB2RnuQta2+k!LwPvMy6}Y)xkrRF50e-hkyMZ21HQKZ2b9*u_*aYH zd{tT-Oma2_;dLrQ+fj+y=d?ZV1Kh-ln)2@q z!+T=(yuNx#FR%?()HH5S`^x?uYhR9^*ZY&&p4+GAz*OS#+rVh8&-Q#ja7o+e8pulZ zk*aLZ>+(D>Qe}I-zcBR=;j55Ei*^@6&!a|bdA8^E`>eLVPiu1gtjF|4$m!mIdA>hr z(gvosr!k7guVK0GigL>Kd_R)b_O$+_!tKZV|2vS8eGe(2@cqq%HsIeoVku{F`D}V@;t7jZf76vbMjh6(%FLRAoD+ zB#+wje&-1+t*9)IO<1;5QX#&NO4Od$nP>D3C*K#de$1WtGi}e~$Ll#^D2wmvdCc~l zf98LH3boJnydLL$wRE2mE%Ek$1Yy)(Y%-PlCPfSqMoPT>cOhGjgTv(eecopq*JqyT zENq)2_Iy9oN-tqiSWj^aJmc3Opt;BG^L+~Mo2GR#6}ovmV7qh>+OKGf+8N^ueU)XGk!T +#include +#include +#include +#include +#include + +#define BUFSIZE 32 +#define FLAGSIZE 64 + +char flag[FLAGSIZE]; + +void sigsegv_handler(int sig) { + printf("\n%s\n", flag); + fflush(stdout); + exit(1); +} + +int on_menu(char *burger, char *menu[], int count) { + for (int i = 0; i < count; i++) { + if (strcmp(burger, menu[i]) == 0) + return 1; + } + return 0; +} + +void serve_patrick(); + +void serve_bob(); + + +int main(int argc, char **argv){ + FILE *f = fopen("flag.txt", "r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(flag, FLAGSIZE, f); + signal(SIGSEGV, sigsegv_handler); + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + serve_patrick(); + + return 0; +} + +void serve_patrick() { + printf("%s %s\n%s\n%s %s\n%s", + "Welcome to our newly-opened burger place Pico 'n Patty!", + "Can you help the picky customers find their favorite burger?", + "Here comes the first customer Patrick who wants a giant bite.", + "Please choose from the following burgers:", + "Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe", + "Enter your recommendation: "); + fflush(stdout); + + char choice1[BUFSIZE]; + scanf("%s", choice1); + char *menu1[3] = {"Breakf@st_Burger", "Gr%114d_Cheese", "Bac0n_D3luxe"}; + if (!on_menu(choice1, menu1, 3)) { + printf("%s", "There is no such burger yet!\n"); 
+ fflush(stdout);
+ } else {
+ int count = printf(choice1);
+ if (count > 2 * BUFSIZE) {
+ serve_bob();
+ } else {
+ printf("%s\n%s\n",
+ "Patrick is still hungry!",
+ "Try to serve him something of larger size!");
+ fflush(stdout);
+ }
+ }
+}
+
+void serve_bob() {
+ printf("\n%s %s\n%s %s\n%s %s\n%s",
+ "Good job! Patrick is happy!",
+ "Now can you serve the second customer?",
+ "Sponge Bob wants something outrageous that would break the shop",
+ "(better be served quick before the shop owner kicks you out!)",
+ "Please choose from the following burgers:",
+ "Pe%to_Portobello, $outhwest_Burger, Cla%sic_Che%s%steak",
+ "Enter your recommendation: ");
+ fflush(stdout);
+
+ char choice2[BUFSIZE];
+ scanf("%s", choice2);
+ char *menu2[3] = {"Pe%to_Portobello", "$outhwest_Burger", "Cla%sic_Che%s%steak"};
+ if (!on_menu(choice2, menu2, 3)) {
+ printf("%s", "There is no such burger yet!\n");
+ fflush(stdout);
+ } else {
+ printf(choice2);
+ fflush(stdout);
+ }
+}
diff --git a/pwn/format_string_0/output.txt b/pwn/format_string_0/output.txt
new file mode 100644
index 0000000..8cf3b6c
--- /dev/null
+++ b/pwn/format_string_0/output.txt
@@ -0,0 +1,8 @@
+$ nc mimas.picoctf.net 60131
+Welcome to our newly-opened burger place Pico 'n Patty! Can you help the picky customers find their favorite burger?
+Here comes the first customer Patrick who wants a giant bite.
+Please choose from the following burgers: Breakf@st_Burger, Gr%114d_Cheese, Bac0n_D3luxe
+Enter your recommendation: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+There is no such burger yet!
+
+picoCTF{7h3_cu570m3r_15_n3v3r_SEGFAULT_ef312157}
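Review bot: `scanf("%s", choice1)` in serve_patrick and `scanf("%s", choice2)` in serve_bob read an unbounded token into `char[BUFSIZE]` stack buffers, and the accepted input is then used as the format itself in `printf(choice1)` and `printf(choice2)`, so menu entries such as `Gr%114d_Cheese` and `Cla%sic_Che%s%steak` make printf consume arguments that were never passed (undefined behaviour). Given the path `pwn/format_string_0` and the SIGSEGV handler that prints `flag`, this looks deliberate for a training binary; if so, a file-header comment such as `/* Deliberately vulnerable CTF challenge: do not reuse this input handling. */` would stop the pattern being copied elsewhere. Outside a challenge the fixes are `scanf("%31s", choice1)` with the return value checked, and `printf("%s", choice1)`. Separately, sigsegv_handler calls printf, fflush and exit, none of which are async-signal-safe, and main never checks the results of fgets or setresgid.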