Format String 1
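--- a/format_string_1/flag.txt
+++ b/format_string_1/flag.txt
@@ -0,0 +1 @@
+flagFLAG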
BIN
format_string_1/format-string-1
Executable file
BIN
format_string_1/format-string-1
Executable file
Binary file not shown.
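--- a/format_string_1/format-string-1.c
+++ b/format_string_1/format-string-1.c
@@ -0,0 +1,44 @@
+#include <stdio.h>
+
+
+int main() {
+char buf[1024];
+char secret1[64];
+char flag[64];
+char secret2[64];
+
+// Read in first secret menu item
+FILE *fd = fopen("secret-menu-item-1.txt", "r");
+if (fd == NULL){
+printf("'secret-menu-item-1.txt' file not found, aborting.\n");
+return 1;
+}
+fgets(secret1, 64, fd);
+// Read in the flag
+fd = fopen("flag.txt", "r");
+if (fd == NULL){
+printf("'flag.txt' file not found, aborting.\n");
+return 1;
+}
+fgets(flag, 64, fd);
+// Read in second secret menu item
+fd = fopen("secret-menu-item-2.txt", "r");
+if (fd == NULL){
+printf("'secret-menu-item-2.txt' file not found, aborting.\n");
+return 1;
+}
+fgets(secret2, 64, fd);
+
+printf("Give me your order and I'll read it back to you:\n");
+fflush(stdout);
+scanf("%1024s", buf);
+printf("Here's your order: ");
+printf(buf);
+printf("\n");
+fflush(stdout);
+
+printf("Bye!\n");
+fflush(stdout);
+
+return 0;
+}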
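Review bot: `scanf("%1024s", buf)` can store 1025 bytes in the 1024-byte `buf`, because the field width does not count the terminating NUL; `scanf("%1023s", buf);` keeps the read in bounds. The `printf(buf)` two lines later uses the user's input as the format string, which, going by the commit title, looks like the deliberate bug of the exercise. If so, mark it with a comment such as `// intentionally vulnerable: input used as format string; the safe form is printf("%s", buf)`, so the pattern is not copied and the off-by-one above is not mistaken for part of the challenge. The three `fgets` results are not checked and none of the `FILE *` handles is closed, so an empty input file leaves the matching stack buffer uninitialized.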
BIN
format_string_1/format-string-1_patched
Executable file
BIN
format_string_1/format-string-1_patched
Executable file
Binary file not shown.
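--- a/format_string_1/secret-menu-item-1.txt
+++ b/format_string_1/secret-menu-item-1.txt
@@ -0,0 +1 @@
+secret1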
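--- a/format_string_1/secret-menu-item-2.txt
+++ b/format_string_1/secret-menu-item-2.txt
@@ -0,0 +1 @@
+secret2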
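--- a/format_string_1/sol.py
+++ b/format_string_1/sol.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python3
+
+from pwn import *
+
+exe = ELF("./format-string-1_patched")
+
+context.binary = exe
+
+
+def conn():
+if args.LOCAL:
+r = process([exe.path])
+if args.DEBUG:
+gdb.attach(r)
+else:
+r = remote("addr", 1337)
+
+return r
+
+
+def main():
+r = conn()
+
+# good luck pwning :)
+
+r.interactive()
+
+
+if __name__ == "__main__":
+main()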
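Review bot: `remote("addr", 1337)` in `conn()` is still the template placeholder, so any run without `LOCAL` fails at name resolution; reading the endpoint from the command line, e.g. `r = remote(args.HOST, int(args.PORT or 1337))`, avoids editing the file for each challenge instance. The script also loads `./format-string-1_patched`, which this commit adds only as an opaque binary. A comment saying how it was derived from `format-string-1` would let a reader reproduce it instead of trusting the blob. Indentation is not visible on this page, so the block structure of `conn()` and `main()` was not reviewed.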