huge commit
This commit is contained in:
9
2026/cscg/pwn/intro-pwn-1/training-challenge/README.md
Normal file
9
2026/cscg/pwn/intro-pwn-1/training-challenge/README.md
Normal file
@@ -0,0 +1,9 @@
|
||||
This is an introductory challenge for exploiting Linux binaries with memory corruptions. Nowadays there are quite a few mitigations that make it not as straight forward as it used to be.
|
||||
So in order to introduce players to pwnable challenges, [LiveOverflow created a video walkthrough](https://www.youtube.com/watch?v=hhu7vhmuISY) of the first challenge.
|
||||
|
||||
This challenge was already featured in last year's CSCG. We are aware that public writeups exist, but we figured this challenge is still a nice-to-have for newcomers, so we released it again.
|
||||
|
||||
*Note*: The video writeup of LiveOverflow is not completely functional. To give you hint: It's about the address of the `ret` instruction that was chosen to re-align the stack.
|
||||
|
||||
Suppose `ASLR` is rather 'smooth' - meaning a whole bunch of nibbles are zero - (which is pretty much always the case in our setup) all addresses within the offset range of `0xa00` to `0xaff`
|
||||
translate to addresses looking like `xxxxxxxxxx0axx`, requiring you to send the bytes `xx xx xx xx xx xx 0a xx` over the wire. Now the problem with this is that `0a` is a newline (`\\n`), which in turn terminates `gets()` (refer to `man 3 gets`), meaning that your payload terminates prematurely.
|
||||
BIN
2026/cscg/pwn/intro-pwn-1/training-challenge/pwn1
Executable file
BIN
2026/cscg/pwn/intro-pwn-1/training-challenge/pwn1
Executable file
Binary file not shown.
70
2026/cscg/pwn/intro-pwn-1/training-challenge/pwn1.c
Normal file
70
2026/cscg/pwn/intro-pwn-1/training-challenge/pwn1.c
Normal file
@@ -0,0 +1,70 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
|
||||
// pwn1: gcc pwn1.c -o pwn1
|
||||
|
||||
// --------------------------------------------------- SETUP
|
||||
|
||||
void ignore_me_init_buffering() {
|
||||
setvbuf(stdout, NULL, _IONBF, 0);
|
||||
setvbuf(stdin, NULL, _IONBF, 0);
|
||||
setvbuf(stderr, NULL, _IONBF, 0);
|
||||
}
|
||||
|
||||
void kill_on_timeout(int sig) {
|
||||
if (sig == SIGALRM) {
|
||||
printf("[!] Anti DoS Signal. Patch me out for testing.");
|
||||
_exit(0);
|
||||
}
|
||||
}
|
||||
|
||||
void ignore_me_init_signal() {
|
||||
signal(SIGALRM, kill_on_timeout);
|
||||
alarm(60);
|
||||
}
|
||||
|
||||
// --------------------------------------------------- MENU
|
||||
|
||||
void WINgardium_leviosa() {
|
||||
printf("┌───────────────────────┐\n");
|
||||
printf("│ You are a Slytherin.. │\n");
|
||||
printf("└───────────────────────┘\n");
|
||||
system("/bin/sh");
|
||||
}
|
||||
|
||||
void welcome() {
|
||||
char read_buf[0xff];
|
||||
printf("Enter your witch name:\n");
|
||||
gets(read_buf);
|
||||
printf("┌───────────────────────┐\n");
|
||||
printf("│ You are a Hufflepuff! │\n");
|
||||
printf("└───────────────────────┘\n");
|
||||
printf(read_buf);
|
||||
}
|
||||
|
||||
void AAAAAAAA() {
|
||||
char read_buf[0xff];
|
||||
|
||||
printf(" enter your magic spell:\n");
|
||||
gets(read_buf);
|
||||
if(strcmp(read_buf, "Expelliarmus") == 0) {
|
||||
printf("~ Protego!\n");
|
||||
} else {
|
||||
printf("-10 Points for Hufflepuff!\n");
|
||||
_exit(0);
|
||||
}
|
||||
}
|
||||
// --------------------------------------------------- MAIN
|
||||
|
||||
void main(int argc, char* argv[]) {
|
||||
ignore_me_init_buffering();
|
||||
ignore_me_init_signal();
|
||||
|
||||
welcome();
|
||||
AAAAAAAA();
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user