81 lines
1.8 KiB
Plaintext
81 lines
1.8 KiB
Plaintext
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <sys/types.h>
|
|
#include <wchar.h>
|
|
#include <locale.h>
|
|
|
|
#define BUFSIZE 64
|
|
#define FLAGSIZE 64
|
|
#define CANARY_SIZE 4
|
|
|
|
void win() {
|
|
char buf[FLAGSIZE];
|
|
FILE *f = fopen("flag.txt","r");
|
|
if (f == NULL) {
|
|
printf("%s %s", "Please create 'flag.txt' in this directory with your",
|
|
"own debugging flag.\n");
|
|
fflush(stdout);
|
|
exit(0);
|
|
}
|
|
|
|
fgets(buf,FLAGSIZE,f); // size bound read
|
|
puts(buf);
|
|
fflush(stdout);
|
|
}
|
|
|
|
char global_canary[CANARY_SIZE];
|
|
void read_canary() {
|
|
FILE *f = fopen("canary.txt","r");
|
|
if (f == NULL) {
|
|
printf("%s %s", "Please create 'canary.txt' in this directory with your",
|
|
"own debugging canary.\n");
|
|
fflush(stdout);
|
|
exit(0);
|
|
}
|
|
|
|
fread(global_canary,sizeof(char),CANARY_SIZE,f);
|
|
fclose(f);
|
|
}
|
|
|
|
void vuln(){
|
|
char canary[CANARY_SIZE];
|
|
char buf[BUFSIZE];
|
|
char length[BUFSIZE];
|
|
int count;
|
|
int x = 0;
|
|
memcpy(canary,global_canary,CANARY_SIZE);
|
|
printf("How Many Bytes will You Write Into the Buffer?\n> ");
|
|
while (x<BUFSIZE) {
|
|
read(0,length+x,1);
|
|
if (length[x]=='\n') break;
|
|
x++;
|
|
}
|
|
sscanf(length,"%d",&count);
|
|
|
|
printf("Input> ");
|
|
read(0,buf,count);
|
|
|
|
if (memcmp(canary,global_canary,CANARY_SIZE)) {
|
|
printf("***** Stack Smashing Detected ***** : Canary Value Corrupt!\n"); // crash immediately
|
|
fflush(stdout);
|
|
exit(-1);
|
|
}
|
|
printf("Ok... Now Where's the Flag?\n");
|
|
fflush(stdout);
|
|
}
|
|
|
|
int main(int argc, char **argv){
|
|
|
|
setvbuf(stdout, NULL, _IONBF, 0);
|
|
|
|
// Set the gid to the effective gid
|
|
// this prevents /bin/sh from dropping the privileges
|
|
gid_t gid = getegid();
|
|
setresgid(gid, gid, gid);
|
|
read_canary();
|
|
vuln();
|
|
return 0;
|
|
}
|