some things

DownUnderCTF 2023/beginner/one byte/README.md

@@ -0,0 +1,45 @@
+# one byte
+
+```
+Here's a one byte buffer overflow!
+
+Author: joseph
+nc 2023.ductf.dev 30018 
+```
+
+# Source
+
+## onebyte.c
+
+```c
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+void win() {
+    system("/bin/sh");
+}
+
+int main() {
+    init();
+
+    printf("Free junk: 0x%lx\n", init);
+    printf("Your turn: ");
+
+    char buf[0x10];
+    read(0, buf, 0x11);
+}
+```
+
+# Analyse
+
+Das Ziel ist recht eindeutig. Wir kontrollieren 1 Byte und sollen einen Sprung nach win() bewirken.
+
+# Lösung
+
+#TODO

DownUnderCTF 2023/beginner/one byte/onebyte.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+void win() {
+    system("/bin/sh");
+}
+
+int main() {
+    init();
+
+    printf("Free junk: 0x%lx\n", init);
+    printf("Your turn: ");
+
+    char buf[0x10];
+    read(0, buf, 0x11);
+}

DownUnderCTF 2023/beginner/one byte/onebyte.py

@@ -0,0 +1,28 @@
+from pwn import *
+import os
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+br *main
+c
+'''
+
+elf = ELF(os.getcwd()+"/downunderflow")
+
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gs)
+    if args.REMOTE:
+        return remote("2023.ductf.dev", 30018)
+    else:
+        return process(os.getcwd()+"/downunderflow")
+
+io = start()
+
+print(io.recvuntil("Your turn: "))
+io.send(cyclic(11))
+
+
+io.interactive()