move walkthroughs to descriptions

binary-exploitation/pie-overflow-w/_0/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_1/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_10/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_11/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_12/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_13/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_14/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }

binary-exploitation/pie-overflow-w/_15/binary-exploitation-pie-overflow-w.c

@@ -131,11 +131,8 @@ int challenge(int argc, char **argv, char **envp)
     puts("- the canary is disabled, otherwise you would corrupt it before");
     puts("overwriting the return address, and the program would abort.");
 
-    puts("Because the binary is position independent, you cannot know");
-    puts("exactly where the win_authed() function is located.");
-    puts("This means that it is not clear what should be written into the return address.\n");
-
-    size = 4096;
+    printf("Payload size: ");
+    scanf("%lu", &size);
 
     printf("You have chosen to send %lu bytes of input!\n", size);
     printf("This will allow you to write from %p (the start of the input buffer)\n", input);
@@ -144,21 +141,6 @@ int challenge(int argc, char **argv, char **envp)
     printf("Of these, you will overwrite %d bytes into the return address.\n", (long)((unsigned long) input + size - rp_));
     printf("If that number is greater than 8, you will overwrite the entire return address.\n\n");
 
-    puts("Overwriting the entire return address is fine when we know");
-    puts("the whole address, but here, we only really know the last three nibbles.");
-    puts("These nibbles never change, because pages are aligned to 0x1000.");
-    puts("This gives us a workaround: we can overwrite the least significant byte");
-    puts("of the saved return address, which we can know from debugging the binary,");
-    puts("to retarget the return to main to any instruction that shares the other 7 bytes.");
-    puts("Since that last byte will be constant between executions (due to page alignment),");
-    puts("this will always work.");
-    puts("If the address we want to redirect execution to is a bit farther away from");
-    puts("the saved return address, and we need to write two bytes, then one of those");
-    puts("nibbles (the fourth least-significant one) will be a guess, and it will be");
-    puts("incorrect 15 of 16 times.");
-    puts("This is okay: we can just run our exploit a few times until it works");
-    puts("(statistically, ~50% chance after 11 times and ~90% chance after 36 times).");
-
     puts("One caveat in this challenge is that the win_authed() function must first auth:");
     puts("it only lets you win if you provide it with the argument 0x1337.");
     puts("Speifically, the win_authed() function looks something like:");
@@ -233,4 +215,5 @@ int main(int argc, char **argv, char **envp)
 
     challenge(argc, argv, envp);
 
+    printf("### Goodbye!\n");
 }