At first glance, I thought there were three ways to exploit this problem, since it gives me three choices: BOF, FSB, UAF. However, the last two are not available.

In echo1, it calls get_input to read 128 bytes of input, but the buffer sits at bp-20h, so it can only hold 32 bytes of data. Above the buffer is the old rbp, and above that the return address, so we can write 32 + 8 bytes of trash followed by an address to jump to in order to overflow it.

Searching with jmpcall si in peda found no result. There is an id in .bss which we can write into, and its address is fixed. So we can fill id with the jmp esp hex code and write A*40 + id's addr + shellcode. (After leave; retn; the rsp will point to the shellcode.)
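The layout described above (a 32-byte buffer, then the saved rbp, then the return address 40 bytes in) is the whole reason a 128-byte read is dangerous. The C program below is an added illustration, not code from the challenge or this writeup: it models the frame as a plain struct (a real frame is not a struct, but the offsets match the writeup's bp-20h arithmetic), shows the unsafe copy pattern that get_input amounts to beside a hardened copy that takes the destination size, and reports what lands in the return-address slot in each case. The names get_input_unsafe, get_input_safe, struct frame and the 48-byte input are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame, laid out like the one in echo1: a 32-byte buffer
 * at rbp-0x20, then the saved rbp (8 bytes), then the return address.
 * Modelled as a struct so the overflow can be observed without real UB. */
struct frame {
    char     buf[32];
    uint64_t saved_rbp;
    uint64_t ret_addr;
};

#define INPUT_LEN  48                       /* 32 + 8 + 8, enough to reach ret_addr */
#define MARKER     0x4343434343434343ULL    /* constructed value placed where a return address would go */
#define ORIG_RBP   0x1111111111111111ULL
#define ORIG_RET   0x2222222222222222ULL

/* Constructed input: 32 bytes of filler, 8 bytes over the saved rbp,
 * then an 8-byte marker that lands exactly on the return-address slot. */
static void build_input(char out[INPUT_LEN]) {
    uint64_t marker = MARKER;
    memset(out, 'A', 32);
    memset(out + 32, 'B', 8);
    memcpy(out + 40, &marker, sizeof marker);
}

/* Unsafe pattern (hypothetical model of echo1's get_input): the callee is
 * told how many bytes to read but nothing about how big dst really is. */
static size_t get_input_unsafe(void *dst, const char *src, size_t n) {
    memcpy(dst, src, n);
    return n;
}

/* Hardened version: the destination size is part of the interface; the copy
 * is capped at dstsz-1 so the buffer stays inside its bounds and NUL-terminated. */
static size_t get_input_safe(char *dst, size_t dstsz, const char *src, size_t n) {
    if (dstsz == 0) return 0;
    size_t ncopy = n < dstsz - 1 ? n : dstsz - 1;
    memcpy(dst, src, ncopy);
    dst[ncopy] = '\0';
    return ncopy;
}

/* Distance from the start of the buffer to the return-address slot (40). */
size_t bytes_to_return_address(void) {
    return offsetof(struct frame, ret_addr);
}

/* Feed the 48-byte input through the unsafe copy; returns what ret_addr holds afterwards.
 * The copy targets the whole frame object, which is where the buffer starts. */
uint64_t ret_addr_after_unsafe_copy(void) {
    struct frame fr = { {0}, ORIG_RBP, ORIG_RET };
    char input[INPUT_LEN];
    build_input(input);
    get_input_unsafe(&fr, input, sizeof input);
    return fr.ret_addr;
}

/* Same input through the bounded copy; ret_addr must be untouched. */
uint64_t ret_addr_after_safe_copy(void) {
    struct frame fr = { {0}, ORIG_RBP, ORIG_RET };
    char input[INPUT_LEN];
    build_input(input);
    get_input_safe(fr.buf, sizeof fr.buf, input, sizeof input);
    return fr.ret_addr;
}

/* How many bytes the bounded copy actually stored (31, leaving room for the NUL). */
size_t bytes_stored_by_safe_copy(void) {
    struct frame fr = { {0}, ORIG_RBP, ORIG_RET };
    char input[INPUT_LEN];
    build_input(input);
    return get_input_safe(fr.buf, sizeof fr.buf, input, sizeof input);
}

int main(void) {
    printf("return address is %zu bytes past the buffer\n", bytes_to_return_address());
    printf("unsafe copy: ret_addr = 0x%016llx (clobbered by marker)\n",
           (unsigned long long)ret_addr_after_unsafe_copy());
    printf("safe copy:   ret_addr = 0x%016llx (unchanged), %zu bytes stored\n",
           (unsigned long long)ret_addr_after_safe_copy(), bytes_stored_by_safe_copy());
    return 0;
}
```

The fix is not clever: the function that fills the buffer must know the buffer's size, and the read length must be derived from sizeof the destination rather than from a constant chosen elsewhere. Stack canaries or a non-executable stack would add defence in depth, but the bounded copy is what removes the bug.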