Pwnable.kr echo1 writeup
At first glance, I thought there were three ways to exploit this problem, since the menu offers three choices, ending with UAF; however, the last two are not available.
In echo1, the program calls get_input to read 128 bytes of input, but the buffer sits at rbp-0x20, so it can only hold 32 bytes. Between the buffer and the return address sits the old rbp, so we can write 32 + 8 bytes of junk followed by an address to jump to, and the overflow overwrites the return address.
Searching with jmpcall si in peda found no usable gadget. There is, however, an id variable in .bss that we can write into, and its address is fixed. So we can enter an id consisting of the jmp esp hex code (the same two-byte encoding is jmp rsp in 64-bit mode), then send A*40 + id's address + shellcode. After leave; retn, rsp points at the shellcode.
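To make the frame layout above concrete, here is an added C example (not code from the writeup or from the challenge binary) that models the frame as a plain byte array: a 32-byte buffer, then the saved rbp, then the return-address slot at offset 40. The stand-in return address, the marker that plays the role of the injected address, and the input bytes are all constructed for the example. It shows why a 128-byte read into that buffer reaches the return slot at exactly 32 + 8, and that a copy capped by the buffer size rather than by the requested length never does.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte-array model of the echo1 frame described in the writeup:
 * 32-byte input buffer at rbp-0x20, then the saved rbp (8 bytes),
 * then the return address (8 bytes). Hypothetical model, not the binary. */
#define BUF_SIZE   32
#define RBP_OFF    (BUF_SIZE)       /* 32: saved rbp follows the buffer */
#define RET_OFF    (BUF_SIZE + 8)   /* 40: the "32 + 8" from the writeup */
#define INPUT_MAX  128              /* length get_input reads */
#define REGION     (INPUT_MAX)      /* backing storage so memcpy stays in bounds */

#define ORIGINAL_RET 0x4343434343434343ULL  /* constructed stand-in for the real return address */
#define MARKER       0x00000000deadbeefULL  /* constructed stand-in for the injected address */

/* Offset from the start of the buffer to the return-address slot. */
size_t overflow_offset(void) { return RET_OFF; }

/* Unbounded copy, mirroring the pattern the writeup found: up to INPUT_MAX
 * bytes land in a BUF_SIZE-byte buffer with no check against BUF_SIZE. */
static void unbounded_read(unsigned char *buf, const unsigned char *src, size_t n) {
    if (n > INPUT_MAX) n = INPUT_MAX;
    memcpy(buf, src, n);
}

/* Hardened variant: the copy is capped by the buffer, not by the request,
 * and the result is always NUL-terminated. */
static size_t bounded_read(unsigned char *buf, const unsigned char *src, size_t n) {
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return n;
}

/* Feed n bytes of a constructed input (40 filler bytes followed by MARKER,
 * the payload shape the writeup describes) through one of the readers and
 * return whatever ends up in the return-address slot. */
uint64_t ret_slot_after(int bounded, size_t n) {
    unsigned char frame[REGION];
    unsigned char input[INPUT_MAX];
    uint64_t orig = ORIGINAL_RET, marker = MARKER, ret;

    memset(frame, 0, sizeof frame);
    memcpy(frame + RET_OFF, &orig, 8);     /* plant the original return address */

    memset(input, 'A', sizeof input);      /* constructed filler bytes */
    memcpy(input + RET_OFF, &marker, 8);   /* constructed 8-byte address after 40 bytes */
    if (n > INPUT_MAX) n = INPUT_MAX;

    if (bounded) bounded_read(frame, input, n);
    else         unbounded_read(frame, input, n);

    memcpy(&ret, frame + RET_OFF, 8);
    return ret;
}

int main(void) {
    printf("offset to return slot: %zu\n", overflow_offset());
    printf("unbounded, 40 bytes: ret = 0x%llx (only saved rbp clobbered)\n",
           (unsigned long long)ret_slot_after(0, 40));
    printf("unbounded, 48 bytes: ret = 0x%llx (return slot overwritten)\n",
           (unsigned long long)ret_slot_after(0, 48));
    printf("bounded,   48 bytes: ret = 0x%llx (return slot intact)\n",
           (unsigned long long)ret_slot_after(1, 48));
    return 0;
}
```

The 40-byte case is worth noting for detection: an input that clobbers only the saved rbp leaves the return slot intact but still corrupts the caller's frame, so a crash after leave; retn rather than at retn itself is a typical first symptom of this bug class.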