33 - echo1
The Challenge
Pwn this echo service.
Download: http://pwnable.kr/bin/echo1
Running at: nc pwnable.kr 9010
The Solution
By running the binary we learned that:
We can input a name.
Three options are offered to us.
Only the first option is implemented, and it is named "bof" [lol].
We can choose to exit the program and then decline the confirmation. This behavior matters more for echo2, but if we then exit after declining we get a nice print of the memory mapping, which shows that ASLR is turned on.
After further debugging we learned that:
No other protection is turned on.
There is no overflow in the name input. Its first four characters are stored in a variable named "id" in the BSS section. That section is not affected by ASLR, and in this binary it is executable too!
Not very surprisingly, we can overflow the buffer in the "bof" input.
The attack becomes clear now:
The overflow payload consists of padding + the address of "id" + the shellcode.
"id" holds a 'jmp esp' instruction, which redirects execution to the shellcode.
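The two properties found while debugging (a non-PIE image whose BSS sits at a fixed address, and a data segment that is writable and executable, alongside the stack flag) can be read straight from the ELF program headers. The audit helper below is an added example and not part of the original writeup; the ELF32 image it builds is a constructed stand-in laid out the way the writeup describes echo1, not the real binary.

```python
import struct

# Constants from the ELF specification.
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def audit_elf32(data: bytes) -> dict:
    """Read only the ELF32 header and program headers and report the three
    properties the writeup leans on: is the image position-dependent (so .bss
    sits at a fixed address regardless of ASLR), is the data segment holding
    .bss both writable and executable, and is the stack executable."""
    if data[:4] != b"\x7fELF" or data[4] != 1:  # EI_CLASS == 1 means ELF32
        raise ValueError("not an ELF32 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    wx_data = False
    exec_stack = True  # no PT_GNU_STACK header: the loader assumes an executable stack
    for i in range(e_phnum):
        fields = struct.unpack_from("<8I", data, e_phoff + i * e_phentsize)
        p_type, p_flags = fields[0], fields[6]
        if p_type == PT_LOAD and (p_flags & (PF_W | PF_X)) == (PF_W | PF_X):
            wx_data = True
        elif p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
    return {"fixed_address": e_type == ET_EXEC, "wx_data_segment": wx_data, "exec_stack": exec_stack}


def build_sample_elf32(data_flags: int, stack_flags: int, e_type: int = ET_EXEC) -> bytes:
    """Constructed ELF32 stand-in (header plus three program headers), not the
    real echo1 file: only the fields audit_elf32 inspects are meaningful."""
    phdrs = [
        (PT_LOAD, 0, 0x08048000, 0x08048000, 0x1000, 0x1000, PF_R | PF_X, 0x1000),
        (PT_LOAD, 0x1000, 0x0804A000, 0x0804A000, 0x100, 0x200, data_flags, 0x1000),
        (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16),
    ]
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)  # ELF32, little-endian, version 1
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x08048000,
                               52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", *p) for p in phdrs)


if __name__ == "__main__":
    # Layout matching what the writeup describes: no PIE, RWX data, executable stack.
    print(audit_elf32(build_sample_elf32(PF_R | PF_W | PF_X, PF_R | PF_W | PF_X)))
    # The same image rebuilt with PIE, RW-only data and a non-executable stack.
    print(audit_elf32(build_sample_elf32(PF_R | PF_W, PF_R | PF_W, ET_DYN)))
```

Point `audit_elf32` at the bytes of a real ELF32 file to get the same three answers for it; a `True` on all three is the combination that makes the fixed-address "id" trick possible.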