# 34 - echo2

## The Challenge

Pwn this echo service.

download : <http://pwnable.kr/bin/echo2>

Running at : nc pwnable.kr 9011

## The Solution

This solution will take a different approach from other writeups.

This binary is the same as echo1 with one key difference: `bof` \[Buffer Overflow] is disabled, while `fsb` \[Format String Bug] and `uaf` \[Use After Free] are enabled.

With `fsb` our input ends up as the `printf` format string, so we can either write to chosen memory locations or leak data (stack contents and the register arguments).

On my first approach I wanted to use `fsb` to overwrite data. I abandoned it because of some issue with the null terminator \[I forgot what it was ¯\\\_(ツ)\_/¯].

`uaf` allocates 32 bytes, reads user input into the allocation \[No Overflow] and frees it. So why is it called `uaf`?

I noticed that strange things happen if I choose to exit and then decline. A look at the code shows that `name` is freed even if I decline, which leaves the program holding a pointer to a freed chunk. Now if we use `uaf`, its 32-byte allocation is served from that freed chunk, so our input is written where our name was.

![cleanup function](https://3609409146-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MFKoejdbAjmSQIWMVBk%2F-MKUCZ1Eu558HBieOdro%2F-MKfDzJDDJ3wEDyhRqq3%2Fimage.png?alt=media\&token=9f624b0e-5d9d-4516-a58e-90eb63c08664)

Since `name` occupies the first 24 bytes of the chunk, bytes 25 to 32 of the `uaf` input overwrite the address of `greetings`, a function pointer stored right after `name` that is called at the start of `uaf` through a register \[for position independent code]. Using the leaked heap address we can point it back at the chunk itself and redirect execution to our input, which will contain shellcode :) Because the shellcode runs from the heap, this depends on the binary having NX disabled, which is worth confirming with `checksec` before building the payload.

There were some differences between the local and remote binaries:

* Locally the heap pointer is leaked with `%3$x`; on the remote service it is leaked with `%x`.
* The offset from the leaked base to the target chunk was different on the remote.

To overcome the second obstacle I bruteforced the offset until I obtained a shell.
