Gros - echo1


Arch:     amd64-64-little
RELRO:    Partial RELRO
Stack:    No canary found
NX:       NX disabled
PIE:      No PIE (0x400000)
RWX:      Has RWX segments

Running binary:

hey, what's your name? : test

- select echo type -
- 1. : BOF echo
- 2. : FSB echo
- 3. : UAF echo
- 4. : exit
> 1
hello test

goodbye test

- select echo type - ...

We give name and then there is menu with only first option working - Buffer OverFlow.

First 4-th bytes of the name lands at constant address 0x6020a0 <id>.

The code of “BOF echo”:

__int64 echo1()
  char s[32]; // [rsp+0h] [rbp-20h]

  get_input(s, 0x80);
  func_array->print_goodbye(func_array, 0x80);
  return 0LL;

As there are no security contermeasures the challenge is straight-forward: