FSB and UAF are used in this simple problem. Let's have a look at it.
int __cdecl main(int argc, const char **argv, const char **envp)
{
    int *v3; // rsi@1
    _QWORD *v4; // rax@1
    int v6; // [sp+Ch] [bp-24h]@1
    _QWORD v7[4]; // [sp+10h] [bp-20h]@1

    setvbuf(stdout, 0LL, 2, 0LL);
    setvbuf(stdin, 0LL, 1, 0LL);
    o = malloc(40uLL);                      // global object: 24-byte name followed by two function pointers
    *((_QWORD *)o + 3) = greetings;         // function pointer at o+0x18
    *((_QWORD *)o + 4) = byebye;            // function pointer at o+0x20
    printf("hey, what's your name? : ", 0LL);
    v3 = (int *)v7;
    __isoc99_scanf("%24s", v7);
    v4 = o;
    *(_QWORD *)o = v7[0];                   // copy the name into the first 24 bytes of o
    v4[1] = v7[1];
    v4[2] = v7[2];
    id = v7[0];
    getchar();
    func[0] = (__int64)echo1;               // menu 1: BOF echo
    func_1_ = (__int64)echo2;               // menu 2: FSB echo
    func_2_ = (__int64)echo3;               // menu 3: UAF echo
    v6 = 0;
    do
    {
        while ( 1 )
        {
            while ( 1 )
            {
                puts("\n- select echo type -");
                puts("- 1. : BOF echo");
                puts("- 2. : FSB echo");
                puts("- 3. : UAF echo");
                puts("- 4. : exit");
                printf("> ", v3);
                v3 = &v6;
                __isoc99_scanf("%d", &v6);
                getchar();
                if ( (unsigned int)v6 > 3 )
                    break;
                ((void (__fastcall *)(const char *, int *))func[(unsigned __int64)(unsigned int)(v6 - 1)])("%d", &v6);
            }
            if ( v6 == 4 )
                break;
            puts("invalid menu");
        }
        cleanup();                          // frees o before the exit has been confirmed
        printf("Are you sure you want to exit? (y/n)", &v6);
        v6 = getchar();
    }
    while ( v6 != 121 );                    // 121 == 'y'; any other answer returns to the menu
    puts("bye");
    return 0;
}
When cleanup() runs, it calls free(o). So if you press 4 to exit and then cancel at the confirmation prompt, o has already been freed, but it is still used in the following step when you press 2.

In echo3, a malloc(32) is issued; that size is small enough to get back the same block that cleanup() freed. We can use it to modify the address of greetings (stored at o+3*8).
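As an added illustration (not code from the original writeup), the following models the object layout that the decompiled main() builds and contrasts the cleanup-on-prompt shape that leaves o dangling with a hardened cleanup that frees only on a confirmed exit, nulls the pointer, and checks it before dispatching; the names echo_obj, obj_create, cleanup_if_confirmed and call_greetings are assumptions.

```c
/* Added example, not from the original writeup. Layout mirrors the
 * decompiled code: a 24-byte name, then two function pointers at
 * o+3*8 and o+4*8. Names here are assumptions, not the binary's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char name[24];
    void (*greetings)(const char *);
    void (*byebye)(const char *);
} echo_obj;

static echo_obj *o;   /* same global-pointer pattern as the binary */

static void greetings(const char *n) { printf("hello %s\n", n); }
static void byebye(const char *n)    { printf("goodbye %s\n", n); }

echo_obj *obj_create(const char *name) {
    echo_obj *p = malloc(sizeof *p);        /* 40 bytes, like malloc(40uLL) */
    if (!p) return NULL;
    memset(p, 0, sizeof *p);
    strncpy(p->name, name, sizeof p->name - 1);
    p->greetings = greetings;
    p->byebye = byebye;
    return p;
}

/* Vulnerable shape: free() runs at the exit prompt and the pointer is left
 * dangling, so a cancelled exit keeps using o, and a later malloc(32) lands
 * in the same glibc bin (both 40 and 32 round up to a 48-byte chunk). */
void cleanup_vulnerable(void) { free(o); }

/* Hardened shape: free only after the exit is confirmed, then null the
 * pointer so any later use is a detectable NULL rather than a UAF. */
int cleanup_if_confirmed(int answer) {
    if (answer != 'y') return 0;            /* cancelled: object stays live */
    free(o);
    o = NULL;
    return 1;
}

/* Dispatch through the function pointer only while the object is live. */
int call_greetings(void) {
    if (o == NULL) return -1;               /* refuse to touch a freed object */
    o->greetings(o->name);
    return 0;
}
```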
Since NX is disabled, our shellcode can be written in name; then we can leak its address through the FSB. After that, just overwrite greetings and trigger it to get a shell.