virtual void add_weapon(string str){
    if(weapon.empty()){
        weapon = str ;
        if(!weapon.compare("Droupnir")){
            add_atk(800);
        }
        if(!weapon.compare("Gungnir")){
            add_mp(1600);
            // BUG: this object is already owned by a shared_ptr elsewhere.
            // Wrapping `this` in a brand-new shared_ptr creates a second,
            // independent owner with its own reference count; when that
            // temporary dies at the end of this statement it deletes the
            // object while the original shared_ptr still points to it.
            cast_spell(shared_ptr<Figure>(this));
        }
        if(!weapon.compare("Sleiphnir")){
            add_hp(300);
        }
        cout << "Done !" << endl ;
    }else{
        cout << "You already have weapons" << endl ;
    }
}
This code is one of the Odin class member functions, and it is very vulnerable.
shared_ptr is a reference-counted pointer. If you use shared_ptr like this, the "Odin object" ends up referenced by two shared_ptrs that do not share a reference count.
So although the other shared_ptr is still alive, the "Odin object" can be freed by the second shared_ptr. This causes a use-after-free.
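To make the double-ownership bug concrete, here is an added example (not the challenge's code) that puts the unsafe pattern next to the fix. A destructor counter records when the object dies, so the premature free is observable without ever touching freed memory; the hardened version uses std::enable_shared_from_this so cast_spell receives a shared_ptr that shares the existing control block.

```cpp
#include <memory>
#include <string>

// Counts destructor runs so callers can observe a premature free safely.
static int g_destroyed = 0;

// Unsafe pattern from the write-up: a fresh shared_ptr built from `this`
// becomes a second, independent owner with its own reference count.
struct UnsafeFigure {
    int mp = 0;
    ~UnsafeFigure() { ++g_destroyed; }
    static void cast_spell(std::shared_ptr<UnsafeFigure> f) { f->mp -= 100; }
    void add_weapon(const std::string& w) {
        if (w == "Gungnir") {
            mp += 1600;
            // The temporary owner deletes *this when the statement ends.
            cast_spell(std::shared_ptr<UnsafeFigure>(this));
            // Any member access from here on is a use-after-free; we only return.
        }
    }
};

// Hardened version: shared_from_this() joins the existing control block,
// so the refcount goes 1 -> 2 -> 1 and the object survives the call.
struct SafeFigure : std::enable_shared_from_this<SafeFigure> {
    int mp = 0;
    ~SafeFigure() { ++g_destroyed; }
    static void cast_spell(std::shared_ptr<SafeFigure> f) { f->mp -= 100; }
    void add_weapon(const std::string& w) {
        if (w == "Gungnir") {
            mp += 1600;
            cast_spell(shared_from_this());
        }
    }
};

// Returns how many times the object was destroyed while the caller still
// holds its pointer: 1 means `odin` now dangles (the bug in the write-up).
int unsafe_demo() {
    g_destroyed = 0;
    UnsafeFigure* odin = new UnsafeFigure;  // caller "owns" via raw pointer
    odin->add_weapon("Gungnir");
    return g_destroyed;                     // 1: freed out from under the caller
}

struct SafeResult { int destroyed; long use_count; int mp; };

// Same call on the fixed class: nothing destroyed, one owner left, mp updated.
SafeResult safe_demo() {
    g_destroyed = 0;
    auto odin = std::make_shared<SafeFigure>();
    odin->add_weapon("Gungnir");
    return SafeResult{g_destroyed, odin.use_count(), odin->mp};  // {0, 1, 1500}
}
```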
Binary mitigations: No PIE, Full RELRO.
- Trigger the UAF.
- Make a fake Odin object. You can arbitrarily allocate heap memory in the change_descript menu.
- Leak libc and overwrite __free_hook by using a "fake string object".