32 bit ELF, with Partial RELRO, canary & NX enabled, No PIE
Add a user:
Show a user:
Update a user:
Here's the data structure of a user:
The program frees user->desc and then user while deleting a user. It also clears the pointer to the user, so there's no Use-After-Free vulnerability.
The program has some strange protection while setting the user's description:
So user->desc + text_len must be < user (both user->desc and user are pointers). Presumably this check is meant to prevent a heap overflow.
But what if we have the following heap memory layout?
According to the protection, userD->desc + text_len only has to be less than userD, which means it is fine to overwrite the whole of userB and userC.
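The flaw is that the check compares pointer order instead of the buffer's actual size, so it says nothing about how large the description chunk is. The following added example (not code from the challenge binary; the struct layout, field names and the simulated heap are assumptions) models the page's check next to a capacity-based check that rejects the same oversized write:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Modelled on the writeup's user object; field names are assumptions.
 * desc_cap is the extra bookkeeping the hardened check relies on. */
struct user {
    char *desc;       /* heap buffer holding the description */
    size_t desc_cap;  /* capacity of desc, recorded at allocation time */
    char name[32];
};

/* The check as described on the page: accept when desc + text_len lies
 * below the user struct.  This only encodes relative chunk order. */
bool weak_desc_check(const struct user *u, size_t text_len) {
    return (uintptr_t)u->desc + text_len < (uintptr_t)u;
}

/* Hardened check: the write must fit in the buffer that was allocated,
 * regardless of where that buffer sits relative to other chunks. */
bool safe_desc_check(const struct user *u, size_t text_len) {
    return text_len <= u->desc_cap;
}

/* Constructed "heap": a 32-byte desc chunk placed 128 bytes below the user
 * struct, so that there is room for other objects between them. */
static struct user *make_simulated_user(void) {
    _Alignas(16) static unsigned char arena[256];
    struct user *u = (struct user *)(arena + 128);
    u->desc = (char *)arena;
    u->desc_cap = 32;
    return u;
}

/* Returns 1 if the page's check would let a write of text_len through. */
int weak_check_accepts(size_t text_len) {
    return weak_desc_check(make_simulated_user(), text_len) ? 1 : 0;
}

/* Returns 1 if the capacity-based check would let the write through. */
int safe_check_accepts(size_t text_len) {
    return safe_desc_check(make_simulated_user(), text_len) ? 1 : 0;
}

int main(void) {
    size_t lens[] = {16, 32, 100, 200};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("text_len=%3zu  weak=%d  safe=%d\n", lens[i],
               weak_check_accepts(lens[i]), safe_check_accepts(lens[i]));
    }
    return 0;
}
```

With the desc chunk 128 bytes below the struct and only 32 bytes of capacity, the pointer-order check accepts a 100-byte write that runs 68 bytes past the buffer, while the capacity check rejects it; the fix is to store and compare the allocation size, which is the property the original check was trying to approximate.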
It is possible to arrange the above heap memory layout if we're familiar with malloc's allocation behaviour. We can then use the heap overflow to modify the userB->desc pointer, which gives us an arbitrary read/write primitive. After that it's straightforward: we leak libc's base address and hijack free's GOT entry to get a shell.