RPISEC/MBE: writeup lab9C C++

ex@Ex:~/test$ ./lab9C 
+------- DSVector Test Menu -------+
| 1. Append item                   |
| 2. Read item                     |
| 3. Quit                          |
+----------------------------------+
Enter choice: 2
Choose an index: 7
DSVector[7] = -134461635
+------- DSVector Test Menu -------+
| 1. Append item                   |
| 2. Read item                     |
| 3. Quit                          |
+----------------------------------+
Enter choice: 2
Choose an index: 8
DSVector[8] = 1

ex@Ex:~/test$ gdb ./glab9C 
pwndbg: loaded 175 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from ./glab9C...done.
pwndbg> b 78
Breakpoint 1 at 0x80489b0: file lab9C.cpp, line 78.
pwndbg> r
Starting program: /home/ex/test/glab9C 

Breakpoint 1, main (argc=1, argv=0xffffcee4) at lab9C.cpp:78
78            print_menu();
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────
    EAX  0x1
    EBX  0x0
    ECX  0xf7e2a890 (_IO_stdfile_1_lock) ◂— 0x0
    EDX  0x0
    EDI  0x0
    ESI  0xf7e29000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
    EBP  0xffffce48 ◂— 0x0
    ESP  0xffffca00 —▸ 0xf7e29d80 (_IO_2_1_stdout_) ◂— 0xfbad2087
    EIP  0x80489b0 (main+108) —▸ 0xffff5fe8 ◂— 0x0
──────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────
    ► 0x80489b0 <main+108>    call   print_menu() &lt;0x8048914>
    
    0x80489b5 <main+113>    mov    dword ptr [esp + 4], 0x8048dad
    0x80489bd <main+121>    mov    dword ptr [esp], std::cout@@GLIBCXX_3.4 &lt;0x804b020>
    0x80489c4 <main+128>    call   0x80486c0
    
    0x80489c9 <main+133>    call   get_unum() &lt;0x804888b>
    
    0x80489ce <main+138>    mov    dword ptr [esp + 0x2c], eax
    0x80489d2 <main+142>    mov    eax, dword ptr [esp + 0x2c]
    0x80489d6 <main+146>    cmp    eax, 2
    0x80489d9 <main+149>    je     main+220 &lt;0x8048a20>
    
    0x80489db <main+151>    cmp    eax, 3
    0x80489de <main+154>    je     main+295 &lt;0x8048a6b>
───────────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────────
In file: /home/ex/test/lab9C.cpp
    73     bool done = false;
    74     disable_buffering(stdout);
    75 
    76     while (!done)
    77     {
    ► 78         print_menu();
    79         std::cout &lt;&lt; "Enter choice: ";
    80         choice = get_unum();
    81 
    82         /* handle menu selection */
    83         switch (choice)
───────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────
00:0000│ esp  0xffffca00 —▸ 0xf7e29d80 (_IO_2_1_stdout_) ◂— 0xfbad2087
01:0004│      0xffffca04 ◂— 0x0
02:0008│      0xffffca08 ◂— 0x2
03:000c│      0xffffca0c ◂— 0x0
04:0010│      0xffffca10 —▸ 0xf7fcf3d0 —▸ 0xf7c51000 ◂— jg     0xf7c51047
05:0014│      0xffffca14 —▸ 0xf7fdf3ec (check_match+364) ◂— add    esp, 0x10
06:0018│      0xffffca18 —▸ 0xffffcee4 —▸ 0xffffd0d1 ◂— '/home/ex/test/glab9C'
07:001c│      0xffffca1c ◂— 0x1
─────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────
    ► f 0  80489b0 main+108
    f 1 f7c69e81 __libc_start_main+241
Breakpoint /home/ex/test/lab9C.cpp:78
pwndbg> p test1
$1 = {
    alloc_len = 4158965218, 
    len = 1, 
    vector_data = {1, 1, -134352247, 2348, -138064364, 479434334, -134417456, -134351043, 1, 1, -138026184, 2348, -138023736, -134417456, -13628, -13632, 6, 0, -134230016, -138023736, -138063846, -138026184, 479434334, -136002334, 14982322, -13500, -13628, -134415172, 1, 1, -134351863, 1525626795, -134417720, -13524, 0, 0, -136087472, -13524, -134351863, 479434334, -134417720, -13492, 0, -134348901, -136094432, -13492, -134227300, 2, -134414288, 1, 0, 1, -134418160, -135743555, 0, -134351892, 0, -134230016, 0, -134351892, -135743933, -135743933, -134352247, 936, -136114844, -1650751214, -134418160, -135842896, -135743933, -135743933, -134352247, 4723, -136099696, 814159578, -134418160, -134351043, 1, 1, -136021040, 4723, -136008688, -134418160, -13356, -13360, 6, 0, -134230016, -136008688, -136096734, -136021040, 814159578, -135842896, 25442486, -13228, -13356, -134415172, -136096734, -136084848, -1410636286, -135907992, 90135344, -13196, 0, 0, -136096734, -136066160, -134351863, 814159578, -134417720, -13220, 0, -134348901, -136021040, -13220, -134227300, 1, -134414944, 1, 0, 1, -134418160, -13188, -134227300, 1, 0, -134230016, 0, 1, -134418160, -13156, -134541272, 0, 6, -134565376, -134872096, -1, -134418160, -136021040, -134418160, 1, -135642135, -134541272, -134553164, -134565376, -13128, -135653635, -134553164, 0, 6, -134553164, -134541272, -134565376, -134541272, -13128, -13100, -134417720, -134414944, 6, 1, 0, -134541272, 6, 0, 6, 16, 170421504, 1, -136021040, -135989659, -134549504, -134543952, -134544060, -12888, -134973034, -134541272, -134565376, -134553164, 0, -13032, -134973098, -134549504, -135199837, -134543952, -134304224, -134538796, -135199940, -134549504, -134544060, -134544928, -135198853, -134544060, -134543952, -134544256, -135198884, -134549504, -134549504, -134543904, -135573499, -134544060, -134544928...}
}
pwndbg> 

pwndbg> disassemble main
Dump of assembler code for function main:
   0x08048944 <+0>:    push   ebp
   0x08048945 <+1>:    mov    ebp,esp
   0x08048947 <+3>:    and    esp,0xfffffff0
   0x0804894a <+6>:    sub    esp,0x440
   0x08048950 <+12>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048953 <+15>:    mov    DWORD PTR [esp+0x1c],eax
   0x08048957 <+19>:    mov    eax,DWORD PTR [ebp+0xc]
   0x0804895a <+22>:    mov    DWORD PTR [esp+0x18],eax
   0x0804895e <+26>:    mov    eax,gs:0x14
   0x08048964 <+32>:    mov    DWORD PTR [esp+0x43c],eax
   0x0804896b <+39>:    xor    eax,eax
   0x0804896d <+41>:    lea    eax,[esp+0x30]
   0x08048971 <+45>:    mov    DWORD PTR [esp],eax
   ...
End of assembler dump.
pwndbg> b *main
Breakpoint 1 at 0x8048944
pwndbg> b *main+32
Breakpoint 2 at 0x8048964

pwndbg> r
Starting program: /home/ex/test/lab9C 

Breakpoint 1, 0x08048944 in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────
 EAX  0xf7e2add8 (environ) —▸ 0xffffceec —▸ 0xffffd0e7 ◂— 'CLUTTER_IM_MODULE=xim'
 EBX  0x0
 ECX  0xefd3c3e
 EDX  0xffffce74 ◂— 0x0
 EDI  0x0
 ESI  0xf7e29000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
 EBP  0x0
 ESP  0xffffce4c —▸ 0xf7c69e81 (__libc_start_main+241) ◂— add    esp, 0x10
 EIP  0x8048944 (main) ◂— push   ebp
──────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────
 ► 0x8048944 <main>       push   ebp
   0x8048945 <main+1>     mov    ebp, esp
   0x8048947 <main+3>     and    esp, 0xfffffff0
   0x804894a <main+6>     sub    esp, 0x440
   0x8048950 <main+12>    mov    eax, dword ptr [ebp + 8]
   0x8048953 <main+15>    mov    dword ptr [esp + 0x1c], eax
   0x8048957 <main+19>    mov    eax, dword ptr [ebp + 0xc]
   0x804895a <main+22>    mov    dword ptr [esp + 0x18], eax
   0x804895e <main+26>    mov    eax, dword ptr gs:[0x14]
   0x8048964 <main+32>    mov    dword ptr [esp + 0x43c], eax
   0x804896b <main+39>    xor    eax, eax
───────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────
00:0000│ esp  0xffffce4c —▸ 0xf7c69e81 (__libc_start_main+241) ◂— add    esp, 0x10
01:0004│      0xffffce50 ◂— 0x1
02:0008│      0xffffce54 —▸ 0xffffcee4 —▸ 0xffffd0d3 ◂— '/home/ex/test/lab9C'
03:000c│      0xffffce58 —▸ 0xffffceec —▸ 0xffffd0e7 ◂— 'CLUTTER_IM_MODULE=xim'
04:0010│      0xffffce5c —▸ 0xffffce74 ◂— 0x0
05:0014│      0xffffce60 ◂— 0x1
06:0018│      0xffffce64 —▸ 0xffffcee4 —▸ 0xffffd0d3 ◂— '/home/ex/test/lab9C'
07:001c│      0xffffce68 —▸ 0xf7e29000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
─────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────
 ► f 0  8048944 main
   f 1 f7c69e81 __libc_start_main+241
Breakpoint *main

pwndbg> c
Continuing.

Breakpoint 2, 0x08048964 in main ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────────
 EAX  0x6fefef00
 EBX  0x0
 ECX  0x2b079799
 EDX  0xffffce74 ◂— 0x0
 EDI  0x0
 ESI  0xf7e29000 (_GLOBAL_OFFSET_TABLE_) ◂— 0x1d7d6c
 EBP  0xffffce48 ◂— 0x0
 ESP  0xffffca00 —▸ 0xf7fdf289 (check_match+9) ◂— add    edi, 0x1dd77
 EIP  0x8048964 (main+32) ◂— mov    dword ptr [esp + 0x43c], eax
──────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────
   0x8048950 <main+12>    mov    eax, dword ptr [ebp + 8]
   0x8048953 <main+15>    mov    dword ptr [esp + 0x1c], eax
   0x8048957 <main+19>    mov    eax, dword ptr [ebp + 0xc]
   0x804895a <main+22>    mov    dword ptr [esp + 0x18], eax
   0x804895e <main+26>    mov    eax, dword ptr gs:[0x14]
 ► 0x8048964 <main+32>    mov    dword ptr [esp + 0x43c], eax
   0x804896b <main+39>    xor    eax, eax
   0x804896d <main+41>    lea    eax, [esp + 0x30]
   0x8048971 <main+45>    mov    dword ptr [esp], eax
   0x8048974 <main+48>    call   DSVector<int>::DSVector() <0x8048b4a>
 
   0x8048979 <main+53>    mov    dword ptr [esp + 0x2c], 0
───────────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────────
00:0000│ esp  0xffffca00 —▸ 0xf7fdf289 (check_match+9) ◂— add    edi, 0x1dd77
01:0004│      0xffffca04 ◂— 0x2c4
02:0008│      0xffffca08 —▸ 0xf7c53474 ◂— retf   0x8a3f
03:000c│      0xffffca0c ◂— 0x9e8a3fca
04:0010│      0xffffca10 —▸ 0xf7fcf3d0 —▸ 0xf7c51000 ◂— jg     0xf7c51047
05:0014│      0xffffca14 —▸ 0xf7fdf3ec (check_match+364) ◂— add    esp, 0x10
06:0018│      0xffffca18 —▸ 0xffffcee4 —▸ 0xffffd0d3 ◂— '/home/ex/test/lab9C'
07:001c│      0xffffca1c ◂— 0x1
─────────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────────
 ► f 0  8048964 main+32
   f 1 f7c69e81 __libc_start_main+241
Breakpoint *main+32
pwndbg>

pwndbg> p &test1.vector_data 
$3 = (int (*)[257]) 0xffffca38
pwndbg> p (0xffffce4c - 0xffffca38) / 4
$4 = 261
pwndbg> p (0xffffce3c - 0xffffca38) / 4
$5 = 257