Segment Trees (crypto edition) (125pts) by programmer_user
This guy in the USACO server gave me this implementation of a segment tree, and I made this program to test it out. I don't know if he's ever written a program without bits/stdc++.h, but it can't be that bad.
Docker base image: ubuntu@sha256:c9cf959fd83770dfdefd8fb42cfef0761432af36a764c077aed54bbc5bb25368
We have an arbitrary OOB read/write in set/range_min. Use this to leak the vtable address, which gives us a PIE leak, and the address of the vector member in MinSegmentTree, which gives us a heap leak. Then we can read from the GOT, which gives us a libc leak. Finally, forge a vtable and use a one-gadget to get RCE.
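For reference, here is what the bounds check that would have closed the bug looks like. This is an added example, not the challenge's code: it assumes the usual iterative array-backed layout (2*n slots, leaf i at n+i) with set() and range_min() as the only operations, and the out-of-range test values are constructed.

```cpp
#include <algorithm>
#include <cstddef>
#include <limits>
#include <stdexcept>
#include <vector>
// Iterative min segment tree with 2*n slots: leaf i lives at n+i, node p's
// children are 2p and 2p+1. Unlike the challenge's tree, every index is checked
// before it touches the backing vector, so a bad index throws instead of reading
// or writing heap memory outside the allocation.
class MinSegmentTree {
    std::size_t n_;
    std::vector<long> tree_;
public:
    explicit MinSegmentTree(std::size_t n)
        : n_(n), tree_(2 * n, std::numeric_limits<long>::max()) {}
    // Point update: walk from the leaf up to the root, recomputing minima.
    void set(std::size_t i, long v) {
        if (i >= n_) throw std::out_of_range("set: index out of range");
        std::size_t p = i + n_;
        tree_[p] = v;
        for (p >>= 1; p >= 1; p >>= 1)
            tree_[p] = std::min(tree_[2 * p], tree_[2 * p + 1]);
    }
    // Minimum over the half-open range [l, r); both ends validated first.
    long range_min(std::size_t l, std::size_t r) const {
        if (l > r || r > n_) throw std::out_of_range("range_min: bad range");
        long res = std::numeric_limits<long>::max();
        for (l += n_, r += n_; l < r; l >>= 1, r >>= 1) {
            if (l & 1) res = std::min(res, tree_[l++]);
            if (r & 1) res = std::min(res, tree_[--r]);
        }
        return res;
    }
};

// Constructed sample: 8 leaves, then one in-range query (min of {7, 2, 8, 5}).
long demo_min() {
    MinSegmentTree t(8);
    const long vals[8] = {9, 4, 7, 2, 8, 5, 6, 3};
    for (std::size_t i = 0; i < 8; ++i) t.set(i, vals[i]);
    return t.range_min(2, 6);
}

// Indices past the end are refused instead of dereferenced.
bool rejects_out_of_range() {
    MinSegmentTree t(8);
    try { t.set(8, 1); return false; } catch (const std::out_of_range&) {}
    try { t.range_min(0, 9); return false; } catch (const std::out_of_range&) {}
    return true;
}
```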
All protections are enabled except for the canary. There's a stack overflow that you can exploit. Since PIE is on, we can only do 1 partial overwrite. Notice that we can return into the middle of the main challenge function (and luckily there's a null byte at rsp once you do a ret). Write 2 bytes and pray that the last nibble is correct.
from pwn import *
r = process('./fish')
# 1/16 chance