# 6.1.11 pwn 9447CTF2015 Search-Engine

- [题目复现](#题目复现)
- [题目解析](#题目解析)
- [漏洞利用](#漏洞利用)
- [参考资料](#参考资料)


[下载文件](../src/writeup/6.1.11_pwn_9447ctf2015_search_engine)

## 题目复现
```
$ file search 
search: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=4f5b70085d957097e91f940f98c0d4cc6fb3343f, stripped
$ checksec -f search
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Fortified Fortifiable  FILE
Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   Yes     1               3       search
```
64 位程序，开启了 NX 和 Canary。

玩一下，看名字就知道是一个搜索引擎，大概流程是这样的，首先给词库加入一些句子，句子里的单词以空格间隔开，然后可以搜索所有包含某单词的句子，当找到某条句子后，将其打印出来，并询问是否删除。
```
$ ./search
1: Search with a word
2: Index a sentence
3: Quit
2
Enter the sentence size:
10
Enter the sentence:
hello aaaa
Added sentence
1: Search with a word
2: Index a sentence
3: Quit
2
Enter the sentence size:
10
Enter the sentence:
hello bbbb
Added sentence
1: Search with a word
2: Index a sentence
3: Quit
1
Enter the word size:
5
Enter the word:
hello
Found 10: hello bbbb
Delete this sentence (y/n)?
y
Deleted!
Found 10: hello aaaa
Delete this sentence (y/n)?
n
1: Search with a word
2: Index a sentence
3: Quit
3
```
根据经验，这是一道堆利用的题目。


## 题目解析

## 漏洞利用

## 参考资料
- [how2heap](https://github.com/shellphish/how2heap)