Tags: pwn
Rating: 5.0
There is a bug in `new_cred` that can cause a double free when the username is empty.
Using this vulnerability, we forge `ctx->cipher` so that it points at our buffer and take control through `ctx->cipher->cleanup`, which libcrypto calls.
We can inject a ROP chain because rsi points into the stack of an AES function and rdx holds a suitable value.
[writeup](https://ptr-yudai.hatenablog.com/#500pts-Credentials-1-solve)