pwnProhard

iz_heap_lv1 — BSS-pointer overlap + tcache poisoning

spbctf

Task: ISITDTU 2019 heap challenge (glibc 2.27) where arr[20] aliases a global name buffer, giving a pointer-table write primitive via Show-Name(Y); broken bounds let you free/edit index 20. Solution: forge fake chunks in BSS, fill tcache[0x90], free the fake 0x90 chunk into unsorted bin to leak libc via %s past a non-NUL newline byte, then re-forge a 0x30 chunk, double-free it into tcache[0x30], poison its fd to __free_hook, write system there, and free a chunk containing '/bin/sh' to spawn a shell.

$ ls tags/ techniques/

heap no_pie tcache_poisoning unsorted_bin_leak double_free amd64 glibc_227 free_hook

unsorted_bin_libc_leakbss_chunk_forgetcache_double_freefree_hook_overwritefake_chunk_header

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn9_mc5 — Mic Check: leak and pwn 2!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf
[pwn][Pro]pwn9_mc4 — Mic Check: leak and pwn!— spbctf
[pwn][free]priority-queue— b01lersc
[pwn][Pro]Taste— grodno_new_year_2026