pwnProhard

pwn8_logger — logger_easy!(not) — UAF/alias + tcache poison

spbctf

Task: menu-driven C++ logger over glibc 2.31 with UAF (DelLogger doesn't NULL slot) and no bounds-checking re-use. Solution: 5-phase heap chain — (1) UAF aliasing to turn a tcache linked-list pointer into a printf format leaking heap, (2) unsorted-bin libc leak via guard-chunk trick, (3) create enabled trigger slot pointing at \"/bin/sh\" in libc, (4) tcache poison __free_hook via alias-chaining P_a→P0, (5) DelLogger(7) → system(\"/bin/sh\").

$ ls tags/ techniques/

heap uaf double-free tcache-poisoning __free_hook unsorted-bin-leak glibc-2.31 alias-primitive __printf_chk

tcache_poisoningunsorted_bin_libc_leakfree_hook_overwriteuaf_alias_primitivetcache_linked_list_as_printf_formatbinsh_in_libc

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn9_mc5 — Mic Check: leak and pwn 2!— spbctf
[pwn][Pro]pwn9_mc4 — Mic Check: leak and pwn!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf
[pwn][free]priority-queue— b01lersc
[pwn][Pro]iz_heap_lv1 — BSS-pointer overlap + tcache poisoning— spbctf