pwn9_mc5 — Mic Check: leak and pwn 2!

spbctf

Task: menu-driven heap allocator (glibc 2.31) with UAF (delete doesn't clear slot) and heap overflow in allocate() where user-controlled name_len can exceed the chunk size. Solution: unsorted-bin leak to get libc, then tcache poisoning by overflowing an in-use chunk into a tcache-linked neighbour's fd to return __free_hook, write system, free('/bin/sh').

heap uaf tcache-poisoning __free_hook unsorted-bin-leak glibc-2.31 heap-overflow

unsorted_bin_leakfree_hook_overwritetcache_poisoning_via_heap_overflowsystem_binsh

$ ls tags/ techniques/

heap uaf tcache-poisoning __free_hook unsorted-bin-leak glibc-2.31 heap-overflow

unsorted_bin_leakfree_hook_overwritetcache_poisoning_via_heap_overflowsystem_binsh

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn9_mc4 — Mic Check: leak and pwn!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf
[pwn][Pro]iz_heap_lv1 — BSS-pointer overlap + tcache poisoning— spbctf
[pwn][Pro]pwn8_logger — logger_easy!(not) — UAF/alias + tcache poison— spbctf
[pwn][Pro]cleaker (Mic Check 10)— pwn_spbctf