pwn7_heap0

pwn_spbctf

Task: intro heap challenge — two adjacent malloc chunks where the second holds a function pointer that is later called; an unbounded gets() into the first chunk overflows into the second chunk's fnptr. Solution: parse the leaked buf1/buf2/main addresses, compute exact pad = buf2 - buf1 (0x50) and PIE base = main_leak - 0x11bb, overwrite the fnptr with winner (system(\"cat flag.txt\")) and trigger the call.

pie heap gets elf x86-64 ret2win pwn no-canary function-pointer-overwrite heap-overflow remote info-leak pie-leak

ret2winheap_overflow_into_function_pointerpie_base_from_main_leakexact_pad_from_chunk_leaks

$ ls tags/ techniques/

pie heap gets elf x86-64 ret2win pwn no-canary function-pointer-overwrite heap-overflow remote info-leak pie-leak

ret2winheap_overflow_into_function_pointerpie_base_from_main_leakexact_pad_from_chunk_leaks

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn7 heap1— pwn_spbctf
[pwn][Pro]pivot (pevot)— pwn_spbctf
[pwn][Pro]pwn7 heap_vptr— pwn_spbctf
[pwn][Pro]pwn7_mc1 (Mic Check — Heap Game)— pwn_spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf