pwn7 heap1

pwn_spbctf

Task: amd64 PIE/Partial-RELRO heap pwn; printf leaks heap pointers and PIE base, and an 8-byte strcpy buffer overflows into the destination pointer of a second strcpy. Solution: overflow buf_a to point the second strcpy at puts@GOT, write winner()'s address there, and let the trailing puts() jump to system(\"cat flag.txt\").

pie heap_overflow ret2win strcpy got_overwrite partial_relro write_what_where

arbitrary_writegot_overwritepie_base_leakheap_pointer_overflow

$ ls tags/ techniques/

pie heap_overflow ret2win strcpy got_overwrite partial_relro write_what_where

arbitrary_writegot_overwritepie_base_leakheap_pointer_overflow

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn7_heap0— pwn_spbctf
[pwn][Pro]pwn7 heap_vptr— pwn_spbctf
[pwn][Pro]rbp2— pwn_spbctf
[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf