pwn7_mc1 (Mic Check — Heap Game)

pwn_spbctf

Task: heap 'game' binary (PIE/NX/canary/Full RELRO) that prints a target pointer each round and lets you pick the malloc size; landing the second malloc(0x10) on the target 10 times wins. Solution: ignore the srand(time) PRNG entirely — the target is leaked directly, so solve by pure glibc chunk-size arithmetic: size = (target - prev_ptr - 0x20) - 8 makes the bump allocator land exactly on target.

pie heap game elf x86-64 system pwn remote full-relro malloc-arithmetic chunk-size-rounding bump-allocator leaked-target

chunk_size_arithmeticbump_allocator_landingglibc_malloc_size_roundingleaked_target_pointer

$ ls tags/ techniques/

pie heap game elf x86-64 system pwn remote full-relro malloc-arithmetic chunk-size-rounding bump-allocator leaked-target

chunk_size_arithmeticbump_allocator_landingglibc_malloc_size_roundingleaked_target_pointer

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn7_heap0— pwn_spbctf
[pwn][Pro]pwn7 heap1— pwn_spbctf
[pwn][Pro]pwn7 heap_indexes— pwn_spbctf
[pwn][Pro]pwn9_mc5 — Mic Check: leak and pwn 2!— spbctf
[pwn][Pro]pwn10_nosoeasy — No-So-Easy: tcache poison → GOT overwrite— spbctf