Beginner's Heap - SECCON Beginner's CTF 2020
Plan
Overwrite the fd pointer of the chunk below by heap overflow, and then call the win function by tcache poisoning.

Preparation
After the mallocs, the freed area of B is linked into the tcache.

-=-=-=-=-= TCACHE -=-=-=-=-=
[    tcache (for 0x20)    ]
        ||
        \/
[ 0x000055dfd3002350(rw-) ]
        ||
        \/
[      END OF TCACHE      ]
-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Vulnerability
The vulnerability is a heap overflow: you can write 0x80 bytes into a chunk allocated for 0x18 bytes.

Overwrite B's fd pointer
At this point no freed chunk is linked after this one, because the freed chunk's fd is NULL....
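The following is an added example, not code from the original write-up or the challenge: a toy model of one 0x20 tcache bin, showing why a write limit of 0x80 on a 0x18-byte chunk lets the next chunk's fd decide what a later malloc returns, and why enforcing 0x18 leaves the bin empty. Assumptions: the names `A`, `tc_free`, `tc_malloc`, `write_a` and `second_alloc` are hypothetical, offsets into `heap[]` stand in for addresses, B's size field is modelled as 0x21, and `TARGET` is a constructed placeholder value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model, not glibc: offsets into heap[] stand in for addresses. */
#define A_USER   0x10             /* start of A's user data               */
#define B_USER   (A_USER + 0x20)  /* 0x18 bytes of A + 8-byte size of B   */
#define TARGET   0x1122334455667788ULL /* constructed placeholder value   */

static uint8_t  heap[0x100];
static uint64_t tcache_head;      /* the single 0x20 bin; 0 = empty       */

static void tc_free(uint64_t user) {       /* push: chunk->fd = old head  */
    memcpy(&heap[user], &tcache_head, 8);
    tcache_head = user;
}

static uint64_t tc_malloc(void) {          /* pop: head = chunk->fd       */
    uint64_t user = tcache_head;
    if (user == 0) return 0;
    if (user + 8 <= sizeof heap) memcpy(&tcache_head, &heap[user], 8);
    else tcache_head = 0;                  /* fd points outside the model */
    return user;
}

static void write_a(const uint8_t *src, size_t n, size_t limit) {
    memcpy(&heap[A_USER], src, n < limit ? n : limit); /* limit = enforced length */
}

/* Returns what the second malloc hands out after the write into A. */
uint64_t second_alloc(size_t limit) {
    uint8_t payload[0x28];
    uint64_t size_b = 0x21, target = TARGET;
    memset(heap, 0, sizeof heap);
    tcache_head = 0;
    memcpy(&heap[B_USER - 8], &size_b, 8); /* B's size field              */
    tc_free(B_USER);                       /* B in tcache, fd == NULL     */
    memset(payload, 'A', 0x18);            /* fills A exactly             */
    memcpy(payload + 0x18, &size_b, 8);    /* keeps B's size intact       */
    memcpy(payload + 0x20, &target, 8);    /* lands on B's fd             */
    write_a(payload, sizeof payload, limit);
    tc_malloc();                           /* returns B, head = B's fd    */
    return tc_malloc();                    /* returns whatever fd held    */
}

int main(void) {
    printf("limit 0x80: %#llx, limit 0x18: %#llx\n",
           (unsigned long long)second_alloc(0x80), (unsigned long long)second_alloc(0x18));
    return 0;
}
```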