0CTF-2015 freenote: playing with malloc library


I spent several hours on this challenge: the logic of the program is simple and an information-leakage vulnerability was discovered, but I was not familiar with malloc's heap-management scheme and failed to exploit this vulnerability.

The root of the vulnerability is that no '\0' is appended to the input note, so it is possible to leak a heap pointer by crafting a string immediately before that pointer. But I didn't know how at the time; after reading this and this writeup I finally figured out how to do it. This and this also helped a lot in understanding heap exploitation techniques. This article is a record for reference.
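The following is an added example (not code from the writeup or from the challenge binary) that isolates the missing-terminator bug in a constructed record: a fixed-size note field followed immediately by a pointer-sized field, standing in for a heap pointer stored right after the note data. It assumes a 64-bit little-endian target, and the record type, the `CONSTRUCTED_LINK` value and all function names are constructed for the demonstration. `store_note_vuln` copies the input without ever writing `'\0'`, so a `"%s"` print of an 8-byte note runs on into the adjacent pointer; `store_note_fixed` reserves the last byte for the terminator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a short note followed immediately by a pointer-sized
 * field, standing in for a heap pointer stored right after the note data. */
typedef struct {
    char text[8];
    uintptr_t link;
} note_rec;

#define CONSTRUCTED_LINK 0x00005555deadbeefULL  /* stand-in pointer value, not a real address */

/* Vulnerable store: copies exactly len bytes and never writes a terminator,
 * so an 8-byte note leaves text[] without any '\0'. */
void store_note_vuln(note_rec *r, const char *src, size_t len) {
    if (len > sizeof r->text)
        len = sizeof r->text;
    memcpy(r->text, src, len);
}

/* Hardened store: reserves the last byte for '\0' (the equivalent fix in a
 * heap-allocating program is to allocate len + 1 bytes and terminate). */
void store_note_fixed(note_rec *r, const char *src, size_t len) {
    if (len > sizeof r->text - 1)
        len = sizeof r->text - 1;
    memcpy(r->text, src, len);
    r->text[len] = '\0';
}

/* Number of bytes a "%s" print of r->text would emit. The scan is bounded to
 * the record itself so the demo never reads outside defined memory; a real
 * printf would simply run until the first zero byte. */
size_t printed_length(const note_rec *r) {
    const unsigned char *start = (const unsigned char *)r->text;
    size_t limit = sizeof *r - offsetof(note_rec, text);
    const unsigned char *nul = memchr(start, 0, limit);
    return nul ? (size_t)(nul - start) : limit;
}

/* How many bytes of the link field a print of the note would expose.
 * With a little-endian 64-bit pointer whose top two bytes are zero, the
 * vulnerable store exposes the six low bytes; the fixed store exposes none. */
size_t leaked_link_bytes(bool fixed) {
    note_rec r;
    memset(&r, 0, sizeof r);
    r.link = CONSTRUCTED_LINK;
    const char *input = "AAAAAAAA";                /* exactly fills text[] */
    if (fixed)
        store_note_fixed(&r, input, 8);
    else
        store_note_vuln(&r, input, 8);
    size_t n = printed_length(&r);
    return n > sizeof r.text ? n - sizeof r.text : 0;
}

int main(void) {
    printf("vulnerable store leaks %zu bytes of the adjacent pointer\n",
           leaked_link_bytes(false));
    printf("fixed store leaks %zu bytes\n", leaked_link_bytes(true));
    return 0;
}
```

Where the buffer length cannot be changed, printing with an explicit width (`printf("%.*s", (int)len, note)`) is the other common fix; either way the reader must stop at the end of the note rather than at the first zero byte it happens to find.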

First we have to understand the Linux heap structure.


We can understand how free() works by reading the libc6 source code (apt-get source libc6).

The following assignments in function unlink() are interesting:

Notice that we have full control of P, so we can make P->bk->fd = P (and likewise P->fd->bk = P) and pass the sanity check. After the unlink, P is overwritten with P->fd, which is &P - 3 (three pointer-sized words before the location that stores P). Thus we can directly modify P to achieve arbitrary memory reading and writing.
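To make the check and the two splice assignments concrete, here is an added example (not the writeup's code and not glibc's actual source) that models the `malloc_chunk` header and the `unlink` logic on plain structs, assuming a 64-bit layout. `slot` and `forged` are constructed stand-ins for the program pointer that stores P and for the chunk it points at. The example shows three things: a genuine list unlinks cleanly, a naively corrupted `bk` is rejected with what glibc reports as "corrupted double-linked list", and the self-referencing arrangement described above passes the classic check and leaves `slot` holding `&slot - 3` words. It also models the extra size-versus-prev_size check that glibc 2.26 and later perform, which a forged chunk sitting outside the heap does not satisfy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of glibc's malloc_chunk header (64-bit layout assumed). */
typedef struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk;

/* The classic unlink sanity check: both list neighbours must point back at P.
 * Returns false where glibc aborts with "corrupted double-linked list". */
bool unlink_check(const chunk *P) {
    return P->fd->bk == P && P->bk->fd == P;
}

/* glibc 2.26 and later additionally require the chunk's size to match the
 * prev_size field of the physically following chunk. */
bool size_check(const chunk *P) {
    size_t sz = P->size & ~(size_t)7;            /* strip the flag bits */
    const chunk *next = (const chunk *)((const char *)P + sz);
    return sz == next->prev_size;
}

/* The two list-splice assignments from unlink(), guarded by the classic check. */
bool do_unlink(chunk *P) {
    if (!unlink_check(P))
        return false;
    P->fd->bk = P->bk;
    P->bk->fd = P->fd;
    return true;
}

/* A genuine three-chunk list: unlinking the middle one succeeds. */
bool legit_unlink_works(void) {
    chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    return do_unlink(&b) && a.fd == &c && c.bk == &a;
}

/* Naive corruption: b.bk redirected to a chunk whose fd is not b.
 * The classic check rejects it before any write happens. */
bool naive_corruption_rejected(void) {
    chunk a = {0}, b = {0}, c = {0}, d = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    b.bk = &d;                 /* d.fd is NULL, not &b */
    return !do_unlink(&b);
}

/* Constructed global slot holding the address of the forged chunk; it plays
 * the role of the program pointer that the writeup's P lives in. */
static chunk *slot;
static chunk forged;

/* The arrangement described in the text: fd and bk are aimed just below &slot
 * so that fd->bk and bk->fd both read back &forged, satisfying the classic
 * check. Returns the word offset between the value left in slot and &slot. */
long forged_unlink_offset(void) {
    slot = &forged;
    forged.fd = (chunk *)((char *)&slot - offsetof(chunk, bk));
    forged.bk = (chunk *)((char *)&slot - offsetof(chunk, fd));
    if (!do_unlink(&forged))
        return 0;
    /* slot now holds forged.fd, i.e. &slot minus three words: the text's "&P - 3". */
    return ((char *)slot - (char *)&slot) / (long)sizeof(void *);
}

/* Two adjacent constructed chunks: the size check passes only when the
 * following chunk's prev_size agrees with P's size. */
bool size_check_demo(bool consistent) {
    static chunk arena[2];
    arena[0].size = sizeof(chunk);           /* 32 bytes, flag bits clear */
    arena[1].prev_size = consistent ? sizeof(chunk) : 0;
    return size_check(&arena[0]);
}

int main(void) {
    printf("legit unlink ok:            %d\n", legit_unlink_works());
    printf("naive corruption rejected:  %d\n", naive_corruption_rejected());
    printf("forged unlink leaves offset %ld words\n", forged_unlink_offset());
    printf("size check consistent=1:    %d\n", size_check_demo(true));
    printf("size check consistent=0:    %d\n", size_check_demo(false));
    return 0;
}
```

The model writes through pointers computed below `&slot`, exactly as glibc's macro would; that is what makes the offset of -3 words fall out of the two assignments rather than being asserted by hand. The size check is the reason this arrangement alone no longer suffices on a current glibc: a chunk forged outside the heap has no neighbour whose `prev_size` matches.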

The following code leaks the heap base address and libc's address:
