SSCTF 2016 final pwn writeup

Categories CTF

This is the pwn challenge from the SSCTF final. It is a good example of hijacking the length field of a structure to obtain arbitrary read and write primitives, and it also provides a playground for practicing heap feng shui.

You can find the binary here. The challenge is compiled with FULL RELRO, which makes patching a little tricky.

The challenge implements a custom memory management scheme; reversing this part carefully is what lets us play heap feng shui.

I wrote a little fuzzer, which quickly triggered an uninitialized memory corruption vulnerability. What we need to do is arrange the heap carefully, use query to leak the memory cookie, and use update to forge the length field of a sort record.

The following is the full exploit:

