A not so long time ago, in a galaxy not so far away..
How to build
gcc -m32 -o poli_wars poli_wars.c ; strip poli_wars
How to run
socat tcp-l:some_port,reuseaddr,fork exec:"./poli_wars"
How to solve
*** SPOILER ALERT ***
In a nutshell:
- House of Mind heap exploitation technique (Reference - FastBin Method) is used to set global variable which controls falcon deployment to a value != 0. Bwings are used for padding heap to correct position. Xwing to overwrite top chunk size.
- The particular ship_name of the z95 fighter (z95;) allow us to preapare a structure with z95;/bin/sh\x00 as first 3 params to bee freed later.
- Falcon allow us to leak all we need (got and libc addresses).
- Falcon is also vulnerable to heap overflow with no check thus allowing us to use House of Force technique.
- 'Houseforcing' into got allow us to replace free address with system.
- Sending our z95 spacecraft alone to face deathstar results in shell.