one punch man writeup
|@@ -1,3 +1,3 @@|
|# One Punch Man|
|This was a heap challenge with UAF, calloc, and only smallbin sizes on libc 2.29.|
|This was a heap challenge with UAF free, calloc, view, seccomp and only smallbin sizes on libc 2.29. We solve this by using a trick similar to unsorted bin attack, by having 6 tcache filled and 2 smallbins. Now that we can write a smallbin ptr anywhere, we can do a double tcache fetch, since the binary only uses malloc() when tcache bin count is ?= 7, which can be bypassed using smallbin ptr write. With the double fetch, we write top chunk to tcache struct on the heap. Then, we can just overwrite the tcache freelist head, and get unlimited arbitrary tcache allocations (aka arbitrary write). However, we could not get arbitrary read easily, so we opted to stack pivot by overwriting freehook to a very nice gadget in longjmp. This gadget mangled our values with qword ptr fs:0x30, but we could overwrite qword ptr fs:0x30 since it is in libc, and get a stack pivot into our heap chunk when we call free(chunk). With a stack pivot, we can orw the flag.|
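Review bot: in the added line, "only uses malloc() when tcache bin count is ?= 7" has a garbled comparison operator; state the condition explicitly (the same sentence says it is bypassed with 6 tcache entries plus 2 smallbins, so it appears to mean the binary only falls through to malloc() when the tcache count for that size is exactly 7). Two smaller documentation points: name "qword ptr fs:0x30" as the pointer guard that longjmp's PTR_MANGLE/PTR_DEMANGLE uses, so the reader understands why that value has to be overwritten before the gadget works, and expand "orw" as open/read/write on first use.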