one punch man writeup

VoidMercy committed Oct 14, 2019
1 parent 799cff4 commit ad1fe3c425fe36ebaf1416c6a0b561b6b0d3b1b0
Showing with 1 addition and 1 deletion.
  1. +1 −1 hitcon-ctf-2019/one-punch-man/README.md
@@ -1,3 +1,3 @@
# One Punch Man

This was a heap challenge with UAF, calloc, and only smallbin sizes on libc 2.29.
This was a heap challenge with UAF free, calloc, view, seccomp and only smallbin sizes on libc 2.29. We solve this by using a trick similar to unsorted bin attack, by having 6 tcache filled and 2 smallbins. Now that we can write a smallbin ptr anywhere, we can do a double tcache fetch, since the binary only uses malloc() when tcache bin count is ?= 7, which can be bypassed using smallbin ptr write. With the double fetch, we write top chunk to tcache struct on the heap. Then, we can just overwrite the tcache freelist head, and get unlimited arbitrary tcache allocations (aka arbitrary write). However, we could not get arbitrary read easily, so we opted to stack pivot by overwriting freehook to a very nice gadget in longjmp. This gadget mangled our values with qword ptr fs:0x30, but we could overwrite qword ptr fs:0x30 since it is in libc, and get a stack pivot into our heap chunk when we call free(chunk). With a stack pivot, we can orw the flag.
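Review bot: the added line leaves the key condition ambiguous: "the binary only uses malloc() when tcache bin count is ?= 7" reads like a placeholder for a comparison operator, and the reader cannot tell whether the fallback to malloc() happens when the count equals 7 or exceeds it, which is exactly what the smallbin pointer write is said to bypass. Please replace "?=" with the actual operator (and, if possible, the tcache count check the binary performs), since the double tcache fetch step depends on it. Minor: "orw the flag" should be spelled out on first use as open/read/write, since the seccomp filter is only mentioned once and the abbreviation is what explains why that syscall sequence is needed.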
