babyheap

In the 0CTF Quals 2018 BabyHeap challenge, an off-by-one vulnerability leads to a double free, which lets us mount a fastbin dup attack. With it we leak a libc address to defeat ASLR and overwrite __malloc_hook with a one-gadget that executes /bin/sh. Along the way we also overwrite the top chunk pointer in the main arena, which forces malloc to return an almost arbitrary memory location on the next allocation (almost, because the forged top chunk still has to pass malloc's size check). It is an interesting heap exploitation challenge for learning how to bypass NX, stack canaries, PIE, Full RELRO and ASLR in x86_64 binaries.
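The checks that decide whether the fastbin dup and the top-pointer overwrite described above succeed, as an added example written for this page (it is neither the author's exploit nor glibc source): a toy allocator whose heap_init, toy_malloc and toy_free are hypothetical helpers that re-implement only glibc's fasttop double-free check, its fastbin size check on malloc, and its top-chunk size check. The 0x7f fake size is the common trick for landing a 0x70-byte fastbin chunk on memory that holds a libc pointer; the write-up does not say how the challenge forged its fake chunks, so that value and the target buffer are assumptions of the example.

```c
/* Toy model of glibc's fastbin and top-chunk paths, added to illustrate the
 * write-up above. Not the challenge exploit and not glibc: heap_init, toy_malloc
 * and toy_free are hypothetical helpers that re-implement only the checks that
 * decide whether fastbin dup and a top-pointer overwrite succeed. Unsorted,
 * small and large bins are omitted; anything not in a fastbin comes from top. */
#include <stdint.h>
#include <string.h>

#define HEAP_SIZE 4096
#define MINSIZE   0x20
#define NFASTBINS 7    /* chunk sizes 0x20..0x80 on x86_64 */
#define SIZE_BITS 7    /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */

typedef struct __attribute__((may_alias)) chunk {
    uint64_t prev_size, size;  /* size carries the flag bits, as in glibc */
    struct chunk *fd;          /* user data starts here once allocated */
} chunk;

static uint8_t heap[HEAP_SIZE] __attribute__((aligned(16)));
static uint8_t target[0x100] __attribute__((aligned(16)));  /* assumed stand-in for memory near __malloc_hook */
static chunk *top;                  /* models main_arena.top */
static chunk *fastbins[NFASTBINS];  /* models main_arena.fastbinsY */
static const char *last_error;      /* where glibc would abort */

static uint64_t chunksize(const chunk *p) { return p->size & ~(uint64_t)SIZE_BITS; }
static int fastbin_index(uint64_t sz) { return (int)(sz >> 4) - 2; }
static uint64_t request2size(size_t req) { uint64_t nb = (req + 8 + 15) & ~15ULL; return nb < MINSIZE ? MINSIZE : nb; }
static void *chunk2mem(chunk *p) { return &p->fd; }
static chunk *mem2chunk(void *m) { return (chunk *)((uint8_t *)m - 16); }

static void heap_init(void) {
    memset(heap, 0, sizeof heap); memset(target, 0, sizeof target);
    memset(fastbins, 0, sizeof fastbins);
    top = (chunk *)heap; top->size = HEAP_SIZE | 1; last_error = NULL;
}

static void *toy_malloc(size_t req) {
    uint64_t nb = request2size(req);
    int idx = fastbin_index(nb);
    last_error = NULL;
    if (idx >= 0 && idx < NFASTBINS && fastbins[idx]) {
        chunk *victim = fastbins[idx];
        /* glibc: the bin head's size must map to the same bin, else "malloc(): memory
         * corruption (fast)". A fake chunk needs a plausible size, e.g. 0x7f for the 0x70 bin. */
        if (fastbin_index(chunksize(victim)) != idx) { last_error = "malloc(): memory corruption (fast)"; return NULL; }
        fastbins[idx] = victim->fd;   /* fd is trusted: a poisoned fd lands here */
        return chunk2mem(victim);
    }
    /* glibc: carve from top only if it holds nb + MINSIZE; a smaller or forged top
     * falls through to sysmalloc, whose assertion would abort. */
    if (chunksize(top) >= nb + MINSIZE) {
        chunk *victim = top;
        top = (chunk *)((uint8_t *)victim + nb);
        top->size = (chunksize(victim) - nb) | 1;
        victim->size = nb | 1;
        return chunk2mem(victim);
    }
    last_error = "top too small";
    return NULL;
}

static int toy_free(void *mem) {
    chunk *p = mem2chunk(mem);
    int idx = fastbin_index(chunksize(p));
    if (idx < 0 || idx >= NFASTBINS) { last_error = "not a fastbin size"; return -1; }
    /* glibc's only fastbin double-free check is against the bin head, so
     * free(a); free(a) aborts but free(a); free(b); free(a) passes. */
    if (fastbins[idx] == p) { last_error = "double free or corruption (fasttop)"; return -1; }
    p->fd = fastbins[idx]; fastbins[idx] = p;
    return 0;
}

/* free(a); free(a): caught by the fasttop check. Returns 1 if it was. */
static int naive_double_free_caught(void) {
    heap_init();
    void *a = toy_malloc(0x68);
    toy_free(a);
    return toy_free(a) == -1 && strstr(last_error, "fasttop") != NULL;
}

/* Fastbin dup: after free(a), free(b), free(a) the bin is a -> b -> a and the next
 * mallocs return a, b, a. Writing a->fd right after the first of them makes target
 * the bin head, and the fourth malloc returns it if fake_size survives the size
 * check (0x7f does for 0x70 chunks, 0x20 does not). */
static void *fastbin_dup_into_target(uint64_t fake_size) {
    heap_init();
    ((chunk *)target)->size = fake_size;
    void *a = toy_malloc(0x68), *b = toy_malloc(0x68);  /* two 0x70 chunks */
    toy_free(a); toy_free(b); toy_free(a);
    void *x = toy_malloc(0x68);                          /* x == a, a still queued */
    *(chunk **)x = (chunk *)target;                      /* poison a->fd */
    toy_malloc(0x68); toy_malloc(0x68);                  /* b, then a; head is now target */
    return toy_malloc(0x68);
}

/* Top-pointer overwrite: with main_arena.top redirected at target, the next non-fastbin
 * allocation is carved from target, provided its size field covers nb + MINSIZE. */
static void *hijack_top(uint64_t fake_size) {
    heap_init();
    ((chunk *)target)->size = fake_size;
    top = (chunk *)target;
    return toy_malloc(0x88);   /* 0x90 chunk: above the fastbin range */
}
```

Each helper returns its result rather than printing it: fastbin_dup_into_target(0x7f) returns target + 16 while fastbin_dup_into_target(0x20) returns NULL with last_error set to the "memory corruption (fast)" message, and hijack_top(0x100) returns target + 16 while hijack_top(0x20) fails, which is the size condition behind "almost arbitrary". The model covers only the fastbin path the write-up relies on; glibc 2.26 and later put tcache in front of the fastbins (and 2.32 mangles fd with safe-linking), so on a current system the same free/malloc sequence first has to drain the tcache, and a poisoned fd has to be mangled with the correct heap address.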