asvdb
In this challenge, an uninitialized-variable vulnerability leads to a double free and a use-after-free (UAF). Using these, we leak a libc address to defeat ASLR, launch a tcache dup attack, and then place the address of a fake chunk into the tcache via tcache poisoning. As a result, we can force malloc to return a fake chunk located just before __free_hook, so we can overwrite __free_hook with a one-gadget. This is an interesting heap exploitation challenge for learning how to bypass protections such as NX, stack canaries, Full RELRO, and ASLR in x86_64 binaries in the presence of tcache.