In the InCTF 2018 challenge YAWN there is an off-by-one vulnerability that lets us overwrite the desc pointer with an arbitrary address. First we leak read@GOT and a .bss entry, which give us the libc base and the heap base respectively. The corrupted desc pointer then lets us free arbitrary chunks in the heap, which is enough to launch a fastbin dup attack. With it we force malloc to return a fake chunk located just before __malloc_hook (its size field is formed from the 0x7f high byte of a neighbouring libc pointer, so it passes the fastbin size check), and through that chunk we overwrite __malloc_hook with a one gadget, so the next call to malloc jumps to it. This is an interesting heap exploitation challenge for learning how to bypass NX, stack canaries, Full RELRO (the GOT is read-only, which is why the target is __malloc_hook rather than a GOT entry) and ASLR in x86_64 binaries.
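To make the fastbin dup step concrete, here is an added teaching model of the glibc 2.23 fastbin path (no tcache) that the writeup's attack relies on. It is not glibc and not the challenge's exploit: the heap and the bytes around __malloc_hook are plain byte arrays laid out the way glibc 2.23 lays them out, the chunk addresses, the placeholder ONE_GADGET value and the function names (model_free, model_malloc, fastbin_dup_attack) are all assumptions made for this example, and only the two checks that matter (the "fasttop" double-free check in free and the size-class check in malloc) are modelled. It shows why the double free needs another free in between, why the fake chunk at __malloc_hook - 0x23 has size 0x7f, and why the returned pointer plus 0x13 lands on __malloc_hook.

```c
/* Added model of glibc 2.23 fastbin logic (not glibc, not the challenge exploit).
 * All chunk fields are read and written with memcpy so that the deliberately
 * misaligned fake chunk is legal C on any platform. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIZE_BITS   0x7ULL
#define NFASTBINS   10
#define REQUEST     0x60                     /* malloc(0x60) -> 0x70 chunk, fastbin index 5 */
#define ONE_GADGET  0x00007ffff7a5f5c1ULL    /* placeholder, stands in for a real one-gadget address */
#define MALLOC_HOOK_OFF 0x40                 /* offset of "__malloc_hook" inside libc[] (assumed layout) */

static uint8_t heap[0x200];          /* simulated heap: two 0x70 chunks */
static uint8_t libc[0x80];           /* simulated bytes around __malloc_hook */
static uint8_t *fastbins[NFASTBINS]; /* main_arena.fastbinsY */

static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void     wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* chunk layout: [prev_size][size][fd / user data ...]; user pointer = chunk + 0x10 */
static uint64_t chunksize(const uint8_t *c) { return rd64(c + 8) & ~SIZE_BITS; }
static int      fastbin_index(uint64_t sz)  { return (int)((sz >> 4) - 2); }
static uint64_t request2size(size_t req)    { uint64_t s = (req + 8 + 0xf) & ~0xfULL; return s < 0x20 ? 0x20 : s; }

/* free(): fastbin path only. Returns -1 where glibc would abort. */
static int model_free(uint8_t *user) {
    uint8_t *c = user - 0x10;
    int idx = fastbin_index(chunksize(c));
    if (idx < 0 || idx >= NFASTBINS) return -1;
    if (fastbins[idx] == c) return -1;                   /* "double free or corruption (fasttop)" */
    wr64(c + 0x10, (uint64_t)(uintptr_t)fastbins[idx]); /* c->fd = old bin top */
    fastbins[idx] = c;
    return 0;
}

/* malloc(): fastbin path only. Returns NULL where glibc would abort or fall through. */
static uint8_t *model_malloc(size_t req) {
    int idx = fastbin_index(request2size(req));
    uint8_t *victim = fastbins[idx];
    if (!victim) return NULL;
    if (fastbin_index(chunksize(victim)) != idx) return NULL; /* "malloc(): memory corruption (fast)" */
    fastbins[idx] = (uint8_t *)(uintptr_t)rd64(victim + 0x10); /* pop: bin top = victim->fd */
    return victim + 0x10;
}

/* Two 0x70 chunks on the heap, and the bytes glibc 2.23 keeps just before
 * __malloc_hook: a 0x00007f... pointer at -0x20, a zero qword at -0x18, then the
 * memalign and realloc hooks. Reading 8 bytes from -0x1b yields exactly 0x7f. */
static void setup(void) {
    memset(heap, 0, sizeof heap); memset(libc, 0, sizeof libc); memset(fastbins, 0, sizeof fastbins);
    wr64(heap + 0x00 + 8, 0x71);                                 /* chunk A: size 0x70 | PREV_INUSE */
    wr64(heap + 0x70 + 8, 0x71);                                 /* chunk B */
    wr64(libc + MALLOC_HOOK_OFF - 0x20, 0x00007ffff7dd0260ULL);  /* a libc pointer (constructed value) */
    wr64(libc + MALLOC_HOOK_OFF - 0x18, 0);
    wr64(libc + MALLOC_HOOK_OFF - 0x10, 0x00007ffff7a92e20ULL);  /* __memalign_hook (constructed) */
    wr64(libc + MALLOC_HOOK_OFF - 0x08, 0x00007ffff7a92a00ULL);  /* __realloc_hook  (constructed) */
    wr64(libc + MALLOC_HOOK_OFF, 0);                             /* __malloc_hook, initially NULL */
}

/* A plain double free with nothing freed in between trips the fasttop check. */
static int naive_double_free(void) {
    setup();
    uint8_t *a = heap + 0x10;
    model_free(a);
    return model_free(a);   /* -1: glibc would abort here */
}

/* Returns the value left in __malloc_hook after the attack (ONE_GADGET on success, 0 on failure). */
static uint64_t fastbin_dup_attack(void) {
    setup();
    uint8_t *a = heap + 0x10, *b = heap + 0x80;
    if (model_free(a)) return 0;                 /* bin: A */
    if (model_free(b)) return 0;                 /* bin: B -> A */
    if (model_free(a)) return 0;                 /* bin: A -> B -> A  (top is B, so no fasttop abort) */
    uint8_t *p = model_malloc(REQUEST);          /* A comes back, but A is still linked behind B */
    if (p != a) return 0;
    uint8_t *fake = libc + MALLOC_HOOK_OFF - 0x23;
    wr64(p, (uint64_t)(uintptr_t)fake);          /* writing A's user data rewrites A->fd */
    if (model_malloc(REQUEST) != b) return 0;    /* B */
    if (model_malloc(REQUEST) != a) return 0;    /* A again; bin top is now the fake chunk */
    uint8_t *q = model_malloc(REQUEST);          /* size 0x7f -> 0x78 -> index 5: check passes */
    if (q != fake + 0x10) return 0;
    wr64(q + 0x13, ONE_GADGET);                  /* q + 0x13 == &__malloc_hook */
    return rd64(libc + MALLOC_HOOK_OFF);
}

int main(void) {
    printf("naive double free: %d (negative = abort)\n", naive_double_free());
    printf("__malloc_hook after fastbin dup: 0x%llx\n", (unsigned long long)fastbin_dup_attack());
    return 0;
}
```

The size check is the whole reason for the odd -0x23 offset: malloc only verifies that the candidate chunk's size maps to the same fastbin index, so any 8 bytes that read as 0x70..0x7f (after masking the low three bits) will do, and the high byte of a nearby libc pointer is the closest such value to __malloc_hook. On newer glibc the tcache and its key-based double-free detection change the steps, so this model applies to the 2.23-era allocator the writeup targets.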