- Published on
Utilizing double free to create a fake chunk in the BSS section of the ELF and freeing the chunk into the unsorted bin by using Unsorted Bin Attack to leak libc and overwrite __free_hook.
Heap
All Posts
- pwn (22)
- web (13)
- aupctf (11)
- aofctf (9)
- nedctf (7)
- amateurctf23 (6)
- printf (5)
- rev (5)
- htb (4)
- cyber-apocalypse24 (4)
- buffer-overflow (4)
- fsb (3)
heap (3)
- elf (3)
- brute-force (3)
- stegnography (3)
- pcc-23 (3)
- dev-notes (2)
- windows (2)
- oob-write (2)
- shellcode (2)
- canary (2)
- flask (2)
- misc (2)
- ret2libc (2)
- forensics (2)
- magic-bytes-fixing (2)
- sqli (2)
- login-bypass (2)
- ctf (2)
- ret2win (2)
- jwt (2)
- pucon (2)
- ctf-techs (1)
- format-string (1)
- guides (1)
- docker (1)
- deployment (1)
- windows-api (1)
- c (1)
- screenshot (1)
- bmp (1)
- ignite (1)
- cyber-hackathon-24 (1)
- one_gadget (1)
- pwnabletw (1)
- tcache (1)
- tcache-dup (1)
- double-free (1)
- unsorted-bin-attack (1)
- fake-chunk (1)
- free-hook-overwrite (1)
- ctypes (1)
- srand (1)
- lfi (1)
- latex (1)
- pdftex (1)
- integer-overflow (1)
- pyjail (1)
- eval-in-eval (1)
- bash-jail (1)
- pointer-overwrite (1)
- dereference-leak (1)
- arm (1)
- seccomp (1)
- sandbox (1)
- tls (1)
- threading (1)
- master-canary (1)
- bof (1)
- srop (1)
- off-by-one (1)
- john-the-ripper (1)
- hashcat (1)
- deep-sound (1)
- audio-forensics (1)
- csrf (1)
- directory-searching (1)
- django (1)
- http-headers (1)
- source-code-analysis (1)
- archiveorg (1)
- wayback-machine (1)
- blackhatmea23 (1)
- interger-overflow (1)
- deadsec24 (1)
- fsb-to-rop (1)
- word-macros (1)
- unsorted-bin (1)
- self-decryption (1)
- polymorphic (1)
- angr (1)
- variable-overwrite (1)
- auth-bypass (1)
- ssrf (1)
- file-inclusion (1)
- weak-signing-key (1)
- bit-shifting (1)
- kernel (1)
- python (1)
- pyarmor (1)
- uaf (1)
- userspace (1)
- pie-bypass (1)
- Published on
Utilizing unsorted bin to get a libc arena leak and calling system with user-controlled heap-chunk's data.- Published on
Utilizing Heap Use-After-Free to load the flag into user-controlled chunk and read it.