I’m awfully hungry, with all these options to choose from, what should I order?
nc breakfast.sdc.tf 1337
By green beans
In short, the binary has a Use-After-Free (UAF) vulnerability: it lets us edit a heap chunk after that chunk has been freed.
Moreover, the dangling pointers are global variables, so we can use the singly linked free list in the heap to write to an address of our choosing.
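To make the bug class concrete, here is an added example (not the challenge binary's code) modelling the shape described above: a global pointer to the current order that keeps its value after free, beside a hardened version that nulls the pointer on free and refuses edits when no live order exists. Names such as g_order, free_order_vuln and edit_order_safe are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the challenge state: one global pointer to the
 * current order. A global that survives free() is exactly what leaves
 * a dangling pointer behind. Hypothetical names, not the binary's own. */
struct order { char item[32]; };

struct order *g_order = NULL;

/* Vulnerable pattern: free() releases the chunk but g_order still holds
 * its address, so a later edit writes into freed allocator memory (UAF). */
void free_order_vuln(void) {
    free(g_order);            /* g_order is now dangling */
}

/* Hardened pattern: null the global on free so no later edit can reach
 * the released chunk. */
void free_order_safe(void) {
    free(g_order);
    g_order = NULL;
}

/* Returns 0 on success, -1 when there is no live order to edit. */
int edit_order_safe(const char *text) {
    if (g_order == NULL)
        return -1;
    strncpy(g_order->item, text, sizeof g_order->item - 1);
    g_order->item[sizeof g_order->item - 1] = '\0';
    return 0;
}

/* Allocates a fresh order and fills it; returns 0 on success. */
int new_order(const char *text) {
    g_order = calloc(1, sizeof *g_order);
    if (g_order == NULL)
        return -1;
    return edit_order_safe(text);
}

/* Exercises the hardened path: returns 1 when the edit-after-free is
 * rejected and the global no longer points at freed memory. */
int demo(void) {
    if (new_order("pancakes") != 0)
        return 0;
    free_order_safe();
    return edit_order_safe("waffles") == -1 && g_order == NULL;
}
```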
The basic idea of this challenge is to first replace free's GOT entry with puts to leak a libc address, then replace it with system so that calling it on "/bin/sh" gives us a shell.
- malloc, malloc, free, free to create a singly linked list in the heap
- edit obj.orders and write the address of obj.orders into it
- malloc, malloc: now obj.orders points to a heap chunk, and obj.order points to obj.orders
- edit order and write /bin/sh\x00 into the heap
- edit order to got.free => obj.orders will change to got.free
- edit obj.orders to got.puts; this replaces the function
- edit obj.orders to got.printf
- free(obj.orders); this calls puts(got.printf) and leaks a libc address
- edit obj.orders to got.free, then edit obj.orders again to replace the entry with system
- free(obj.orders); this calls system("/bin/sh") and gives us a shell.
```python
from pwn import *
```