Caro-Kann Defence

Category: pwn

Author: s3nn__

Description

The Caro-Kann is all pwns and no hope...

Show Beth why there are better defences against 1.e4

Points

300

Solution


There is a double-free vulnerability in the binary; libc 2.31 is used, compiled without tcache support. Players need to exploit the double-free vulnerability to carry out a fastbin dup and then:

  1. Carry out an unsortedbin attack to get a heap and libc leak
  2. Overwrite __malloc_hook to achieve code execution

A solution that performs the above steps is provided in sol.py. Use the following:

Run against the local docker container:
python3.7 sol.py R LHOST

Run against CyberRanges (the target IP may change; update it in sol.py):
python3.7 sol.py R

Run against the local binary:
python3.7 sol.py