Category: pwn
Author: s3nn__
The Caro-Kann is all pwns and no hope...
Show Beth why there are better defences against 1.e4
300
There is a double-free vulnerability in the binary; libc 2.31 is used, compiled without tcache support. Players need to exploit the double-free to carry out a fastbin dup and then:
- Carry out an unsortedbin attack to get a heap and libc leak
- Overwrite __malloc_hook to achieve code execution
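As an added example (not part of the challenge, its binary or sol.py), here is a debug-build free() wrapper in C that catches the bug class the spoiler describes: it parks freed pointers in a quarantine and rejects a second free of the same block before it can reach the allocator's fastbins. The names tracked_free, demo_double_free and QUARANTINE_SLOTS are made up for this example; glibc's own fastbin check and AddressSanitizer (-fsanitize=address) detect the same pattern at runtime, and this shows the idea without relying on either.

```c
#include <stdio.h>
#include <stdlib.h>

#define QUARANTINE_SLOTS 64

/* Ring of deferred frees. A pointer stays here, and its memory stays
 * unreleased, until QUARANTINE_SLOTS newer frees have pushed it out,
 * so malloc() cannot hand the same address back while it is tracked
 * (which would otherwise produce false positives). */
static void *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_next;

/* Returns 0 on a first free, -1 on a double free. On -1 the call
 * never reaches free(), so the allocator's freelist is left intact. */
int tracked_free(void *p)
{
    if (p == NULL)
        return 0;                       /* free(NULL) is a no-op in libc */
    for (size_t i = 0; i < QUARANTINE_SLOTS; i++)
        if (quarantine[i] == p)
            return -1;                  /* already freed: report it */
    /* Evict the oldest entry, releasing it for real, then park p. */
    if (quarantine[quarantine_next] != NULL)
        free(quarantine[quarantine_next]);
    quarantine[quarantine_next] = p;
    quarantine_next = (quarantine_next + 1) % QUARANTINE_SLOTS;
    return 0;
}

/* The defect pattern in the challenge binary reduced to its core:
 * one allocation released twice. Returns 1 if the second release
 * was caught, 0 if it slipped through. */
int demo_double_free(void)
{
    char *buf = malloc(0x40);           /* fastbin-sized, as in the challenge */
    if (buf == NULL)
        return 0;
    tracked_free(buf);
    return tracked_free(buf) == -1;
}

int main(void)
{
    printf("double free %s\n", demo_double_free() ? "caught" : "missed");
    return 0;
}
```

The quarantine is what makes the check sound: if the wrapper called free() immediately, the next malloc() could legitimately return the same address and a correct free of that new block would be misreported.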
A solution that performs the above steps is provided in sol.py. Usage:

Run against the local Docker container:
    python3.7 sol.py R LHOST

Run against CyberRanges (the IP set in sol.py might change):
    python3.7 sol.py R

Run against the local binary:
    python3.7 sol.py