Category: pwn
Author: s3nn__
This is Beth's chance to get back at Benny by attacking his doubled pwns.
Points: 300
There is a double-free vulnerability in the binary. The target uses glibc 2.27, which ships tcache and does not yet detect a double free into a tcache bin. Players need to exploit the double free to perform a tcache dup, and use that primitive to
- Carry out an unsortedbin attack to get a heap and libc leak
- Overwrite __free_hook to achieve code execution
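To make the tcache dup concrete, the following is an added model of a single glibc 2.27 tcache bin, written for this writeup; it is not code from the challenge binary, from sol.py, or from glibc. The model keeps exactly the three 2.27 behaviours the exploit relies on: free() pushes a chunk onto the bin without checking whether it is already there, malloc() serves from the bin whenever the head entry is non-NULL and trusts the stored next pointer blindly, and the per-bin count is a single byte that is decremented without a check. It walks a double free through to an allocation that lands on a hook-style function pointer, which is the same primitive used against __free_hook in the second step (the unsortedbin leak is not modelled). The names model_malloc, model_free, free_hook and hijacked are invented here and stand in for malloc, free, __free_hook and the attacker's target function.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Model of ONE glibc 2.27 tcache bin (added example, not glibc code).
 * Properties reproduced on purpose:
 *   - free() has no double-free check (the e->key check arrived in glibc 2.29),
 *   - malloc() serves from the bin while the head is non-NULL and follows the
 *     stored next pointer as-is (no safe-linking, which arrived in glibc 2.32),
 *   - the per-bin count is one byte that is decremented without a check.
 */
#define TCACHE_COUNT 7          /* mp_.tcache_count: at most 7 chunks per bin */
#define CHUNK_USER_SIZE 0x20    /* every chunk in this model falls in one bin */
#define NCHUNKS 4

typedef struct tcache_entry { struct tcache_entry *next; } tcache_entry;

static tcache_entry *bin_head;       /* tcache->entries[tc_idx] */
static unsigned char bin_count;      /* tcache->counts[tc_idx] (one byte in 2.27) */
static _Alignas(16) unsigned char heap[NCHUNKS][CHUNK_USER_SIZE];
static unsigned top_idx;             /* next never-handed-out chunk (the "top") */

/* Stand-in for __free_hook: a writable function pointer that free() consults first. */
static void (*free_hook)(void *) = NULL;
static int hook_calls;               /* how often the hijacked hook has run */
static void hijacked(void *p) { (void)p; hook_calls++; }

static void model_reset(void)
{
    bin_head = NULL; bin_count = 0; top_idx = 0;
    free_hook = NULL; hook_calls = 0;
}

/* The _int_free() path for a tcache-sized chunk in 2.27. */
static void model_free(void *p)
{
    if (free_hook) { free_hook(p); return; }   /* this is what makes __free_hook a target */
    if (bin_count < TCACHE_COUNT) {            /* tcache_put(): no "already in the bin?" check */
        tcache_entry *e = p;
        e->next = bin_head;
        bin_head = e;
        bin_count++;
    }
    /* a full bin would fall through to the fastbin/unsorted paths, which this model omits */
}

/* The __libc_malloc() path for a tcache-sized request in 2.27. */
static void *model_malloc(void)
{
    if (bin_head != NULL) {                    /* 2.27 tests the entry, not the count */
        tcache_entry *e = bin_head;
        bin_head = e->next;                    /* attacker-controlled if e was written after free */
        bin_count--;                           /* wraps to 255 when already 0 */
        return e;
    }
    return top_idx < NCHUNKS ? heap[top_idx++] : NULL;
}

/*
 * Tcache dup -> arbitrary allocation -> hook overwrite.
 * Returns 1 when a later free() of any chunk ends up running the hijacked hook.
 */
static int demo_tcache_dup(void)
{
    model_reset();
    void *a = model_malloc();

    model_free(a);
    model_free(a);                     /* double free: the bin reads a -> a, count 2 */

    void *b = model_malloc();          /* pops a, but a is still the bin head */
    if (b != a) return 0;
    *(void **)b = (void *)&free_hook;  /* writing a's "user data" rewrites a->next */

    void *c = model_malloc();          /* pops a again; the head is now &free_hook */
    if (c != a) return 0;
    void *d = model_malloc();          /* malloc hands out the hook's address */
    if (d != (void *)&free_hook) return 0;

    *(void (**)(void *))d = hijacked;  /* "overwrite __free_hook" */
    model_free(c);                     /* any later free() now runs the hook */
    return hook_calls == 1;
}

int main(void)
{
    printf("tcache dup -> hook hijack: %s\n", demo_tcache_dup() ? "worked" : "failed");
    return 0;
}
```

Against the real binary the same three mallocs are issued through the program's allocation menu, and the "user data" written into the second allocation is the __free_hook address obtained from the libc leak; from glibc 2.29 onward the second free aborts on the e->key check, which is why the writeup pins the version to 2.27.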
A solution that performs the above steps is provided in sol.py. Usage:
Run against the local docker container:
    python3.7 sol.py R LHOST
Run against CyberRanges (the target IP is set in sol.py and may need updating):
    python3.7 sol.py R
Run against the local binary:
    python3.7 sol.py