OK so I want to begin the end and go for a full green exploit on the latest glibc.
Here we go:
This is "Level 4" (PCP 30) running on nc 207.154.239.148 1773
with source in http://sec.prof.ninja/ctf/cuttingedge.zip
This one is a double-free-only version of our code (just like level 3), but without a free_hook available to overwrite.
Here is our exploit in pseudo-code:
We're going to learn from a write-up and we'll want some extra tools.
https://docs.pwntools.com/en/stable/libcdb.html
Some useful stuff:
libcdb.unstrip_libc("./libc.so.6")   (pwntools: download the matching debug symbols and add them back to the stripped libc, so internal symbols resolve)
dt 'tcbhead_t'   (pwndbg: dump the layout of the thread control block, which holds stack_guard and pointer_guard)
p *(tcbhead_t*)$fs_base   (gdb: print the live TCB of the current thread; on x86-64 fs_base points at it)
glibc.sym.initial   (pwntools: address of the static `initial` struct exit_function_list, the first list that exit() walks)
There is a set of functions that glibc runs at the end of the process, called through function pointers: the exit handlers registered with atexit/__cxa_atexit, stored in struct exit_function_list entries starting with the static `initial` list. We're going to overwrite one of those entries and have the exit path call system("/bin/sh"). On current glibc the function pointers in those entries are not stored raw: they are mangled with the per-process pointer guard kept in the TCB (tcbhead_t.pointer_guard), which is what the $fs_base dump above is for.
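To make the exit_funcs mechanism and its pointer-guard protection concrete, here is an added example (not code from this page or from the course) that lays out a struct exit_function_list the way glibc does on x86-64, mangles and demangles the function pointer with the documented PTR_MANGLE/PTR_DEMANGLE arithmetic (xor with tcbhead_t.pointer_guard, then rotate left 17 bits), and parses the list back as a forensic check. The guard value, the libc text range and the handler address are constructed sample values; the struct layout and flavor constants follow glibc's stdlib/exit.h.

```python
import struct

# glibc x86-64 PTR_MANGLE: xor with the per-process pointer guard
# (tcbhead_t.pointer_guard, fs:0x30), then rotate left by 2*8+1 = 17 bits.
# PTR_DEMANGLE is the exact inverse.
ROT = 17
MASK = (1 << 64) - 1

def rol64(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK

def ror64(v, n):
    return ((v >> n) | (v << (64 - n))) & MASK

def ptr_mangle(ptr, guard):
    return rol64((ptr ^ guard) & MASK, ROT)

def ptr_demangle(val, guard):
    return (ror64(val & MASK, ROT) ^ guard) & MASK

# flavor values from glibc stdlib/exit.h
EF_FREE, EF_US, EF_ON, EF_AT, EF_CXA = range(5)
ENTRY_SIZE = 32      # long flavor + three pointer-sized union slots (fn, arg, dso_handle)
LIST_ENTRIES = 32    # fns[32] per struct exit_function_list
HEADER_SIZE = 16     # next pointer + idx

def build_exit_function_list(entries, guard, next_ptr=0):
    """Constructed blob laid out like struct exit_function_list (x86-64, little-endian).
    entries: list of (flavor, fn, arg, dso); fn is stored mangled, as glibc stores it."""
    blob = struct.pack("<QQ", next_ptr, len(entries))
    for flavor, fn, arg, dso in entries:
        blob += struct.pack("<QQQQ", flavor, ptr_mangle(fn, guard), arg, dso)
    blob += b"\0" * (ENTRY_SIZE * (LIST_ENTRIES - len(entries)))
    return blob

def parse_exit_function_list(blob, guard):
    """Walk the idx live entries and demangle each function pointer with the given guard."""
    next_ptr, idx = struct.unpack_from("<QQ", blob, 0)
    out = []
    for i in range(min(idx, LIST_ENTRIES)):
        flavor, m_fn, arg, dso = struct.unpack_from("<QQQQ", blob, HEADER_SIZE + i * ENTRY_SIZE)
        if flavor in (EF_FREE, EF_US):
            continue  # empty or in-use-by-another-thread slot, no callable pointer
        out.append({"flavor": flavor, "fn": ptr_demangle(m_fn, guard), "arg": arg, "dso": dso})
    return out

def find_tampered(entries, code_ranges):
    """Defender-side check: an entry whose demangled fn lies outside the known executable
    mappings did not come from a normal atexit/__cxa_atexit registration (or was read
    with the wrong guard), and exit() would jump to garbage."""
    return [e for e in entries
            if not any(lo <= e["fn"] < hi for lo, hi in code_ranges)]

if __name__ == "__main__":
    # constructed sample values: a fake pointer guard, a fake libc text mapping, a handler inside it
    GUARD = 0x1122334455667788
    LIBC_TEXT = (0x7ffff7d80000, 0x7ffff7f20000)
    handler = 0x7ffff7e12345
    blob = build_exit_function_list([(EF_CXA, handler, 0, 0)], GUARD)
    print(parse_exit_function_list(blob, GUARD))
    # the same blob read with a wrong guard demangles to an address outside libc
    wrong_guard = GUARD ^ 0xff00ff00ff00ff00
    print(find_tampered(parse_exit_function_list(blob, wrong_guard), [LIBC_TEXT]))
```

The point of the round trip is that an entry only survives exit() if whoever wrote it knew the guard at fs:0x30; that is why the tcbhead_t dump belongs in the toolkit above, and it is also the value a crash-dump analyst needs before the stored pointers in `initial` mean anything.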