Heap-Hop
Solves: 31 Medium
Heap exploitation is cool, and the best is when no free is used. Try to pwn the challenge and get the flag remotely.
Note:
You must spawn an instance to solve this challenge. You can connect to it with netcat: nc IP PORT
Author: Express#8049
Remote service at : nc 51.254.39.184 1336
Heap-hop is a heap exploitation challenge I did during the pwnme CTF. It involved classic tricks like tcache poisoning and GOT hijacking. You can find the related files here.
TL...
Introduction
File streams are now a very common attack surface. Here is a high-level introduction that should help you understand the design of known attacks beyond reading the code of one particular function. I already talked about FSOP here. This article reviews glibc 2.36. Most of this article comes from this awesome series of articles about the _IO_FILE structure.
Global design
As said in my previous writeup:
Basically on Linux "everything is a file", from the character device to any stream...
Introduction
babyfile is a file stream exploitation challenge I did during the SECCON CTF 2022 Quals event. I didn't manage to flag it within the 24 hours :(. But anyway I hope this write-up will be interesting to read, given I show another way to gain code execution, one I have not seen before, based on _IO_obstack_jumps! The related files can be found here. If you're not familiar with file stream internals, I advise you to read my previous writeups about file stream exploitation, especially this one and...
Introduction
zigzag is a Zig heap challenge I did during the corCTF 2022 event. It was pretty exotic given we have to pwn a heap-like challenge written in Zig. It is not using the C allocator but instead uses the GeneralPurposeAllocator, which makes the challenge even more interesting. Find the tasks here.
TL;DR
Understanding the Zig GeneralPurposeAllocator internals
Hijack the BucketHeader of a given bucket to get a write-what-where / read-what-where primitive.
Leak stack + ROP on the fi...