Once for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. It is a classic unsorted bin attack combined with a FSOP on stdin. Find the tasks and the final exploit here and here.
Reverse engineering

All the snippets of pseudo-code are issued by IDA freeware:

```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+18h] [rbp-8h] BYREF
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; i <= 49;...
```
What we can do
In the edit feature, we can overwrite the bytes right after any chunk, up to the first NULL byte.
In the alloc handler, the loop iterates once too many times over the alloc array, so the extra iteration overlaps the first entry of the size array: a chunk address is then interpreted as a huge size, which lets us trigger a large heap overflow.
The libc version is 2.23, which means there are far fewer integrity checks on _IO_FILE_plus than in more recent versions.
Top chunk free’...
Intro

phonebook is a basic heap challenge I did during the dctf event. It's basically just a heap overflow which allows us to overwrite a function pointer with, for example, the address of system.

The bug

```
$ ./phonebook
Choose an option: [1-5]
1. Store someone's information
2. Edit information
3. Call someone
4. Unfriend someone
5. Add the hidden_note
>
```
We can create an entity and then initialize a name, a number and a function pointer.

```c
int __fastcall create(unsi...
```
Faible Ty Réseau is a basic heap-like challenge, it allows us to create a configuration, edit it, call a function pointer on it and finally to free it:
```c
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+4h] [rbp-Ch] BYREF
  unsigned __int64 v5; // [rsp+8h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  while ( 1 )
  {
    puts(aVousN);
    printf(a1ModifierLesPa, argv);
    fflush(stdout);
    v4 =...
```