setup

  • heap exploitation is very dependent on libc version
  • we use glibc 2.31; if you don’t use this version, it’ll be hard/impossible to solve the challenge locally.
  • we suggest using the following docker container, as it contains all the tools you need
cd challenges/
docker run -d --rm -h banana --name banana -v .:/ctf/work --cap-add=SYS_PTRACE skysider/pwndocker
docker exec -it banana /bin/bash

   

helpful commands

  • you’ll be spending a lot of time in gdb this week
  • hopefully you’ve gotten comfortable with it over the term.
  • here are some commands in pwndbg that’ll come in handy
vis_heap_chunks - visualises the chunks in the heap
bins            - shows the different chunks in the various bins
tcachebins      - shows just the tcache bins

   

Demo

  • Your tutor will go over the heap demo
  • This is just a short demonstration of how a use-after-free works
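The bug class the demo walks through, as an added example that is not the course's own demo code: a record is freed while a stale pointer to it is kept, a same-sized allocation gets the chunk back from the tcache (glibc 2.31, assumed LIFO reuse for same-sized chunks), and the stale pointer now reads the new owner's bytes. The fixed version clears the pointer on free, so the stale use is caught instead of silently reading reused memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record: 32 bytes, so it lands in a tcache bin. */
struct user {
    char name[24];
    int  is_admin;
};

/* Returns 1 if the freed chunk was handed back to the next malloc
 * and the dangling pointer observed the new allocation's contents. */
int uaf_demo(void)
{
    struct user *u = malloc(sizeof *u);
    strcpy(u->name, "alice");
    u->is_admin = 0;
    free(u);                                  /* u is now dangling */

    /* Same size: tcache returns the chunk just freed (LIFO). */
    char *buf = malloc(sizeof(struct user));
    memset(buf, 'A', sizeof(struct user));    /* covers where is_admin lived */

    int reused = (buf == (char *)u) && u->is_admin != 0;  /* use after free */
    free(buf);
    return reused;
}

/* Defensive version: the only reference is cleared at free time, so a later
 * use is a visible NULL check failure rather than a read of reused memory.
 * Returns 0 when no stale use happened. */
int safe_demo(void)
{
    struct user *u = malloc(sizeof *u);
    u->is_admin = 0;
    free(u);
    u = NULL;                                 /* kill the dangling pointer */

    char *buf = malloc(sizeof(struct user));
    memset(buf, 'A', sizeof(struct user));
    int stale_use = (u != NULL && u->is_admin != 0);  /* never dereferenced */
    free(buf);
    return stale_use;
}

int main(void)
{
    printf("uaf reused chunk: %d\n", uaf_demo());   /* 1 on glibc 2.31 */
    printf("safe stale use:   %d\n", safe_demo());  /* 0 */
    return 0;
}
```

Run it under pwndbg with a breakpoint after the first free and `tcachebins` to watch the chunk sit in the 0x30 bin before the second malloc takes it back.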

   

Practical

The heap prac challenge for this week requires you to exploit a use-after-free bug

To help you out, here’s a skeleton solution script which contains logic to create/destroy stuff