Rating:

`RCTF 2018 - stringer` challenge contains `Off-By-One` and `Double Free` vulnerabilities. Lesson learned is that if the chunk being allocated is `MMAPED`, the content will not be zero out when using `calloc`.

So, by using `Off-By-One` attack, we can set `IS_MMAPED` bit of the target chunk in order to leak a libc address, and then launch the `Fastbin Attack` (https://github.com/shellphish/how2heap/blob/master/fastbin_dup_into_stack.c) by using `Double Free` vulnerability in order to overwrite `__malloc_hook`.

This is a good challenge to understand how to exploit `x64_86` binaries with `Full RELRO`, `Canary`, `NX`, `PIE`, and `ASLR` enabled.

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/RCTF/2018/stringer).