Tags: fastbin malloc heap fastbindup bufferoverflow calloc smallbin mmaped 


This challenge contains a `heap overflow` vulnerability. The lesson learned is that if the chunk being allocated has the `IS_MMAPPED` flag set, `calloc` will not zero out its contents (glibc assumes a freshly mmapped chunk is already zero-filled, so it skips the `memset`). So, by using the `overflow` vulnerability, we can set the `IS_MMAPPED` bit of the target chunk in order to leak a libc address, and then launch a `fastbin attack` to overwrite `__malloc_hook`. This is a good challenge for understanding how to exploit `x86_64` binaries with `Full RELRO`, `Canary`, `NX`, `PIE`, and `ASLR` protections.

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/0CTFQuals/2017/babyheap).