Tags: custom-heap heap-canary
### I did not solve this challenge during the CTF; I solved it later.
### The challenge implements a custom heap page, which also has protections such as a heap canary.
### We can overwrite the size of a block created with option 1 (Create block menu) using option 2 (Write to a block menu), which gives us read and write primitives.
### Exploitation steps:
- First, we leak the canary.
- Use the canary to control the write address, and overwrite it with the GOT entry of `malloc`.
- Leak the libc address of `malloc`.
- Calculate the libc base address.
- Overwrite the `malloc` GOT entry with the one-gadget address.
- Call the `create block` function, which internally calls `malloc`, which then gives us a shell.
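
The root cause noted above is a block size that a write can change. The following added example is not the challenge's code and is not from the original write-up; it shows an unchecked write beside a hardened one. The layout (`[size][canary][data]` per block), the constants and all function names are assumptions made for illustration, and the canary value is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout (assumption): each block is [size:8][canary:8][data:32]. */
#define HDR  16
#define CAP  32
#define SLOT (HDR + CAP)
#define NBLK 2

static uint8_t page[SLOT * NBLK];
static const uint64_t secret = 0x5eedc0de5eedc0deULL; /* constructed canary */

static uint64_t get64(size_t off) { uint64_t v; memcpy(&v, page + off, 8); return v; }
static void put64(size_t off, uint64_t v) { memcpy(page + off, &v, 8); }

void page_init(void) {
    memset(page, 0, sizeof page);
    for (size_t i = 0; i < NBLK; i++) {
        put64(i * SLOT, CAP);          /* size field */
        put64(i * SLOT + 8, secret);   /* canary field */
    }
}

uint64_t block_size(size_t i) { return get64(i * SLOT); }
int canary_ok(size_t i) { return get64(i * SLOT + 8) == secret; }

/* Unsafe: trusts the caller's length, so data written to block i can run
 * into the size field of block i+1 (kept inside the demo page only). */
int write_unchecked(size_t i, const uint8_t *src, size_t len) {
    if (i >= NBLK || len > sizeof page - (i * SLOT + HDR)) return -1;
    memcpy(page + i * SLOT + HDR, src, len);
    return 0;
}

/* Hardened: check the canary, then bound the copy by a capacity that the
 * in-band size field cannot raise. */
int write_checked(size_t i, const uint8_t *src, size_t len) {
    if (i >= NBLK) return -1;
    if (!canary_ok(i)) return -2;                /* header canary damaged */
    uint64_t size = block_size(i);
    if (size > CAP || len > size) return -3;     /* bad size field or over-long write */
    memcpy(page + i * SLOT + HDR, src, len);
    return 0;
}
```

In this model the canary of the neighbouring block stays valid after its size field is changed, so the canary check alone does not flag the corruption; the comparison against the fixed capacity does.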