Tags: off-by-one doublefree fastbin one_gadget fastbindup 


In the `0CTFQuals 2018 - BabyHeap` challenge, there is an `off-by-one` vulnerability that leads to a `double free`, which in turn allows a `fastbin dup` attack. Basically, we can leak a `libc` address to de-randomize `ASLR` and overwrite `__malloc_hook` with a `one gadget` to execute `/bin/sh`. As part of our exploit, we managed to overwrite the `top chunk` pointer in the `main arena`, which forces `malloc` to return an almost arbitrary memory location on the following allocation. This is an interesting `heap exploitation` challenge for learning how to bypass protections like `NX`, `Canary`, `PIE`, `Full RELRO`, and `ASLR` in `x86_64` binaries.

Original writeup (https://github.com/sajjadium/ctf-writeups/tree/master/0CTFQuals/2018/babyheap).