## Faking till you're making
#### Description
Upon investigating some malicous blockchain workings, we found out a binary was being exploited to money launder. We took a look at it, and found a note by the author of the binary saying something about "maleficarum". Any clue what that is?
#### Author
#### Points and solves
486 points and 46 solves.

We are given a small program
int main(void)
char *__s;
ulonglong data [10];
char *b;
ulonglong *a;
setvbuf(stdout,(char *)0x0,2,0);
free(data + 2);
__s = (char *)malloc(0x30);
return 0;
and a win function:
void sh(void)

## The vulnerability:
It is very clear that this binary is vulnerable to the House of Spirits;
That is because we have full control ```data``` and we free ```data + 0x2```
So we can forge a fake chunk of size with size ```0x40``` and when we free it, it'll end up on the tcache of size 0x40.
When we malloc ```0x30``` bytes, it is actually ```0x40``` including headers. So the glibc heap will reuse the forged tcache chunk, which is on the stack.
We read into ```__s``` which lets us overflow the jump into the win function.

## The chunk:
```fake_chunk1 = p64(0) + p64(0x40) + 6*p64(0)```
We set the size to 0x40, with PREV_INUSE = 0, and this is enough to trick glibc into thinking this is a legitimate chunk to free.
After we send this chunk, it is a simple buffer overflow and override the return addres to the win function.

#### Flag

Original writeup (https://github.com/ElikBelik77/ctfs-writeups/tree/master/offshift/faking_making).