Tags: glibc heap dicectf babyrop rop 2022 pwn 


babyrop is a simple heap use-after-free exploitation challenge on glibc 2.34, meaning there are no allocator hooks left to overwrite as function pointers for PC control. We are also stuck with a seccomp filter and can't simply spawn /bin/sh.
My solution was to massage the heap and abuse the UAF in order to overlap a safe_string struct with a controllable string pointer, achieving an arbitrary read/write.
Since we don't have any allocator hooks to abuse for PC control on glibc 2.34, we can pivot to the stack and ROP instead.
Also, since seccomp filters execve(), I use my ROP chain to open the flag file, read its contents into memory, and then print them.
More details in the full writeup :)

Original writeup (https://0xten.gitbook.io/public/dice-ctf/2022/babyrop).