Tags: fastbins pwn heap tcache calloc 

## Summary
This is a pwn challenge built around a note system, a setup often seen in heap challenges. We are given the option to create, edit, show and delete chunks. There is also a secret function which allows us to get a leak. All protections are enabled and the binary uses a modern libc version. Chunks are created via calloc, which doesn't look in the tcache directly and also fills the allocated chunk with zeroes. We are also limited to 7 entries in our pointer list, which suggests that we can only have 7 chunks allocated.

In order to solve this, I used the secret function to get a PIE leak, exploited a UAF vulnerability to overwrite keys in order to fill the tcache, and allocated a chunk over the pointer list by overwriting the FD of a fastbin chunk. I then used that chunk to read and write anywhere for a libc leak, a stack leak and ROP.

See the full writeup here: [https://header.ro/posts/simplenote/](https://header.ro/posts/simplenote/)
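For the defensive side of the UAF mentioned above, here is an added example (not code from the challenge or the writeup) of a 7-slot note table whose delete path clears the slot, so edit, show and a second delete all refuse a freed entry. The function names, the struct layout and the size limit are hypothetical, and it assumes the UAF comes from a delete that leaves the stale pointer in the list, which the page does not spell out.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_NOTES 7            /* the page says the pointer list holds 7 entries */
#define MAX_SIZE  0x400        /* assumed upper bound, not taken from the binary */

/* Hypothetical note table: names and layout are assumptions for illustration. */
struct note { char *data; size_t size; };
static struct note notes[MAX_NOTES];

/* Create: calloc zero-fills the chunk, as on the page. Returns slot index or -1. */
int note_create(size_t size) {
    if (size == 0 || size > MAX_SIZE) return -1;
    for (int i = 0; i < MAX_NOTES; i++) {
        if (notes[i].data == NULL) {
            notes[i].data = calloc(1, size);
            if (notes[i].data == NULL) return -1;
            notes[i].size = size;
            return i;
        }
    }
    return -1;                 /* table full */
}

/* Delete: free the chunk AND clear the slot, so no dangling pointer survives. */
int note_delete(int idx) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx].data == NULL) return -1;
    free(notes[idx].data);
    notes[idx].data = NULL;    /* the step a UAF-prone delete leaves out */
    notes[idx].size = 0;
    return 0;
}

/* Edit: refuses freed slots and writes longer than the allocation. */
int note_edit(int idx, const char *src, size_t len) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx].data == NULL) return -1;
    if (len > notes[idx].size) return -1;
    memcpy(notes[idx].data, src, len);
    return 0;
}

/* Show: copies out at most the allocation size; -1 on a freed slot. */
long note_show(int idx, char *dst, size_t cap) {
    if (idx < 0 || idx >= MAX_NOTES || notes[idx].data == NULL) return -1;
    size_t n = notes[idx].size < cap ? notes[idx].size : cap;
    memcpy(dst, notes[idx].data, n);
    return (long)n;
}
```

With the slot cleared on delete, a freed chunk's metadata is never reachable through the note interface again.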
