Summary
- use a large calloc size (> mmap_threshold, 0x20000 by default) so the allocation falls back to mmap => the heap chunk sits at a constant offset from libc
- overwrite the stdout buffer pointer to point before _shortbuf
- overwrite the stdout/stdin flags so stdout is flushed before each read => leak the absolute libc base
- overwrite the stdout buffer pointer + flush for an arbitrary read
- leak the stack => overwrite main's return address => ROP to execv => done
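As an added check of the first bullet (this is not the author's exploit script; it assumes glibc on Linux and reads /proc/self/maps), the program below confirms that a calloc() above mmap_threshold is served by mmap and that its chunk sits at a page-aligned, run-invariant offset from libc, which is why any leaked pointer to such a buffer has to be treated as a libc leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumes glibc on Linux: the chunk size word sits 8 bytes before the user
   pointer, and bit 1 (IS_MMAPPED) marks chunks that were served by mmap(). */
static int is_mmapped_chunk(const void *user_ptr)
{
    return (((const size_t *)user_ptr)[-1] & 0x2) != 0;
}

/* Lowest address of libc's mapping, read from /proc/self/maps (Linux only). */
static uintptr_t libc_base_from_maps(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t base = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, "/libc")) {  /* maps are sorted: first hit is the base */
            base = (uintptr_t)strtoull(line, NULL, 16);
            break;
        }
    }
    fclose(f);
    return base;
}

/* Offset of the chunk header from libc's base. The kernel places new mmap
   regions next to the existing ones, so this value is page-aligned and the
   same on every run even with ASLR: leaking the chunk address leaks libc. */
static ptrdiff_t chunk_offset_from_libc(const void *user_ptr)
{
    uintptr_t chunk = (uintptr_t)user_ptr - 2 * sizeof(size_t);
    return (ptrdiff_t)(chunk - libc_base_from_maps());
}

int main(void)
{
    /* Constructed allocation: 0x21000 exceeds the default mmap_threshold
       (0x20000), so glibc maps a fresh region instead of using the arena. */
    void *p = calloc(0x21000, 1);
    printf("mmapped=%d offset_from_libc=%td\n", is_mmapped_chunk(p),
           chunk_offset_from_libc(p));
    free(p);
    return 0;
}
```

Run it several times with ASLR enabled: the absolute addresses change, the printed offset does not.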
Full writeup and exploit script (with extensive comments).