CISCN 2019 Pwn

It has been a really long time since I last updated my blog. I have fallen into disuse for a year and have been reduced to a complete cheerleader /(ㄒoㄒ)/~~.
So I should keep my blog updated, and here I am, a newbie opening my writeup for CISCN 2019.


Index overflow: we can read or write one byte anywhere on the stack.
First leak the program base address and the libc address.
Then hijack the return address to ret2libc, or use a one_gadget, which is even easier.


There is no index check in the remove function, as shown below.
We can use it for a use-after-free or a double free.

The steps are clear in the scenario: we employ a typical double-free fastbin attack to get a shell.


API info chunks are connected by a singly linked list.
However, if we add the same content twice, both entries link to the same API info chunk, as shown.

So it gives us the opportunity to double free.
As above, a fastbin attack is fast and effective.


A simple stack overflow without a leak.

My thought is to brute force to find a sysenter (fast system call) in the alarm function. Afterwards, set eax=0x11, ebx=address of "/bin/sh", ecx=edx=0 and try to get a shell directly without a leak.


The program is a virtual process simulator. It lets us input a program containing the following operations: push, pop, add, sub, mul, div, load, save; it also requires us to initialize the stack space.

By reversing, we find an OOB read/write in save and load.

Because the subscript check is missing, attackers are able to go beyond the boundary and read/write anything anywhere.

Our scenario is as follows:

  1. Use load to load the address of the heap onto the stack.
  2. Use sub and div to get the offset and load the address of libc's puts.
  3. Use sub to calculate the address of libc's system.
  4. Use save to write libc's system into the GOT entry of puts.
  5. When the program executes puts(name), what it actually executes is system("/bin/sh").
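
As an added example (not the challenge binary and not the author's exploit), here is a minimal C stack machine with the load and save operations described above, written with the subscript check that the challenge lacks; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#define VM_STACK_SLOTS 16

typedef struct {
    int64_t stack[VM_STACK_SLOTS]; /* fixed-size data stack */
    size_t sp;                     /* number of live slots */
} vm_t;

/* Nonzero when idx names a live slot. Signed compare first, so a negative
 * index is never converted to a huge size_t. */
static int in_bounds(const vm_t *vm, int64_t idx) {
    return idx >= 0 && (uint64_t)idx < vm->sp;
}

int vm_push(vm_t *vm, int64_t v) {
    if (vm->sp >= VM_STACK_SLOTS) return -1;
    vm->stack[vm->sp++] = v;
    return 0;
}

/* load: push stack[idx]; rejects any idx outside [0, sp). */
int vm_load(vm_t *vm, int64_t idx) {
    if (!in_bounds(vm, idx)) return -1;
    return vm_push(vm, vm->stack[idx]);
}

/* save: stack[idx] = value; the same check keeps the write inside the
 * stack, so no index can reach memory such as a GOT entry. */
int vm_save(vm_t *vm, int64_t idx, int64_t value) {
    if (!in_bounds(vm, idx)) return -1;
    vm->stack[idx] = value;
    return 0;
}

/* Try one valid and two invalid accesses; returns how many were rejected. */
int count_rejected(void) {
    vm_t vm = {0};
    int rejected = 0;
    vm_push(&vm, 0x41);
    rejected += vm_load(&vm, 0) != 0;     /* in range: accepted */
    rejected += vm_load(&vm, -3) != 0;    /* negative index: rejected */
    rejected += vm_save(&vm, 99, 1) != 0; /* past sp: rejected */
    return rejected;
}

int main(void) {
    printf("rejected accesses: %d\n", count_rejected()); /* 2 */
    return 0;
}
```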


It’s a copy of heap_paradise from
However, I failed to solve the problem because I had no idea the problem used tcache :), too young, too simple.

The vulnerability is obvious: there is no check on delete.

Following House of Roman, we can brute force to overwrite __free_hook, using puts for leaking and system for getting a shell.

The scenario is as follows. By the way, the heap layout and the quantity limitation are a little annoying; the probability of a successful pwn is \(1/16\).

So I prefer a more reliable way that does not depend on probabilities:
we overwrite _IO_write_base to leak an address, as heap_paradise does.