Can you kill the demon and get the flag?
Running on QEMU user-level emulation with heap randomization + libc randomization.
- By analysing the binary, you can easily find a double free bug at 0x401080.
- Overwrite the list head at the global (0x4120D0) with a main_arena pointer using an unsorted bin attack built on the double free bug (something like in House of Orange). This lets you write any value to bss.
- You can get an arbitrary write by modifying the list structure in bss.
- Write shellcode into bss and make the function pointer in the list point to it.
- Call the function pointer and get a shell! (QEMU user mode does not have NX.)
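The whole chain starts from the double free, so the defensive point is the release path of the list. The following is an added example, not the challenge binary's code: a small linked list of heap nodes carrying a function pointer, modelled on the structure the writeup describes (names such as `node_t`, `node_add`, `node_release_unsafe` and `node_release_safe` are assumptions). It shows the free-without-unlink pattern that produces a double free next to a release routine that unlinks first, frees once, and clears the caller's handle so that a repeated delete becomes a no-op instead of a second `free()` on the same chunk.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed list node: next pointer, a handler function pointer and a
 * small name buffer, roughly the layout the writeup's list is assumed to use. */
typedef struct node {
    struct node *next;
    void (*handler)(struct node *);
    char name[32];
} node_t;

static node_t *list_head = NULL;          /* global list head (assumed) */

static void default_handler(node_t *n) { (void)n; }

/* Allocate a node and push it at the head of the global list.
 * Returns the node, or NULL on allocation failure. */
node_t *node_add(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strncpy(n->name, name, sizeof n->name - 1);
    n->handler = default_handler;
    n->next = list_head;
    list_head = n;
    return n;
}

/* VULNERABLE pattern (shown for contrast, never called twice here):
 * the chunk is freed but stays linked in the list and the caller keeps
 * its pointer, so a later "delete" of the same entry frees it again.
 * That second free is the bug class the writeup builds on. */
void node_release_unsafe(node_t *n) {
    free(n);
}

/* HARDENED pattern: refuse to free anything the list does not own,
 * unlink before freeing, and clear the caller's handle afterwards.
 * Returns 1 if a node was freed, 0 if the handle was already cleared
 * or the node was not in the list. A second call with the same handle
 * therefore returns 0 instead of freeing the chunk again. */
int node_release_safe(node_t **slot) {
    if (!slot || !*slot) return 0;
    node_t **pp = &list_head;
    while (*pp && *pp != *slot) pp = &(*pp)->next;
    if (!*pp) return 0;                   /* not owned by the list */
    *pp = (*slot)->next;                  /* unlink first */
    free(*slot);                          /* free exactly once */
    *slot = NULL;                         /* kill the dangling handle */
    return 1;
}

/* Number of nodes currently linked. */
size_t node_count(void) {
    size_t c = 0;
    for (const node_t *n = list_head; n; n = n->next) c++;
    return c;
}

/* 1 if the list still references n, else 0. */
int list_contains(const node_t *n) {
    for (const node_t *p = list_head; p; p = p->next)
        if (p == n) return 1;
    return 0;
}
```

The ownership check in `node_release_safe` is what matters for detection as well: a delete request for a node the list no longer owns is exactly the condition a double free exercises, so logging that rejected path gives a cheap signal that someone is probing the release logic.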