Damn Vulnerable Chat! (ip : port, binary link, libc link)
./deploy/run.sh
This is a skeleton interface for an NCURSES-based chat program. There are three threads; two of the child threads are SECCOMP-sandboxed. There is a thread race-condition vulnerability that allows a stack underflow.
Using the stack underflow in the getinput function, an attacker can extend the bug into a full-chain ROP by using scanf. Initially, (%14$s) overwrites main's stack and bypasses the CANARY.
Using ROP, the attacker leaks LIBC via a GOT address, then triggers the second exploit with scanf (replace free - scanf).
free's GOT entry is changed to system; now we jump into free("sh").