HSCTF 2021 | PWN Writeups

HSCTF 2021 | PWN Use After Freedom TL;DR Vulnerability: use after free Exploit steps: Leak glibc address by freeing a chunk into unsorted bins Perform partial unlink (unsorted bin attack) to overwrite global_max_fast Free a 0x3940 sized chunk to overwrite __free_hook with the address of 0x3940 sized chunk Use write after free to change the fd of 0x3940 sized chunk with system Allocate a 0x3940 sized chunk so _free_hook becomes system Call free(/bin/sh) Exploit #!