N1CTF 2018

N1ctf 2018 was an outstanding capture the flag game.
Under the guidance of upperclassmen, I win three PWN easy probrems with half a heart.Keep learning…… Orz….


Use after free in cancel function

Notice that in vote function ,we can modify vote ’s count.
So we can take UAF create a freed chunk and then vote to modify *fd pointer to make chunk overlapping that makes fastbin attack smoothly.
Thread is totally a thrik.


Mmaped address can be leaked by create a fastbin-chain , and predictable RNG is also workable.

Does Server time is same the as our Machine time?
Does Different version of libc.so predicted random number are the same?
Successfully but not safely:-D_

Vulnerability stack overflow is in encrypt section,it can overwrite the encrypt pointer *psd_pointer by coincidence.

Overwrite the encrypt pointer to leaked mmaped address and inject our shellcode by encryption algorithm.
When Logout we can execute our shellcode and spawn a shell.


A heap overflow corrupting thread_arena.
Firstly , heap overflow is obvious, we can overflow size bytes.(0<size<0x4000)

Notice that our program alloced by thread heap, the address of thread heap is mmaped , thread_arena is created on the same mmap_segment of it’s chunk, and the mmap_segment’s base address is close to libc base address.
Guess if we malloc a large number of chunk to exhaust address space, thread heap will grow upwards.
After competition,i view malloc.c source code and find:

When av’s address space exhausted, av will mmaped above the thread_arena.
But here , we need to make func grow_heap return error.

The only way to bypass this is if we made __mprotect fail. So , if we made our heap segment close to a different memory segment. Normally, its above a non-readable, writable and executable page so that it can easily extend into it. But if we spam alloc to make it above a libc segment, this is no way to grow and create a new heap instead.

So our path is to malloc a lot and when is going to exhausted the av’s address space, we overwrite thread_arena’s FastbinY[] by overflow read function.Hjiack control flow in the end.