libc 2.35
- DiceCTF @ HOPE 2022 - Catastrophe: Overwrite the libc GOT using Fastbin Dup
- BSides Algiers 2023 - just pwnme: Tcache poisoning to build a ROP chain | libc GOT overwrite
libc 2.34
- MetaCTF 2021 - Hookless: Double Free via House of Botcake. Overwrite _IO_2_1_stdout_ with the environ address to leak a stack address, then write a ROP chain directly on the stack to achieve code execution
libc 2.31
- NahamCon CTF 2025 - Found Memory: The binary has a Use-After-Free, which we use to control a bin's fd pointer and then change a chunk's size field to 0x420 for a libc leak (two fake chunks are needed to bypass the unsortedbin mitigation). Then overwrite __free_hook to get a shell. We can leak the heap base, so no brute force is needed
- NahamCon CTF 2024 - Lost Memory: First allocate a chunk of some random size for a stack leak, then use tcache poisoning to place a ROP chain at the saved RIP (the ROP chain will add the atoi GOT address to system and return to main); the next step is just passing a binsh string to it
- malloca allocates the chunk on the stack depending on its size, so we forge a fake chunk on the stack, perform a House of Spirit attack on it, then allocate a chunk on the stack containing our ROP chain, which overwrites the return address
- Fastbin dup to overwrite __free_hook with system
- Use-After-Free; Heap Overflow in the Decompress function. Overwrite a bin's fd → Tcache poisoning
- Extend chunk attack & Tcache poisoning to drop a shell
libc 2.27
- We are working with multiple threads (each thread has its own tcache) and the program frees unused chunks every 5s. We can trigger malloc_consolidate to move a fastbin chunk into the unsortedbin, causing a duplicate. The demo is test.c
- Hack The Box Business 2025 - Cyber Bankrupt: Attack a tcache entry for an arbitrary write and leak libc. Note that locally there is a 0x410 free chunk in the tcache bin, which lets us calculate the offset, so when connected to the target just subtract the 0x410 chunk for all chunks you use
libc 2.23
- UAF to House of Force
- Can trigger a Double-Free in the delete function → Fastbin duplication
- Fastbin dup via overlapping chunks by their index