Simple PWN 0x17(UAF - leak information)

tags: CTF PWN eductf

Version: Ubuntu 20.04

UAF background

SS111-Pwn2 Advanced Binary Exploitation (Pwn) - Heap Exploitation

Original Code

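#include <stdio.h>
#include <stdlib.h>

int main()
{
    void *p1, *p2;
    /* Two chunks of the same size, so they end up in the same free list. */
    p1 = malloc(0x30);
    p2 = malloc(0x30);

    free(p1);
    free(p2);   /* p2 is not set to NULL and still points at the freed chunk */

    /* Use after free: prints whatever the allocator stored in the chunk. */
    puts(p2);
}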

If we do not set the pointer to NULL after it is freed, we can read some vital information from this chunk.

Analyze

  • After both pointers are allocated with malloc
  • After freeing p1
  • After freeing p2, its data section is reused to store metadata, and fd stores the address of the p1 header
  • Thus, when we print the contents of p2, we leak something if p2 wasn't set to NULL after it was freed
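
The leak and its fix side by side, as an added example that is not part of the original write-up. The names free_and_null, checked_puts, read_through_dangling and hardened_flow are hypothetical, and the value printed by the dangling read depends on the allocator version.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: free the chunk and clear the caller's pointer. */
static void free_and_null(void **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Hypothetical helper: refuse to print through a cleared pointer. */
static int checked_puts(const char *s)
{
    if (s == NULL)
        return -1;
    return puts(s) < 0 ? -1 : 0;
}

/* The page's pattern: p2 still points at the freed chunk, so the read
 * returns what the allocator stored there (undefined behaviour in C). */
static uintptr_t read_through_dangling(uintptr_t *p1_addr)
{
    void *p1 = malloc(0x30), *p2 = malloc(0x30);
    uintptr_t leaked = 0;

    memset(p2, 0, 0x30);                /* zeroing before free does not help */
    *p1_addr = (uintptr_t)p1;           /* remembered for comparison only */
    free(p1);
    free(p2);
    memcpy(&leaked, p2, sizeof leaked); /* use after free */
    return leaked;
}

/* Hardened form: both pointers are cleared, so the later print is rejected. */
static int hardened_flow(void)
{
    void *p1 = malloc(0x30), *p2 = malloc(0x30);

    free_and_null(&p1);
    free_and_null(&p2);
    return checked_puts(p2);            /* -1: nothing is read from the heap */
}

int main(void)
{
    uintptr_t p1_addr = 0, leaked = read_through_dangling(&p1_addr);
    printf("p1 = %#lx, freed p2 holds %#lx\n", (unsigned long)p1_addr, (unsigned long)leaked);
    printf("hardened_flow() = %d\n", hardened_flow());
    return 0;
}
```

Zeroing the buffer before free does not remove the leak, because the allocator writes its metadata into the chunk after free returns control of it; only clearing the pointer stops the later read.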