Tags: tcache pwn houseofpoortho picoctf 

The binary has a use-after-free (which later enables double frees) and a possible single null-byte overflow during allocation. The target libc is 2.29, which introduces the tcache key field as its mechanism for detecting double frees in tcache bins.

Allocate a chunk, then allocate another chunk (say of size 0x150; the real chunk size is 0x160 because of the metadata). Free both the first chunk and this 0x150 chunk. Then re-allocate something of the first size to get the first chunk back; this time, also overflow a null byte into the size field of the chunk below it. Re-free the overflown chunk: it now goes into a different bin (specifically the 0x100 tcache bin, because the single null byte clears the low byte of its size field).

Then re-allocate size 0x150 to get this very same chunk back from the tcache bin it was originally freed into, and free it again. Since the null byte is still in effect, it goes back into the 0x100 bin, where it already sits, creating a double free that the key check does not catch. Now overwrite the next pointer in the 0x100 tcache bin and perform a classic tcache poisoning attack to overwrite __free_hook.

Many of us have decided to name this attack the House of Poortho, in honor of the challenge writer.

Original writeup (https://www.willsroot.io/2019/10/picoctf-2019-zero-to-hero-writeup.html).