sajjadium/ctf-writeups

A question about YAWN InCTF 2018

Closed this issue · 2 comments

https://github.com/sajjadium/ctf-writeups/blob/master/InCTF/2018/YAWN/exploit.py#L53

Why is tables[0] addr - 0x1040 = heap base addr?

I got this value from a memory dump, but I think perhaps there is a relationship between the heap base addr and the table[0] addr.

Thanks.

Hi,

Sorry for the late response. Just saw this.

Basically, the heap layout is deterministic, so at the time we leak that heap address, the corresponding chunk was at 0x1040 offset. You can easily see it if you run gdb.attach(p) right before leaking the heap address.
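One way to confirm a fixed offset like the 0x1040 mentioned above is to read the target's `/proc/<pid>/maps` while attached (the same moment `gdb.attach(p)` would be used) and compare the leaked pointer against the `[heap]` range. The following is an added example, not code from the writeup or this repository; the maps text and addresses are constructed samples, and the helper names are my own.

```python
import re

# Constructed sample of /proc/<pid>/maps output (not taken from the YAWN challenge).
SAMPLE_MAPS = """\
555555554000-555555556000 r--p 00000000 08:01 1234 /tmp/yawn
555555556000-555555558000 r-xp 00002000 08:01 1234 /tmp/yawn
555555559000-55555557a000 rw-p 00000000 00:00 0 [heap]
7ffff7dc0000-7ffff7de5000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [pathname]
_MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, name) tuples."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), m.group(4)))
    return regions


def heap_range(regions):
    """Return (start, end) of the [heap] mapping."""
    for start, end, _perms, name in regions:
        if name == "[heap]":
            return start, end
    raise ValueError("no [heap] mapping found")


def leak_offset(leaked_ptr, regions):
    """Offset of a leaked pointer from the heap base, after checking it lies in [heap]."""
    base, end = heap_range(regions)
    if not base <= leaked_ptr < end:
        raise ValueError(f"{leaked_ptr:#x} is outside [heap] {base:#x}-{end:#x}")
    return leaked_ptr - base


def heap_base_from_leak(leaked_ptr, offset):
    """Recover the heap base from a leak and a known offset; the base must be page aligned."""
    base = leaked_ptr - offset
    if base & 0xfff:
        raise ValueError(f"{base:#x} is not page aligned; the assumed offset is wrong")
    return base
```

Run the offset check on a few fresh processes: if `leak_offset` returns the same value each time, the layout is deterministic and subtracting that constant is safe.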

I get it.
Thanks.