The program mmap’s a custom heap that is given
Chunks are allocated on this heap with a custom memory allocator.
There are three main vulnerabilities in this program:
- getnline() has an off-by-one vulnerability that lets one extra byte be written past the end of a note chunk, corrupting the size field of the adjacent note chunk
- heap chunks that are re-allocated are not zeroed before being handed out again, so artifacts of the old chunk, including heap chunk pointers, survive in the new chunk and can be leaked
- there is a write-what-where vulnerability
We can use the second vulnerability to leak the address of the mmap'd heap, which bypasses ASLR for the heap.
The first vulnerability, the 1-byte overflow, is what lets us corrupt a neighbouring chunk's size field.
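To make the first two bugs concrete, here is a small C model of both, added for this write-up and not taken from the challenge binary. The allocator, the 8-byte chunk header, the LIFO free list that stores its link in the first 8 bytes of freed data, the 24-byte note size and the getnline() stand-in (a copy loop whose bound is `i <= n` instead of `i < n`) are all assumptions chosen to reproduce the behaviour described above; the real program's layout is not reproduced here. A static arena stands in for the mmap'd region.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy custom heap (assumed layout, not the challenge's): a static arena
 * stands in for the mmap'd region, chunks are header + data back to back. */
#define ARENA_SIZE 4096
#define NOTE_SIZE  24

struct hdr {
    uint32_t size;    /* usable bytes following the header */
    uint32_t in_use;
};

static _Alignas(8) uint8_t arena[ARENA_SIZE];
static size_t      top;        /* bump pointer into the arena */
static struct hdr *free_head;  /* head of the LIFO free list */

static void heap_reset(void)
{
    memset(arena, 0, sizeof arena);
    top = 0;
    free_head = NULL;
}

static void *data_of(struct hdr *h) { return (uint8_t *)h + sizeof *h; }
static struct hdr *hdr_of(void *p)  { return (struct hdr *)((uint8_t *)p - sizeof(struct hdr)); }

/* The free-list link lives in the first 8 bytes of the freed chunk's data,
 * the same place glibc keeps fd/tcache next pointers. */
static void toy_free(void *p)
{
    struct hdr *h = hdr_of(p);
    h->in_use = 0;
    memcpy(p, &free_head, sizeof free_head);
    free_head = h;
}

/* zero_on_reuse == 0 reproduces the second bug: a recycled chunk still holds
 * its stale free-list pointer. zero_on_reuse == 1 is the hardened allocator. */
static void *toy_alloc(uint32_t size, int zero_on_reuse)
{
    if (free_head && free_head->size >= size) {
        struct hdr *h = free_head;
        memcpy(&free_head, data_of(h), sizeof free_head);  /* unlink */
        h->in_use = 1;
        if (zero_on_reuse)
            memset(data_of(h), 0, h->size);
        return data_of(h);
    }
    if (top + sizeof(struct hdr) + size > ARENA_SIZE)
        return NULL;
    struct hdr *h = (struct hdr *)(arena + top);
    h->size = size;
    h->in_use = 1;
    top += sizeof *h + size;
    return data_of(h);
}

/* Stand-in for getnline(): copy one line of at most n bytes into buf.
 * The bound is `i <= n`, so the (n+1)th byte lands at buf[n], which is the
 * first byte of the next chunk's header. */
static size_t getnline_vuln(char *buf, size_t n, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != '\n' && i <= n) {   /* off by one */
        buf[i] = src[i];
        i++;
    }
    return i;
}

static size_t getnline_fixed(char *buf, size_t n, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0' && src[i] != '\n' && i < n) {
        buf[i] = src[i];
        i++;
    }
    return i;
}

/* Constructed input: NOTE_SIZE filler bytes followed by 0xff, the byte that
 * spills into the neighbour's size field. Returns that neighbour's size after
 * the note is filled through `reader`: NOTE_SIZE means intact, else corrupted. */
static uint32_t neighbour_size_after(size_t (*reader)(char *, size_t, const char *))
{
    char line[NOTE_SIZE + 2];
    heap_reset();
    char *note_a = toy_alloc(NOTE_SIZE, 0);
    char *note_b = toy_alloc(NOTE_SIZE, 0);
    memset(line, 'A', NOTE_SIZE);
    line[NOTE_SIZE] = (char)0xff;
    line[NOTE_SIZE + 1] = '\0';
    reader(note_a, NOTE_SIZE, line);
    return hdr_of(note_b)->size;
}

/* Free two notes, then allocate again: without zeroing, the recycled note's
 * first 8 bytes are the free-list pointer to the other freed chunk, i.e. a
 * heap address the program will happily print back. Returns 1 if it leaks. */
static int leaks_heap_pointer(int zero_on_reuse)
{
    heap_reset();
    char *a = toy_alloc(NOTE_SIZE, zero_on_reuse);
    char *b = toy_alloc(NOTE_SIZE, zero_on_reuse);
    strcpy(a, "first note");
    strcpy(b, "second note");
    toy_free(a);                                   /* a.data = NULL, head = a */
    toy_free(b);                                   /* b.data = &a.hdr, head = b */
    char *c = toy_alloc(NOTE_SIZE, zero_on_reuse); /* hands b back */
    void *leaked;
    memcpy(&leaked, c, sizeof leaked);
    return c == b && leaked == (void *)hdr_of(a);
}

int main(void)
{
    printf("neighbour size after vulnerable getnline: %u\n", neighbour_size_after(getnline_vuln));
    printf("neighbour size after fixed getnline:      %u\n", neighbour_size_after(getnline_fixed));
    printf("stale heap pointer leaked: %d (hardened allocator: %d)\n",
           leaks_heap_pointer(0), leaks_heap_pointer(1));
    return 0;
}
```

On a little-endian machine the vulnerable reader turns the neighbour's size from 24 into 0xff, exactly the kind of size-field corruption a later allocation can be made to trust; the fixed bound leaves it at 24. The leak path needs no overflow at all: two frees and one allocation are enough to read a heap address out of the recycled chunk, and zeroing on reuse is what removes it.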
Putting everything together, we can get the flag using the following exploit.