
Heap Grooming

Dead or Alive

3283 words · 16 mins
Dead or Alive was a hard Pwn challenge which consisted of a UAF bug inside a heap note type application. The bug was very similar to the Prison Break challenge, but without a Copy operation. The glibc present was pretty new (2.35), which means no hooks were available. I resorted to executing code by utilizing an exit_funcs overwrite.

Prison Break

1645 words · 8 mins
Prison Break was a classic vanilla heap note Pwn challenge with a UAF bug. I had to leak libc addresses off the heap to acquire the __free_hook address, which could then be overwritten to system.