Binary Exploitation
17 writeups
Signed-length bug on glibc 2.39 turns into a heap primitive. Safe-linking leak, unsorted-bin libc leak, tcache poisoning through an XOR cipher, and a forged exit handler chain.
category: reversing (with a light pwn twist)
Binary: abnormaleak (ELF 64-bit, x86-64, dynamically linked, not stripped)
---
- **Category:** Pwn / Binary Exploitation
- **Difficulty:** Medium
- **Binary:** `imperial_archive` (ELF 32-bit, i386, dynamically linked, not stripped)
- **Protections:** NX, Part
**Challenge:** A Micromachine — read-only device/OTP/flag combined challenge (web / queuer helper). **Target:** get `/app/public/playlist.txt` to contain `/flag/flag.txt` content.
`Echo` is a small remote pwn challenge:
The exploit is the same core idea as `stack-bof`: the useful bug is not the final `gets()` alone, but the pair:
- Name: `Very Simple FSB`
- Category: `pwn`
- Remote: `35.194.108.145:13840`
The bug is not the final `gets()` by itself. The real primitive is:
**Flag:** `bctf{Nev3r_underst00d_why_we_n33d_TSX_and_TXS_unt1l_n0w..:D}`
Source first:
The bug is a use-after-free in the Forth dictionary.
ret2win with a stack-alignment twist — hop through a single ret gadget before calling win() so system() sees a 16-byte-aligned stack.
32-bit ret2dlresolve — Partial RELRO, NX on, no libc leak, only read@plt. Force the linker to resolve system("/bin/sh").
Two-stage SROP without libc. pop rax; ret + syscall are enough. First frame does read + stack pivot, second frame executes execve("/bin/sh").
Stack overflow into ret2dlresolve — force the dynamic linker to resolve system at runtime and run system("sh").