Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/flagvent2025/hard
  • Blog Title: Flagvent 2025 (Hard): FV25.08 Kellerspeicher aufm Haufen (GNU obstack function-pointer hijack) + FV25.09 Quantum Elves (+ FV25.10 header)
  • Suggested Section: Binary Exploitation -> Libc Heap (or a new mini-page/section) -> "GNU obstack exploitation / function-pointer hijack (chunkfun)"; also potentially cross-link from "Integer Overflow" (allocation-size overflow to 0-byte alloc) and "Write What Where to Exec" (function pointer overwrite).

🎯 Content Summary

This post is a technical writeup of multiple Flagvent 2025 “hard” challenges. The security-relevant one is FV25.08 (PWN), which achieves remote code execution by abusing a 32-bit integer overflow that yields a 0-byte allocation for a pointer array, enabling an out-of-bounds (OOB) pointer write into adjacent heap objects. The exploit then turns that write into (1) a heap leak, (2) a libc leak (by reading GNU obstack’s chunkfun which...

🔧 Technical Details

Exploit integer-overflowed allocation sizes to create “0-byte buffer, huge logical length” OOB writes: When code allocates sizeof(ptr) * size but performs the multiplication in 32-bit (e.g., via SHL EAX, 0x3) while later using a 64-bit size_t logical length, choose size so the multiplication wraps (e.g., 0x20000000 * 8 = 0x100000000 → 0 in 32-bit). The program then treats the pointer array as enormous and writes elements[curr++] out-of-bounds into adjacent heap objects, enabling targeted pointer corruption.

Convert a cross-object OOB write into an arbitrary read by corrupting a neighbor’s pointer field: If object A can OOB-write into object B’s pointer (e.g., B->elements), redirect that pointer to a sensitive address and then use an existing read primitive (like pop reading/printing elements[0]) to disclose memory. In this writeup, neben-&...

🤖 Agent Actions

Summary:

  • Added a new libc-heap case study on GNU obstack exploitation, covering 32-bit size-wrap → 0-byte allocation OOB writes, leaking chunkfun for libc base, and hijacking obstack control flow via a forged header to call system("/bin/sh").
  • Linked the new obstack exploit page from the libc-heap README Case Studies section for discoverability.

Testing:

  • Not run (documentation-only changes).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
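As an added illustration of the allocation-size wrap described in the technical details above (example code written for this page, not taken from the writeup or the challenge binary): the 32-bit byte-count computation is shown beside a checked size_t version that refuses to hand out a buffer smaller than its logical length. All function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug pattern: the byte count for a pointer array
 * is computed in 32-bit arithmetic (what a `shl eax, 3` on a 32-bit register
 * does), while the logical element count is tracked as a 64-bit size_t. */
uint32_t byte_count_32(uint32_t count) {
    return count * 8u;               /* wraps mod 2^32 for count >= 0x20000000 */
}

/* Hardened: multiply in size_t and reject any count that would wrap. */
bool byte_count_checked(size_t count, size_t *out) {
    if (count > SIZE_MAX / sizeof(void *))
        return false;                /* would overflow size_t */
    *out = count * sizeof(void *);
    return true;
}

/* True when the vulnerable path yields a 0-byte buffer for a non-zero
 * logical length: every later elements[curr++] store is then out of bounds. */
bool mismatched_buffer(uint32_t count) {
    return count != 0 && byte_count_32(count) == 0;
}

/* Hardened allocation: byte size and logical length agree, and a
 * zero-length array gets no buffer at all. calloc(count, sizeof(void *))
 * performs the same wrap check internally. */
void **alloc_ptr_array(size_t count) {
    size_t bytes;
    if (count == 0 || !byte_count_checked(count, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    uint32_t n = 0x20000000u;        /* the wrapping count from the writeup */
    printf("32-bit bytes for 0x%x: %u (mismatch=%d)\n",
           n, byte_count_32(n), mismatched_buffer(n));
    size_t bytes;
    if (byte_count_checked(n, &bytes))
        printf("checked bytes: 0x%zx\n", bytes);
    void **arr = alloc_ptr_array(16);
    free(arr);
    return 0;
}
```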

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/flagvent2025/hard

Content Categories: Based on the analysis, this content was categorized under "Binary Exploitation -> Libc Heap (or a new mini-page/section) -> "GNU obstack exploitation / function-pointer hijack (chunkfun)"; also potentially cross-link from "Integer Overflow" (allocation-size overflow to 0-byte alloc) and "Write What Where to Exec" (function pointer overwrite)".

Repository Maintenance:

  • MD Files Formatting: 937 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
