Dream Diary - Chapter 1

I was wondering if anyone could give me anything on Dream Diary. I have a way to corrupt memory, and I think I’m on the right track, but I’ve never done an exploit like this and am kind of stuck trying to get it working.

Obviously, if you’ve already solved this challenge and wouldn’t mind discussing it off of the forum, I can explain where I’m at.

following :smiley:

Okay, I have a working exploit locally, but I can’t for the life of me figure out why it won’t work remotely. I’m using the same system as remote (at least according to the challenge description). If someone who has solved this happens to see this post, I’d love to bounce an idea off of you via PM. Thanks!

@phspade, all I can say is that you need to have an intimate understanding of the heap and it’s structure. I think anything more than that gives away too much here. Good luck!

Hey @crisco if you still have problems with dream diary feel free to PM me!

@crisco In my way, I execute my exploit many times to get shell… In local it 100% to got shell , but on remote maybe 10% or less… -__-

@CharlesYang there are many reasons why you might experience that… Assuming that you already got the flag, PM me and I could briefly walk you through some of the possible reasons for that low success rate.

Hey guys! I have an exploit that work localy, but not remotely! Someone can give me an hint in PM please? :tired_face:

Hi everybody… I’m reading about the exploit method readings similar CTF writeups abusing the malloc/free functions.
If we have to rewrite the GOT entry for a function in the code with the address of system… how do you leak libc address?? I haven’t seen any way to dump the buffers that we create.

Any tip on where to start?

You don’t have the address of libc or system, but what things do you have the address of that could be used? If the program is calling a function, the address of that function must be in a known location.

Finally got this one, I experienced the same issue with the remote exploit working about 10% of the time. Anybody figure out the cause of this?

Hi guys, could you give me some hint? I can’t find the way to corrupt the chunk :’(.

Did you all have to significantly change things for the remote? ive got local working flawlessly, but i can’t seem to get it to work remotely. I’ve updated to handle the extra output. It seems all my steps work until the last, where it just crashes.

Anyone around that can answer some questions for me bit confused

Hi guys,
I was wondering if anyone of you would be willing to discuss your approaches and or solutions. This was the first time I performed a heap-based exploit and while I was finally able to solve the challenge, I am sure that I took some unecessary detours. Please feel free to PM me.

Anyone who wants to discuss this challenge? I have found the flaw, thus having an arbitrary write. Most of the time, you would just overwrite a GOT entry with system or similarly, however, I can’t figure out what to overwrite it with in order to exploit it. Couldn’t I just overwrite with it with some shellcode?

I plan to do this one soon. As far as I know, you would overwrite the GOT entry with an address to something, not the thing itself (shellcode). If you can point back to your shellcode somewhere, that ought to work. Otherwise, you’d need some ROP chaining based on code and functions already in the binary, or libc if you leaked the libc version.

Hi… I have a working LOCAL exploit but can’t get it to work on remote. Everything works except the system() call :anguished:

Anyone that can give me a little tip?


Hello guys !

I read a quite a bit about heap management/malloc/free/unlink and so on (with a lot of House of xxxxx exploit that I understand partially). I think I am on the right track and I saw how I can fill the heap so that I have a total control on it. Nevertheless I can’t find a way to achieve a write primitive :frowning:

Can someone help me :smiley: ?


do someone can help me? I got shell locally, but I am with trouble remotely.

how can I write the 0x7f ?