Simple PWN 0x16(simple_smallbin)

Posted on | Post modified | In |

Simple PWN 0x16(simple_smallbin)

tags: CTF PWN eductf

Version: Ubuntu 20.04

Background

Original Code

:::spoiler code

#include <stdio.h>
#include <stdlib.h>

int main()
{
    void *ptrs[7];
    void *smallbin;
    int i;

    for (i = 0; i < 7; i++)
        ptrs[i] = malloc(0x108); // 0x110 chunk size

    smallbin = malloc(0x108);
    malloc(0x18);

    // aim to fill up tcache
    while(i)
        free(ptrs[--i]);
    
    free(smallbin);
    // trigger unsorted bin dispatch
    malloc(0x870);

    return 0;
}

:::

Description & Analyze

  • First things first, the program will call malloc to get 0x108*8(0x110 chunk size)
  • Then free the all chunks When tcache is fill and chunk size > 0x80, it’ll be put into Unsorted bin
  • And now, if we malloc a new space with size equal 0x870 According to the flow chart, when the malloc size over 0x410, it’ll find Unsorted bin first, and now, Unsorted bin has no suitable chunk, thus find large bin further. Unfortunately, it still has no suitable chunk for the user, split the memory from top chunk ```bash!

    pwndbg heap … Allocated chunk | PREV_INUSE Addr: 0x555555559b30 Size: 0x881

Top chunk | PREV_INUSE Addr: 0x55555555a3b0 Size: 0x1fc51 ```

  • **Note that**

    , the interesting thing is when we free smallbin, the process put it in Unsorted bin. And when we malloc 0x870, the process found that Unsorted bin has no suitable chunk for the user, then it’ll put smallbin(0x110) to where it should be → smallbins

    • Before malloc 0x870 and after free smallbin(0x110)
    • After malloc 0x870