@hhc0null
Last active March 10, 2016 03:26
some study of heap exploitation
(12:23) hhc0null@arch_on_vbox% ltrace -s 512 -e "read+malloc+strdup+asprintf+realloc+free-@libc.so.*" ./freenote [~/ctf] [8296]
freenote->malloc(6160) = 0x17d0010
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(02
, "2", 1) = 1
freenote->read(0, "\n", 1) = 1
Length of new note: freenote->read(0128
, "1", 1) = 1
freenote->read(0, "2", 1) = 1
freenote->read(0, "8", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->malloc(128) = 0x17d1830
Enter your note: freenote->read(0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 128) = 128
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(02
, "2", 1) = 1
freenote->read(0, "\n", 1) = 1
Length of new note: freenote->read(0128
, "1", 1) = 1
freenote->read(0, "2", 1) = 1
freenote->read(0, "8", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->malloc(128) = 0x17d18c0
Enter your note: freenote->read(0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 128) = 128
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(0, "\n", 1) = 1
Invalid!
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(04
, "4", 1) = 1
freenote->read(0, "\n", 1) = 1
Note number: freenote->read(01
, "1", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->free(0x17d18c0) = <void>
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(04
, "4", 1) = 1
freenote->read(0, "\n", 1) = 1
Note number: freenote->read(00
, "0", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->free(0x17d1830) = <void>
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(02
, "2", 1) = 1
freenote->read(0, "\n", 1) = 1
Length of new note: freenote->read(0256
, "2", 1) = 1
freenote->read(0, "5", 1) = 1
freenote->read(0, "6", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->malloc(256) = 0x17d1830
Enter your note: freenote->read
Done.
== 0ops Free Note ==
1. List Note
2. New Note
3. Edit Note
4. Delete Note
5. Exit
====================
Your choice: freenote->read(04
, "4", 1) = 1
freenote->read(0, "\n", 1) = 1
Note number: freenote->read(01
, "1", 1) = 1
freenote->read(0, "\n", 1) = 1
freenote->free(0x17d18c0*** Error in `./freenote': double free or corruption (out): 0x00000000017d18c0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x6f364)[0x7f8da3555364]
/usr/lib/libc.so.6(+0x74d96)[0x7f8da355ad96]
/usr/lib/libc.so.6(+0x7557e)[0x7f8da355b57e]
./freenote[0x40106f]
./freenote[0x4010f1]
/usr/lib/libc.so.6(__libc_start_main+0xf0)[0x7f8da3506710]
./freenote[0x400799]
======= Memory map: ========
00400000-00402000 r-xp 00000000 08:03 7618310 /home/hhc0null/ctf/freenote
00601000-00602000 r--p 00001000 08:03 7618310 /home/hhc0null/ctf/freenote
00602000-00603000 rw-p 00002000 08:03 7618310 /home/hhc0null/ctf/freenote
017d0000-017f2000 rw-p 00000000 00:00 0 [heap]
7f8d9c000000-7f8d9c021000 rw-p 00000000 00:00 0
7f8d9c021000-7f8da0000000 ---p 00000000 00:00 0
7f8da32d0000-7f8da32e6000 r-xp 00000000 08:03 6835909 /usr/lib/libgcc_s.so.1
7f8da32e6000-7f8da34e5000 ---p 00016000 08:03 6835909 /usr/lib/libgcc_s.so.1
7f8da34e5000-7f8da34e6000 rw-p 00015000 08:03 6835909 /usr/lib/libgcc_s.so.1
7f8da34e6000-7f8da367e000 r-xp 00000000 08:03 6818951 /usr/lib/libc-2.23.so
7f8da367e000-7f8da387d000 ---p 00198000 08:03 6818951 /usr/lib/libc-2.23.so
7f8da387d000-7f8da3881000 r--p 00197000 08:03 6818951 /usr/lib/libc-2.23.so
7f8da3881000-7f8da3883000 rw-p 0019b000 08:03 6818951 /usr/lib/libc-2.23.so
7f8da3883000-7f8da3887000 rw-p 00000000 00:00 0
7f8da3887000-7f8da38aa000 r-xp 00000000 08:03 6818948 /usr/lib/ld-2.23.so
7f8da3a83000-7f8da3a86000 rw-p 00000000 00:00 0
7f8da3aa9000-7f8da3aaa000 rw-p 00000000 00:00 0
7f8da3aaa000-7f8da3aab000 r--p 00023000 08:03 6818948 /usr/lib/ld-2.23.so
7f8da3aab000-7f8da3aac000 rw-p 00024000 08:03 6818948 /usr/lib/ld-2.23.so
7f8da3aac000-7f8da3aad000 rw-p 00000000 00:00 0
7ffd6cc46000-7ffd6cc67000 rw-p 00000000 00:00 0 [stack]
7ffd6cde1000-7ffd6cde3000 r--p 00000000 00:00 0 [vvar]
7ffd6cde3000-7ffd6cde5000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
<no return ...>
--- SIGABRT (Aborted) ---
+++ killed by SIGABRT +++