{"height":"190","provider_url":"https://hatena.blog","version":"1.0","blog_title":"\u30d6\u30ed\u30b0\u672a\u6e80\u306e\u306a\u306b\u304b","author_name":"hama7230","author_url":"https://blog.hatena.ne.jp/hama7230/","provider_name":"Hatena Blog","title":"SECCON Beginners NEXT 2017 \u6771\u4eac next_note writeup","published":"2017-10-07 19:25:43","url":"https://hama.hatenadiary.jp/entry/2017/10/07/192543","image_url":null,"type":"rich","width":"100%","html":"<iframe src=\"https://hatenablog-parts.com/embed?url=https%3A%2F%2Fhama.hatenadiary.jp%2Fentry%2F2017%2F10%2F07%2F192543\" title=\"SECCON Beginners NEXT 2017 \u6771\u4eac next_note writeup - \u30d6\u30ed\u30b0\u672a\u6e80\u306e\u306a\u306b\u304b\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\"></iframe>","blog_url":"https://hama.hatenadiary.jp/","categories":["writeup"],"description":"\u306f\u3058\u3081\u306b \u521d\u5fc3\u8005\u3067\u554f\u984c\u304c\u89e3\u3051\u306a\u3044\u306e\u3067\u3001\u3053\u308c\u3067\u6210\u9577\u3067\u304d\u305f\u3089\u3044\u3044\u306a\u3041\u3068\u601d\u3044\u53c2\u52a0\u3057\u305f\u3002 pwnable\u306e\u65b9\u306e\u8b1b\u7fa9\u3067\u4f7f\u308f\u308c\u305fnext_note\u3068\u3044\u3046\u554f\u984c\u306ewriteup\u3068\u306a\u3063\u3066\u3044\u308b\u3002 \u52d5\u4f5c \u3088\u304f\u3042\u308b\u611f\u3058\u306e\u30ce\u30fc\u30c8\u7ba1\u7406\u3002 \u8106\u5f31\u6027 double free\u3067\u304d\u308b\u3002 \u65b9\u91dd double free -> fastbin dup -> fastbin attack -> stdout\u306evtable\u3092\u66f8\u304d\u63db\u3048 \u3067\u5236\u5fa1\u3092\u53d6\u308c\u308b\u3002\u3042\u3068\u306f\u9069\u5f53\u306bone-gadget-rce\u4f7f\u3063\u305f\u3002 exploit #!/usr/bin/env python from pwn import * context(os='linux', arch\u2026"}