Introduction
cshell2 is a heap challenge I did during the corCTF 2022 event. It was pretty classic so I will not describe a lot. If you are beginning with heap challenges, I advise you to read the previous heap writeup.
TL; DR
Fill tcache.
Heap overflow in edit on the bio field, which allows leaking the address of the unsortedbin.
Leak heap and defeat safe-linking to get an arbitrary write through tcache poisoning.
Hijack GOT entry of free to system.
Call free("/bin/sh").
PROFIT
Reverse Engineer...
Introduction
I just learned how to use malloc and free… am I doing this right?
catastrophe is a heap challenge I did during the diceCTF 2022. I did have a lot of issues with the libc and the dynamic linker, thus I first did the challenge with the libc that was in /lib/libc.so.6, then I figured out thanks to my teammate supersnail that I was using the wrong libc. Then I did it again with the right libc but the dynamic linker was (again) wrong and I lost a lot of time on it. So well, t...
Here are just some side notes about Linux kernel internals I put here to avoid having to learn the same things again and again. All notes target Linux kernel 5.18.12. There will be a lot of code for which I do not comment the whole part.
Kernel heap management (SLUB, SLAB, SLOB)
As in userland, the kernel has many algorithms to manage memory allocation according to what the kernel is looking for (huge resources or not, safety needs etc).
SLUB
The SLUB algorithm is the algorithm I know t...
Introduction
The kmem_cache structure is one of the main structures of the SLUB algorithm. It contains pointers to other structures (cpu_slab, node array) and information about the cache it describes (object_size, name). All notes target Linux kernel 5.18.12.
Overview of its role in the allocation process:
Let’s dig into
Here is the definition of the kmem_cache structure:
// https...