Introduction

The kmem_cache structure is one of the main structures of the SLUB allocator. It contains pointers to other structures (cpu_slab, the node array) and information about the cache it describes (object_size, name). All notes target Linux kernel 5.18.12.

Overview of its role in the allocation process:

Let's dig into

Here is the definition of the kmem_cache structure:
// https...
Once for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. It is a classic unsorted bin attack plus a FSOP on stdin. Find the tasks and the final exploit here and here.

Reverse engineering

All the pseudo-code snippets below were produced by IDA Freeware:

int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [rsp+18h] [rbp-8h] BYREF
  int i; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; i <= 49;...
What we can do
In the edit feature, we can overwrite the bytes right after any chunk, up to the first NULL byte.

In the alloc handler, the loop over the alloc array iterates one time too many, so the out-of-bounds entry overlaps the first entry of the size array. That entry ends up holding a chunk address, which, read as a size, is huge, so we can easily trigger a large heap overflow.

The libc version is 2.23, which means there are far fewer integrity checks on _IO_FILE_plus than in more recent versions (the vtable validation done by _IO_vtable_check only appeared in glibc 2.24).
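To make the off-by-one concrete, here is an added model of the bookkeeping bug described above. It is not the challenge binary's code: the struct layout (pointer array immediately followed by the size array), the slot count and the handler logic are assumptions chosen so that alloc[SLOTS] and size[0] share the same bytes, which is the overlap the write-up relies on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 8

/* Assumed layout, not the challenge binary's: the chunk-pointer array is
 * immediately followed in memory by the size array, so alloc[SLOTS] and
 * size[0] are the same 8 bytes (both members are pointer-aligned, no padding). */
struct table {
    void  *alloc[SLOTS];
    size_t size[SLOTS];
};

/* Byte address of pointer slot i, computed on the struct's own bytes so the
 * off-by-one lands exactly where it does in adjacent bookkeeping arrays. */
static unsigned char *slot_bytes(struct table *t, int i)
{
    return (unsigned char *)t + offsetof(struct table, alloc)
           + (size_t)i * sizeof(void *);
}

/* Vulnerable handler: fills the table with "<=" as the loop bound, so the
 * (SLOTS+1)-th chunk pointer is stored at alloc[SLOTS], i.e. on top of size[0].
 * Returns the pointer that was stored out of bounds. */
static void *fill_vuln(struct table *t, size_t req)
{
    void *p = NULL;
    for (int i = 0; i <= SLOTS; i++) {          /* off-by-one: should be '<' */
        p = malloc(req);
        memcpy(slot_bytes(t, i), &p, sizeof p);
        if (i < SLOTS)
            t->size[i] = req;
    }
    return p;
}

/* Hardened handler: correct bound, never touches the size array by accident.
 * Returns the number of chunks stored. */
static int fill_fixed(struct table *t, size_t req)
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++) {
        void *p = malloc(req);
        if (!p) break;
        t->alloc[i] = p;
        t->size[i] = req;
        n++;
    }
    return n;
}

/* The edit handler trusts size[i] as the number of bytes it may write into
 * alloc[i]. After fill_vuln, size[0] is a heap address, far above any real
 * chunk size, so editing chunk 0 turns into a large heap overflow. */
static size_t edit_len(const struct table *t, int i)
{
    return t->size[i];
}

/* Releases the SLOTS real entries; the out-of-bounds pointer lives in size[0]
 * and is the caller's to free. */
static void table_free(struct table *t)
{
    for (int i = 0; i < SLOTS; i++) {
        free(t->alloc[i]);
        t->alloc[i] = NULL;
    }
}
```

After fill_vuln, edit_len(&t, 0) returns the raw heap address that was written over size[0]; with the fixed bound, size[0] stays at the requested size and the table simply reports that it is full.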
Top chunk free’...
Intro

phonebook is a basic heap challenge I did during the dctf event. It is basically just a heap overflow which allows us to overwrite a function pointer with, for example, the address of system.

The bug

$ ./phonebook
Choose an option: [1-5]
1. Store someone's information
2. Edit information
3. Call someone
4. Unfriend someone
5. Add the hidden_note
>

We can create an entry and then initialize a name, a number and a function pointer.

int __fastcall create(unsi...
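The overflow-into-function-pointer pattern, as an added example that is not the challenge's code: the entry layout (16-byte name, 16-byte number, then the function pointer that "Call someone" invokes), the edit handler and the call_hijacked stand-in for system are all assumptions. The vulnerable edit copies an attacker-chosen length into the name field, so a payload of filler followed by a pointer value replaces the function pointer; the hardened edit refuses anything that does not fit.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout, not the challenge's struct: a fixed-size name, a fixed-size
 * number, then the function pointer that "Call someone" invokes. A name that
 * is too long runs through number and into the pointer. */
struct entry {
    char   name[16];
    char   number[16];
    void (*call)(struct entry *);
};

static int last_called;   /* records which function the entry's pointer ran */

static void call_real(struct entry *e)     { (void)e; last_called = 1; }
/* Stand-in for the attacker's target (system in the challenge). */
static void call_hijacked(struct entry *e) { (void)e; last_called = 2; }

static struct entry *entry_new(const char *name, const char *number)
{
    struct entry *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    strncpy(e->name, name, sizeof e->name - 1);
    strncpy(e->number, number, sizeof e->number - 1);
    e->call = call_real;
    return e;
}

/* Vulnerable edit: copies len bytes into the 16-byte name with no bound check
 * against the field. The cap at the object size is demo-only so the write stays
 * inside this chunk; the real bug has no such cap and spills into the next one. */
static void edit_name_vuln(struct entry *e, const unsigned char *src, size_t len)
{
    if (len > sizeof *e) len = sizeof *e;
    memcpy((unsigned char *)e + offsetof(struct entry, name), src, len);
}

/* Hardened edit: rejects anything that does not fit in the field, returns 0. */
static int edit_name_safe(struct entry *e, const unsigned char *src, size_t len)
{
    if (len >= sizeof e->name) return 0;
    memcpy(e->name, src, len);
    e->name[len] = '\0';
    return 1;
}

/* Builds the overflow payload: filler up to the pointer, then the address of
 * the function we want "Call someone" to run. Returns the payload length. */
static size_t build_payload(unsigned char *out, void (*target)(struct entry *))
{
    size_t off = offsetof(struct entry, call);
    memset(out, 'A', off);
    memcpy(out + off, &target, sizeof target);
    return off + sizeof target;
}

/* Runs the whole chain (create, edit, call) and returns which function the
 * entry ended up invoking: 1 = original, 2 = hijacked, -1 = allocation failed. */
static int run_scenario(int use_safe_edit)
{
    unsigned char payload[sizeof(struct entry)];
    size_t len = build_payload(payload, call_hijacked);
    struct entry *e = entry_new("alice", "0123456789");
    if (!e) return -1;
    if (use_safe_edit)
        edit_name_safe(e, payload, len);     /* refused: 40 bytes >= 16 */
    else
        edit_name_vuln(e, payload, len);     /* overwrites e->call */
    last_called = 0;
    e->call(e);                              /* "Call someone" */
    int result = last_called;
    free(e);
    return result;
}
```

run_scenario(0) models the bug: the call goes to call_hijacked, exactly as pointing the field at system would in the real binary. run_scenario(1) shows that a length check on the edit is enough to keep the function pointer intact.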