Extra Exploitation Technique: Implicit Malloc and Free in glibc

Introduction

In the Heap Exploitation on House of Orange, we introduce an implicit free in the allocation procedure. In this post, I hope to record the implicit malloc/free met in the function of glibc. As a start, I will introduce the implicit malloc/free in printf function. In future, I may update other functions that I come across in CTF challenges.
The version of glibc used for testing may be different on different functions. The version of glibc will be given in each part.
(*)vfprintf
(more…)

CODEBLUE CTF 2017 DEMOSCENEDB Write-up (House of Lore)

Introduction

I take a weekend to view the write-up given by 217 [1]. I think their solution is so amazing, which is based on House of Lore. Therefore, I decide to write a new write-up on DEMOSCENEDB in CodeBlue CTF 2017 and demonstrate the usage of House of Lore again.
According to the post of challenge author [2], this challenge is supposed to be solved via House of Mind. However, 217 gave a solution on House of Lore and include many exploitation tricks, e.g. dl_open. In this post I will just mention about the tricks given above and give detailed tutorials later.
The exploit given in this post is completely based on the exploit of 217. The main work of this post is to rewrite the exploit in python with some debugging info and provide more details about the exploitation procedure.

So fucking interesting is heap exploitation.
(more…)

Extra Exploitation Technique 1: _dl_open

20180120003

Introduction

This is an exploitation technique used in solution for CODEBLUE CTF 2017 DEMOSCENEDB given by 217 [1]. This technique applies to the situation where magic gadget is not feasible and attacker gains ability to overwrite _dl_open with any value.
To give a better explanation of this technique, I will give more details based on source code libc-2.25 and the lib.so.6 given i CODEBLUE CTF 2017 DEMOSCENEDB.

(more…)