Exploit Tutorial Plan フラグが立った


Since my CTF teammate hopes me to give a tutorial on writing exploit, I decide to write this post as a working plan. From my perspective, how to write exploit is a huge theme and it’s impossible to cover every aspect of writing exploit in one single post. So I write this post to outline what will be covered in my tutorial and urge me to write following posts.

Part 1: Control Flow Hijacking

ELF file format, PE file format, GOT table corruption, Stack buffer overflow, Return-Oriented-Programming, Virtual function call

Part 2: Heap Memory Management

Give a detailed explanation on heap management of ptmalloc based on source code of libc-2.25, including workflow of heap management and security checks.


[1] https://www.gnu.org/software/libc/
[2] http://angelboy.logdown.com/posts/291983-heap-exploitation
[3] https://heap-exploitation.dhavalkapil.com/diving_into_glibc_heap/security_checks.html
[4]https://paper.seebug.org/255/  (Chinese only)

Part 3: Heap Exploitation 1

In this section, I will give a detailed study in heap exploitation techniques based on the CTF challenges in the past year.

House of force: CodeBlue 2017 Nonamestill
House of Spirit: Hack.lu 2014 OREO
Unsafe unlink: TokyoWestern 2017 Simple Note 1
Fastbin attack: 0CTF 2017 Babyheap

[1] https://github.com/shellphish/how2heap
[2] http://binja.github.io/2017/11/13/Thoughts-on-CODE-BLUE-CTF-write-ups/
[3] http://uaf.io/exploitation/2017/03/19/0ctf-Quals-2017-BabyHeap2017.html

Part 4: Heap Exploitation 2

In this section, give an introduction on the new exploitation techniques proposed in recent year.

Unsorted bin attack: 0CTF 2016 Zerostorage
Overlapping chunks: HITB 2017 Sentosa
House of mind: CodeBlue 2017 Demo Scene DB
House of orange: HITCON 2016 House of orange
File Stream Oriented Programming: HITCON 2017 Ghost in the heap

[1] http://brieflyx.me/2016/ctf-writeups/0ctf-2016-zerostorage/
[2] https://loccs.sjtu.edu.cn/wiki/lib/exe/fetch.php?media=gossip:overview:ptmalloc_camera.pdf
[3] http://4ngelboy.blogspot.sg/2016/10/hitcon-ctf-qual-2016-house-of-orange.html
[4] https://github.com/scwuaptx/CTF/tree/master/2017-writeup/hitcon/ghost_in_the_heap
[5] https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique
[6] http://binja.github.io/2017/11/13/Thoughts-on-CODE-BLUE-CTF-write-ups/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.