HITCON 2016 CTF Quals House-of-Orange Write-up


The author of this challenge presents some impressive exploitation techniques in libc. Technically, the challenge involves two heap exploitation tricks. One is House of Orange, which lets an attacker trigger _int_free even when no free function is available. The other is File Stream Oriented Programming (FSOP), an advanced exploitation technique on the FILE structure. Since a more advanced FSOP was proposed in HITCON 2017 CTF Quals, this post mainly discusses House of Orange and only touches briefly on FSOP.

Introduction on Ptmalloc Part 2



In the first part of this lecture, I introduced the structure of a memory chunk and the internal implementation of memory allocation in ptmalloc. In this part, I continue with the remaining parts of ptmalloc. First, I give an introduction to the deallocation and reallocation procedures in ptmalloc. Then I introduce the security checks in ptmalloc and the intention behind each of them.

CODEBLUE CTF 2017 DEMOSCENEDB Write-up (House of Mind, seemingly wrong at present)


This challenge was given at CodeBlue CTF 2017. Based on the source code provided in [1], I try to solve it via House of Mind. I think it would have been impossible for me to solve it during the contest. As part of my tutorial, I decided to use this challenge to explain House of Mind.

Introduction on Ptmalloc Part1



Ptmalloc is the memory allocator used in libc. I plan to give a detailed introduction to ptmalloc in two parts; this post is the first. In this post, I introduce the common data structures used in ptmalloc and present the workflow of the allocation procedure. In the second part, I will present the workflow of the deallocation and reallocation procedures, and I will also list the security checks used in ptmalloc. I use the source code of libc-2.25 for demonstration.