Extra Exploitation Technique: return-to-dl_resolve

Introduction

At the beginning of the tutorial, I introduced the ELF format and mentioned that several exploitation techniques build on it. In this post, I will introduce the ret-2-dl_resolve technique based on the glibc source code. Furthermore, I will give a more detailed explanation at the binary level of the memory layout during exploitation, based on ld-2.19.

Extra Exploitation Technique: Implicit Malloc and Free in glibc

Introduction

In the Heap Exploitation on House of Orange, we introduced an implicit free in the allocation procedure. In this post, I hope to record the implicit malloc/free encountered in glibc functions. As a start, I will introduce the implicit malloc/free in the printf function. In future, I may add other functions that I come across in CTF challenges.
The version of glibc used for testing may differ between functions; the version is given in each part.
(*)vfprintf

CODEBLUE CTF 2017 DEMOSCENEDB Write-up (House of Lore)

Introduction

I took a weekend to go through the write-up given by 217 [1]. I think their solution is amazing; it is based on House of Lore. Therefore, I decided to write a new write-up on DEMOSCENEDB in CodeBlue CTF 2017 and demonstrate the usage of House of Lore again.
According to the post by the challenge author [2], this challenge is supposed to be solved via House of Mind. However, 217 gave a solution based on House of Lore that includes many exploitation tricks, e.g. dl_open. In this post I will just mention the tricks given above and give detailed tutorials later.
The exploit given in this post is completely based on the exploit of 217. The main work of this post is to rewrite the exploit in Python with some debugging info and provide more details about the exploitation procedure.

So fucking interesting is heap exploitation.

Extra Exploitation Technique 1: _dl_open

20180120003

Introduction

This is an exploitation technique used in the solution to CODEBLUE CTF 2017 DEMOSCENEDB given by 217 [1]. It applies to the situation where the magic gadget is not feasible and the attacker gains the ability to overwrite _dl_open with an arbitrary value.
To give a better explanation of this technique, I will give more details based on the libc-2.25 source code and the libc.so.6 given in CODEBLUE CTF 2017 DEMOSCENEDB.


Extra Heap Exploitation 2: TCache and Potential Exploitation

20180116001

Introduction

In glibc-2.26, TCache (per-thread cache), a new feature, was introduced in malloc. I did not take much notice of the new patch last year until I came across the SimpleGC challenge in 34C3 CTF last year. During the contest, I did not take much time analysing the workflow of TCache and used a brute-force method to get the desired result.
In this post, I am going to give a detailed explanation of how TCache works. Based on that background, I will introduce two potential exploitation techniques that may appear in future CTF challenges. One is TCache poisoning [1], which is very similar to the fastbin corruption attack. The other is CVE-2017-17426, which may have unexpected effects in heap exploitation. Both techniques are tested with glibc-2.26 on Ubuntu 17.04.

SECCON CTF 2017 Online Candy Store Write-Up

Introduction

Since I was recently trying to make an extra tutorial on the House of Lore exploitation technique and found this challenge in SECCON last year, I decided to use it to demonstrate the usage of House of Lore.
The binary of this challenge is a bit complicated, so I will first introduce the workflow of the challenge and then explain how to develop the exploit.