フラゲを回収しました!! Make a new flag

20180109001.jpg

Introduction

After spending almost two months on the exploitation tutorial, I finally achieve the goal I made when I decided to start writing a tutorial on exploitation before new year. After a one-week break, I think I need to make some new goals next. So I will list the things I will do in the next two month as an appendices to my exploit tutorial.

Work Plan and references

(1) House of Lore
[1] https://github.com/shellphish/how2heap
[2] https://gbmaster.wordpress.com/2015/07/16/x86-exploitation-101-house-of-lore-people-and-traditions/
[3] The House Of Lore: Reloaded ptmalloc v2 & v3: Analysis & Corruption http://phrack.org/issues/67/8.html
[4] SECCON 2017 Qual Candy Store

(2) Thread Cache introduced in libc-2.26.
[1] http://tukan.farm/2017/07/08/tcache/
[2] CVE-2017-17426 https://bugzilla.redhat.com/show_bug.cgi?id=1524530

(3) Exploitation Technique: dlopen
[1] CODEBLUE 2017 CTF DEMONSCENEDB https://github.com/david942j/ctf-writeups/blob/master/codeblue-2017/demo_scene_db/demo_scene_db.rb

(4) Exploitation Technique: ret2-dl-resolve
Since in my previous post Dynamic Link, I leave a clue in conclusion part that lazy binding could be used for exploitation. Here I will introduce the ret2-dl-resolve technique in exploitation.
[1] http://angelboy.logdown.com/posts/283218-return-to-dl-resolve
[2] http://inaz2.hatenablog.com/entry/2014/07/27/205322
[3] HITCON 2015 CTF BLINKROOT http://ddaa.tw/hitcon_pwn_200_blinkroot.html

(5)Overlapping chunk: Attack on large bin

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.