In this post, I will give a detailed explanation of the exploit development for CVE-2017-16995. This post is based on  and gives more debugging information for a better understanding. This post will be divided into 3 parts. Part I will discuss what eBPF is, the basic data structures used in eBPF, and how the eBPF program given in the exploit in  should be interpreted. Part II will analyze the root cause of this vulnerability. Part III will explain how the exploit is developed, from arbitrary read/write to privilege escalation. Continue reading “Analysis on CVE-2017-16995”
In my previous post, I introduced what seccomp is, how to set seccomp rules via seccomp_rule_add, and how to bypass them via ptrace. In this post, I am going to further introduce the seccomp filter, another way to set seccomp rules in a program. This post will also involve some kernel debugging to illustrate the internals of the BPF filter.
Continue reading “Seccomp BPF Filter”
This is just practice on a heap challenge. Back in 2015, the challenge seemed difficult, and the one-gadget technique for getting a shell was not yet known. How fast the techniques evolve!
Continue reading “PlaidCTF 2015 PWN PlaidDB Write-up”
I did not attempt this challenge during the contest, but after reading the write-up by , I think it is a good chance to learn about Ruby and sandbox escape. According to my test on a local machine, it seems that using one_gadget to get a shell is also feasible. In this post, I will talk about how to trigger the vulnerability and hijack control flow to get a shell in the end.
Since this is my first time writing a Ruby script and also my first time writing a Ruby sandbox escape, please forgive my ugly code XOrz.
Continue reading “34C3 CTF PWN LFA Write-up”
This is the only challenge I solved during the competition. It only involves some exploitation techniques on fastbins.
Continue reading “ASIS CTF 2018 Cat Write-up”
This challenge seems to be the first appearance of House of Rabbit in a CTF competition. It follows the sample code given in . More details on House of Rabbit are given in my previous post House-of-Rabbit.
Continue reading “XCTF HITB AMS 2018 PWN Mutepig Write-up”
In the recent HITB XCTF, this technique was used in one heap challenge. I think it is necessary to give a basic introduction to it, also as an extension of my tutorial on largebins in ptmalloc.
The criteria for this exploitation technique are strict compared to other techniques, and it requires a lot of manual crafting to ensure the exploit succeeds. The advantage of this technique is that the whole exploitation no longer depends on knowing the base address of libc. But the advantage is limited, as we still need a known address in advance which can be repeatedly and reliably modified. Maybe the CTF community will find more potential in such a technique in the future.
The original information about this technique can be found in . My post is based on that blog.
Continue reading “Extra Heap Exploitation: House-of-Rabbit”