Introduction

In the previous part, I give an introduction on how to create an ubuntu image for QEMU. However, after beginning to analyse the qemu vulnerability I feel the debugging process is very uncomfortable. What I prefer is just a terminal of QEMU with a guest running on that. This makes me recall what I do on Syzkaller fuzzer.
In this post, I just list the necessary steps to create a much more friendly debugging environment.
Read More »

Introduction

As a totally newbie in virtualization technology, this post will gives more details in setting up the testing environment for QEMU based on [1].
Read More »

Introduction

After the spring festival, I am considering what to do besides my research work. Since it seems that VM escape has become a routine challenge in recent CTFs. A zero day is even used as a challenge in 34C3 CTF. I think it’s time to start a new journey on vm escape.Read More »

Introduction

In the beginning of the tutorial, I introduce the ELF Format and mention that there exist some exploitation techniques on that. In this post, I will introduce the ret-2-dl_resolve technique based on source code of glibc. Furthermore, I will give a more detailed explanation at binary level for explaining the memory layout during exploitation based on ld-2.19.
Read More »

Introduction

In the Heap Exploitation on House of Orange, we introduce an implicit free in the allocation procedure. In this post, I hope to record the implicit malloc/free met in the function of glibc. As a start, I will introduce the implicit malloc/free in printf function. In future, I may update other functions that I come across in CTF challenges.
The version of glibc used for testing may be different on different functions. The version of glibc will be given in each part.
(*)vfprintf
Read More »

Introduction

This is an exploitation technique used in solution for CODEBLUE CTF 2017 DEMOSCENEDB given by 217 [1]. This technique applies to the situation where magic gadget is not feasible and attacker gains ability to overwrite _dl_open with any value.
To give a better explanation of this technique, I will give more details based on source code libc-2.25 and the lib.so.6 given i CODEBLUE CTF 2017 DEMOSCENEDB.

Read More »

Introduction

In glibc-2.26, TCache (per-thread cache), a new feature, was introduced in malloc. I did not take much notice to the new patch last year until I came across the SimpleGC challenge in 34C3 CTF last year. During the contest, I did not take much time analysing the work flow of TCache and used a brute-force method to get the desired result.
In this post, I am going to give a detailed explanation on how TCache works. Based on the background knowledge, I will introduce two potential exploitation techniques that may appear in future CTF challenges. One is TCache poison [1], which is very similar to fastbin corruption attack. The other one is CVE-2017-17426, which may bring unexpected effect in heap exploitation. Both techniques are tested with glibc-2.26 on Ubuntu 17.04.
Read More »

Introduction

In this post I am going to give a basic introduction on House of Lore exploitation technique. And I will use the source code of libc-2.23 for explanation.
Read More »

Introduction

After spending almost two months on the exploitation tutorial, I finally achieve the goal I made when I decided to start writing a tutorial on exploitation before new year. After a one-week break, I think I need to make some new goals next. So I will list the things I will do in the next two month as an appendices to my exploit tutorial.

Read More »