MuelNova

是的，这个标题取得大了一点。这篇文章源于我今日和我妈妈视频通话后，我的一些所思所感。

或许会被评价为一个冷血的人，但无可奈何的，这就是我。

九月份是我的续费大月，本来因为租房生活费就暴降了，还要续费这么多东西，痛定思痛，决定消费降级。

本文作于 2024/09/24。

目视初定之日程，列有三端：“赛题复现”其一也，“科研探索”其二也，“项目开发”其三也。三者并列，然心绪纷扰，犹豫不决，竟莫能定其所从。

苦思冥想，久矣未决。忽思推免之事，忆本科三载有余，吾之心路漫漫，乃定心凝神，正襟危坐，欲将其尽书于博客之上，以飨同好，亦以自醒。

前几天 ZBR 发了这个 repo，我寻思没听过，看着攻击能力还挺强的，于是浅浅分析一下。

简单来说，这个 house 能做这样一件事：在没有泄露的情况下绕过 ASLR 实现代码执行。

而它的利用条件如下：

• Partial RELRO / No RELRO —— 它需要修改 .dynsym 去修改 dlresolve 结果
• 可以分配较大的堆 —— 要使其由 MMAP 分配
• 能够改写这个堆的 prev_size 和 size 字段，使得 IS_MMAPED 位被改写

本文将基于 2.31 的环境，复现 Docker 可以使用下面的 Dockerfile：

FROM ubuntu:20.04

ENV DEBIAN_FRONTEND noninteractive

# Update
RUN apt-get update -y && apt-get install socat -y gdb vim tmux python3 python3-pip 

# General things needed for pwntools and pwndbg to run
RUN apt-get install git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev -y 

RUN pip3 install pwn

# Install pwndbg
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh && cd ../ 

RUN echo "set auto-load safe-path /" >> /root/.gdbinit

# Challenge files to ADD
RUN git clone https://github.com/mdulin2/house-of-muney 

# Fixes the loader and recompiles the binary for us :) 
RUN cd house-of-muney && ./compile.sh

不知道为什么以前都不把这些记录下来，然后每次做到的时候都会忘了从零开始学。

本文将主要介绍 2.23 和 2.31 版本下的利用，2.27 和 2.23 差不多，多填一个 tcache 即可。2.29 和 2.31 也差不多，多了一个 key。

因此，阅读本文你需要对 Heap 的分配有一定的基础，本文将更多涉及方法而非原理。

本文涉及的挑战主要有以下几个特征

• 存在 off-by-null
• 分配次数几乎不受限
• 分配大小几乎不受限或是能分配 largebin 范围
• 不存在 edit 函数或只能 edit 一次
• 只能 show 一次（按理来说不能 show 也可以，但是堆块分配太麻烦了，做这种题不如睡觉）

在此之前​

我们会在 rCore 的基础上，完成我们自定义的内核。

我们使用 Docker 版本进行开发

即

make docker

你可能需要的一些知识前置：

• 操作系统

• Rust

• RISC-V ISA

Recently, I've been working on some development projects, and I keep all my projects on OneDrive, using ln -s to create a symbolic link in WSL2 for development.

The IO performance across file systems like WSL2 ext4 and NTFS is painfully slow. Some venv and node_modules also heavily pollute my OneDrive. Despite some optimizations, frequent use of commands like git status has made me somewhat dissatisfied with this approach. However, I've always felt that the benefits of OneDrive synchronization outweigh these side effects, so I haven't done anything about it. Yesterday, I came across Dev Drive and suddenly thought, why not change it?

Considering that projects typically involve a large number of files, mostly small ones, I decided to migrate certain folders to WSL2 and use Robocopy to synchronize content bidirectionally between OneDrive and WSL2, trading space for efficiency.

This article will be tailored to my specific use case. If you just need to back up WSL2 content to OneDrive, I recommend referring to this article.

Before We Begin​

In this article, we will follow along with Linux Kernel Teaching, progressing from basic to advanced kernel studies, to prepare for potential future kernel development work.

It's worth noting that this course also has a Chinese version, and you can support their efforts by starring the repository at linux-kernel-labs-zh/docs-linux-kernel-labs-zh-cn.

In subsequent blog posts, I may simply summarize the course content, as copying existing material without adding my own insights would be pointless. Our focus will be on the experimental sections.

Leetcode problem-solving can be a tad monotonous, so I plan to tackle one real problem set for a day (smile). I won't be tackling particularly difficult problems or extensive simulations to ensure a fast problem-solving pace.

I will follow a specific order in solving problems.

Attachment download link: https://pwnable.tw/static/chall/netatalk.tgz + https://pwnable.tw/static/libc/libc-18292bd12d37bfaf58e8dded9db7f1f5da1192cb.so

It took about 1.5 days, and overall it was a very productive debugging and reproducing process. I learned some exploitation and debugging techniques, and it was very helpful for expanding my mindset.

The discovery process of the vulnerability is explained clearly by the author in Exploiting an 18 Year Old Bug. A Write-up for CVE-2018–1160 | by Jacob Baines, which is very interesting. You can also find a translated version at Discovery and Exploitation of Netatalk CVE-2018-1160_c01dkit's Blog-CSDN Blog.

The author mentioned in their blog that this vulnerability can only be exploited on NAS with -no-pie. However, the creator of the HITCON 2019 challenge, DDAA, provided an exploit approach in HITCON CTF 2019 Pwn 371 Netatalk (ddaa.tw), which basically involves leveraging the nature of fork where child processes do not change the memory layout — in other words, ASLR plays a very minor role (laughs). This way, we can expose a valid address through a side channel and then exploit it.