MuelNova

I’ve never explored cross-cache before, so today let’s dive into it.

I am new to Kernel Pwn.

The related GitHub repository can be found by searching for qwb2021 on GitHub.

Seeing this title, you might wonder: What is Branch Talk? Isn't it something from Genshin Impact? Why is it already 03, where did the first two go?

My answer is, I don't know either. Today, when flipping through my 2021 class notes for a junior, I unexpectedly found this incomplete backup of an old article on my hard drive.

You’ll need CPU host passthrough enabled (check /proc/cpuinfo for details).

Assuming QEMU and related packages are already installed, I won’t repeat those steps here.

Inspired by "15 Questions for Independent Blog Self-Reflection"

Yes, the title is a bit grand. This article originates from some thoughts and feelings I had after a video call with my mother today.

Perhaps I may be judged as cold-hearted, but helplessly, this is who I am.

September is my big spending month. Originally, my living expenses dropped sharply due to renting, but I still have to pay for so many things, so I decided to downgrade my consumption.

Written on 2024/09/24.

Surveying my planned agenda, I listed three items side by side: “CTF challenge replays,” “research exploration,” and “project development.” All three stood equal, yet my mind was restless, unable to decide where to begin.

After much agonizing thought, I suddenly recalled my application for automatic recommendation to grad school and reflected on my more-than-three-year journey as an undergrad. Resolving to gather my focus, I sat upright, determined to record it all on this blog—for peers to enjoy and for my own self-awakening.

A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.

In short, House Of Muney bypasses ASLR and achieves code execution without any memory leak.

Its prerequisites are:

• Partial RELRO or No RELRO (we need to overwrite .dynsym to hijack dlresolve)
• Ability to allocate large chunks via mmap
• Ability to forge a chunk’s prev_size and size fields to flip the IS_MMAPPED bit

We’ll use glibc 2.31 in Docker. Here’s a sample Dockerfile:

FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh

For some reason, I never documented these techniques before, and every time I solve them I forget to start from scratch.

This post will focus on exploits in glibc versions 2.23 and 2.31. Version 2.27 is similar to 2.23 (just fill one extra tcache), and 2.29 is similar to 2.31 (adds one extra key).

Therefore, you should already have a solid foundation in heap allocation. This article emphasizes methods over theory.

The challenges covered here share these features:

• An off-by-null vulnerability
• Almost unlimited number of allocations
• Allocation size is virtually unlimited or can reach largebin range
• No edit function or only a single edit allowed
• Only one show (view) operation—technically you can skip it, but setting up the heap becomes too tedious, better to sleep