MuelNova
Pwner who wants to write codes.

Branch Talk 03

· 4 min read

Seeing this title, you might wonder: What is Branch Talk? Isn't it something from Genshin Impact? And why is it already 03? Where did the first two go?

My answer is, I don't know either. Today, when flipping through my 2021 class notes for a junior, I unexpectedly found this incomplete backup of an old article on my hard drive.

Reflections on My Three Undergraduate Years

· 10 min read

Written on 2024/09/24.

Surveying my planned agenda, I listed three items side by side: “CTF challenge replays,” “research exploration,” and “project development.” All three stood equal, yet my mind was restless, unable to decide where to begin.

After much agonizing thought, I suddenly recalled my application for automatic recommendation to grad school and reflected on my more-than-three-year journey as an undergrad. Resolving to gather my focus, I sat upright, determined to record it all on this blog—for peers to enjoy and for my own self-awakening.

[Pwn] A Primer on House Of Muney

· 4 min read

A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.

In short, House Of Muney bypasses ASLR and achieves code execution without any memory leak.

Its prerequisites are:

  • Partial RELRO or No RELRO (we need to overwrite .dynsym to hijack dlresolve)
  • Ability to allocate large chunks via mmap
  • Ability to forge a chunk’s prev_size and size fields to flip the IS_MMAPPED bit

We’ll use glibc 2.31 in Docker. Here’s a sample Dockerfile:

FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh

Exploiting Off-by-null

· 6 min read

For some reason, I never documented these techniques before, and every time I solve one of these challenges I have forgotten the details and start from scratch.

This post will focus on exploits in glibc versions 2.23 and 2.31. Version 2.27 is similar to 2.23 (just fill one extra tcache), and 2.29 is similar to 2.31 (adds one extra key).

This post assumes you already have a solid foundation in glibc heap allocation; it emphasizes methods over theory.

The challenges covered here share these features:

  • An off-by-null vulnerability
  • Almost unlimited number of allocations
  • Allocation size is virtually unlimited or can reach largebin range
  • No edit function or only a single edit allowed
  • Only one show (view) operation—technically you can skip it, but setting up the heap becomes too tedious, better to sleep