MuelNova

I've always enjoyed folding up my blog, because it allows me to fully indulge in virtual light and shadow. Today, I moved my written blog posts to the Blog section, so I no longer have to worry about RSS issues. To distinguish them from technical articles, I named this series “Otaku Visit”—on one hand, public articles are like inviting others to your home as guests, letting people know your values and observe your life; on the other hand, as an Otaku, I believe a large part of my blog's audience are also Otaku, so it's a double entendre (laugh).

I’ve never explored cross-cache before, so today let’s dive into it.

I am new to Kernel Pwn.

The related GitHub repository can be found by searching for qwb2021 on GitHub.

Seeing this title, you might wonder: What is Branch Talk? Isn't it something from Genshin Impact? Why is it already 03, where did the first two go?

My answer is, I don't know either. Today, when flipping through my 2021 class notes for a junior, I unexpectedly found this incomplete backup of an old article on my hard drive.

You’ll need CPU host passthrough enabled (check /proc/cpuinfo for details).

Assuming QEMU and related packages are already installed, I won’t repeat those steps here.

Inspired by "15 Questions for Independent Blog Self-Reflection"

Yes, the title is a bit grand. This article originates from some thoughts and feelings I had after a video call with my mother today.

Perhaps I may be judged as cold-hearted, but helplessly, this is who I am.

September is my big spending month. Originally, my living expenses dropped sharply due to renting, but I still have to pay for so many things, so I decided to downgrade my consumption.

Written on 2024/09/24.

Surveying my planned agenda, I listed three items side by side: “CTF challenge replays,” “research exploration,” and “project development.” All three stood equal, yet my mind was restless, unable to decide where to begin.

After much agonizing thought, I suddenly recalled my application for automatic recommendation to grad school and reflected on my more-than-three-year journey as an undergrad. Resolving to gather my focus, I sat upright, determined to record it all on this blog—for peers to enjoy and for my own self-awakening.

A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.

In short, House Of Muney bypasses ASLR and achieves code execution without any memory leak.

Its prerequisites are:

• Partial RELRO or No RELRO (we need to overwrite .dynsym to hijack dlresolve)
• Ability to allocate large chunks via mmap
• Ability to forge a chunk’s prev_size and size fields to flip the IS_MMAPPED bit

We’ll use glibc 2.31 in Docker. Here’s a sample Dockerfile:

FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh