不知道为什么以前都不把这些记录下来,然后每次做到的时候都会忘了从零开始学。
本文将主要介绍 2.23 和 2.31 版本下的利用,2.27 和 2.23 差不多,多填一个 tcache 即可。2.29 和 2.31 也差不多,多了一个 key。
因此,阅读本文你需要对 Heap 的分配有一定的基础,本文将更多涉及方法而非原理。
本文涉及的挑战主要有以下几个特征
Recently, I've been working on some development projects, and I keep all my projects on OneDrive, using ln -s to create a symbolic link in WSL2 for development.
The IO performance across file systems like WSL2 ext4 and NTFS is painfully slow. Some venv and node_modules also heavily pollute my OneDrive. Despite some optimizations, frequent use of commands like git status has made me somewhat dissatisfied with this approach. However, I've always felt that the benefits of OneDrive synchronization outweigh these side effects, so I haven't done anything about it. Yesterday, I came across Dev Drive and suddenly thought, why not change it?
Considering that projects typically involve a large number of files, mostly small ones, I decided to migrate certain folders to WSL2 and use Robocopy to synchronize content bidirectionally between OneDrive and WSL2, trading space for efficiency.
This article will be tailored to my specific use case. If you just need to back up WSL2 content to OneDrive, I recommend referring to this article.
In this article, we will follow along with Linux Kernel Teaching, progressing from basic to advanced kernel studies, to prepare for potential future kernel development work.
It's worth noting that this course also has a Chinese version, and you can support their efforts by starring the repository at linux-kernel-labs-zh/docs-linux-kernel-labs-zh-cn.
In subsequent blog posts, I may simply summarize the course content, as copying existing material without adding my own insights would be pointless. Our focus will be on the experimental sections.
Leetcode problem-solving can be a tad monotonous, so I plan to tackle one real problem set for a day (smile). I won't be tackling particularly difficult problems or extensive simulations to ensure a fast problem-solving pace.
I will follow a specific order in solving problems.
Attachment download link: https://pwnable.tw/static/chall/netatalk.tgz + https://pwnable.tw/static/libc/libc-18292bd12d37bfaf58e8dded9db7f1f5da1192cb.so
It took about 1.5 days, and overall it was a very productive debugging and reproducing process. I learned some exploitation and debugging techniques, and it was very helpful for expanding my mindset.
The discovery process of the vulnerability is explained clearly by the author in Exploiting an 18 Year Old Bug. A Write-up for CVE-2018–1160 | by Jacob Baines, which is very interesting. You can also find a translated version at Discovery and Exploitation of Netatalk CVE-2018-1160_c01dkit's Blog-CSDN Blog.
The author mentioned in their blog that this vulnerability can only be exploited on NAS with -no-pie. However, the creator of the HITCON 2019 challenge, DDAA, provided an exploit approach in HITCON CTF 2019 Pwn 371 Netatalk (ddaa.tw), which basically involves leveraging the nature of fork where child processes do not change the memory layout — in other words, ASLR plays a very minor role (laughs). This way, we can expose a valid address through a side channel and then exploit it.
Recently encountered this vulnerability, it seems to have a wide range of potential exploits. Although most machines in China seem to have a relatively low version of libc, let's take a look at it first.
OS: Ubuntu 22.04.1 LTS on Windows 10 x86_64
Kernel: 5.15.123.1-microsoft-standard-WSL2
Glibc: 2.35-0ubuntu3.3
- Arbitrary Write OG once
- Write func + arg1 twice
- Forge _rtld_global structure
In short, when exit calls _dl_fini, it will invoke _rtld_lock_lock_recursive and _rtld_lock_unlock_recursive for locking and unlocking. After these macros expand, they are respectively _rtld_global._dl_lock_lock_recursive(&_rtld_global._dl_load_lock.mutex) and _rtld_global._dl_lock_unlock_recursive(&_rtld_global._dl_load_lock.mutex)
libc-2.23 _rtld_global:0x5f0040 __rtld_lock_lock_recursive: 3848 __rtld_lock_unlock_recursive: 3856
libc-2.27 _rtld_global:0x619060 __rtld_lock_lock_recursive: 3840 __rtld_lock_unlock_recursive: 3848
libc-2.31 _rtld_global:0x23e060 __rtld_lock_lock_recursive: 3848 __rtld_lock_unlock_recursive: 3856
Modify _rtld_lock_lock_recursive/_rtld_lock_unlock_recursive to OneGadget.
Or modify _rtld_lock_lock_recursive/_rtld_lock_unlock_recursive to func, then modify _rtld_global._dl_load_lock.mutex to arg1.
This Content is generated by ChatGPT and might be wrong / incomplete, refer to Chinese version if you find something wrong.
Feeling tired of typing ssh, git pull, and npm run build every time to deploy your blog? Well, I thought about using a webhook.
But still need to manually resolve the conflicts in package-lock.json, wondering if there's a way to ignore it (just ignore this thing!)
I don't know what happened, I used to be able to access services in WSL2 directly from the host using localhost:port, but suddenly it doesn't work today. Taking this opportunity, I'll create a virtual network card based on the documentation I read recently to set up a WSL2 bridge, which will not only support IPv6 but also allow direct access to my WSL2 services in the local network without the need for port forwarding. Since my WSL2 is not sandboxed anyway, I'm not too concerned about security xD.