[KPWN] Cross-Cache Attack
I’ve never explored cross-cache before, so today let’s dive into it.
I am new to Kernel Pwn.
The related GitHub repository can be found by searching for qwb2021 on GitHub.
Seeing this title, you might wonder: what is Branch Talk? Isn't that something from Genshin Impact? And why does it start at 03; where did the first two go?
My answer is: I don't know either. Today, while flipping through my junior-year class notes from 2021, I unexpectedly found this incomplete backup of an old article on my hard drive.
You'll need CPU host passthrough enabled (QEMU's -cpu host, which requires KVM: the host's /proc/cpuinfo must list vmx or svm, and the guest's /proc/cpuinfo will then show the host CPU model and flags).
Assuming QEMU and related packages are already installed, I won’t repeat those steps here.
Inspired by "15 Questions for Independent Blog Self-Reflection"
Yes, the title is a bit grand. This article originates from some thoughts and feelings I had after a video call with my mother today.
Perhaps I will be judged cold-hearted, but I can't help it; this is who I am.
September is my big spending month. Originally, my living expenses dropped sharply due to renting, but I still have to pay for so many things, so I decided to downgrade my consumption.
Written on 2024/09/24.
Surveying my planned agenda, I listed three items side by side: “CTF challenge replays,” “research exploration,” and “project development.” All three stood equal, yet my mind was restless, unable to decide where to begin.
After much agonizing thought, I suddenly recalled my application for recommended admission to grad school and reflected on my more-than-three-year journey as an undergrad. Resolving to gather my focus, I sat upright, determined to record it all on this blog, for peers to enjoy and for my own self-awakening.
A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.
In short, House of Muney bypasses ASLR and achieves code execution without needing any memory leak.
Its prerequisites are:
1. A large allocation that malloc serves with mmap(), plus a write into that chunk's prev_size and size fields (an overflow from the adjacent chunk is enough) that enlarges size while keeping the IS_MMAPPED bit set, so that free() munmap()s the pages beyond the chunk as well.
2. A later large allocation that mmap()s back over the freed range, which overlaps the library's .dynsym; the attacker fills in a fake symbol table to hijack dlresolve, so lazy binding must still be in effect (no Full RELRO / BIND_NOW).
We'll use glibc 2.31 in Docker. Here's a sample Dockerfile:
# Ubuntu 20.04 ships glibc 2.31
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
# pwndbg for heap inspection; auto-load safe-path lets gdb pick up the repo's .gdbinit
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
# The reference implementation and its build script
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh
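The chunk-header side of the first prerequisite is easy to see in a few lines of C. The following is an added example, not code from the original post or from the house-of-muney repository: it reads the header of an mmap()ed glibc chunk, checks the IS_MMAPPED bit, and mirrors the range computation glibc's munmap_chunk() performs, so you can see exactly which pages a forged size field would hand to munmap() and why the forged size must stay page aligned. It assumes x86_64 glibc (16-byte chunk header, IS_MMAPPED == 0x2, 128 KiB default mmap threshold); the 64-page enlargement is a constructed value and is only fed to the calculation, nothing is actually corrupted or unmapped.

```c
/* Added example, not from the original post or the house-of-muney repo.
 * Assumes x86_64 glibc: 16-byte chunk header, IS_MMAPPED == 0x2. The forged
 * sizes below are constructed values used only for the range calculation. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>

#define SIZE_BITS   0x7UL   /* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA */
#define IS_MMAPPED  0x2UL

struct chunk_hdr { size_t prev_size; size_t size; };
struct munmap_range { uintptr_t start; size_t len; int passes_check; };

/* malloc() returns mem; the chunk header sits 16 bytes before it. */
static struct chunk_hdr *hdr_of(void *mem)
{
    return (struct chunk_hdr *)((char *)mem - 2 * sizeof(size_t));
}

int is_mmapped(void *mem)
{
    return (hdr_of(mem)->size & IS_MMAPPED) != 0;
}

size_t chunk_size(void *mem)
{
    return hdr_of(mem)->size & ~SIZE_BITS;
}

/* What munmap_chunk() does with a header holding prev_size and size_field:
 * block = p - prev_size, total = prev_size + chunksize(p), and it aborts with
 * "munmap_chunk(): invalid pointer" unless block and total are page aligned.
 * Growing size_field by N pages (IS_MMAPPED still set) therefore makes free()
 * munmap() N pages past the chunk; on a typical layout those are the pages of
 * the most recently mapped library, since mmap regions grow downwards. */
struct munmap_range munmap_range_for(void *mem, size_t prev_size, size_t size_field)
{
    struct munmap_range r;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t p = (uintptr_t)hdr_of(mem);

    r.start = p - prev_size;
    r.len = prev_size + (size_field & ~SIZE_BITS);
    r.passes_check = ((r.start | r.len) & (page - 1)) == 0;
    return r;
}

/* Allocate above the default mmap threshold, confirm the chunk is mmap()ed,
 * and compare the real munmap range with two forged ones. Returns 1 on
 * success so the result can be checked rather than only printed. */
int demo(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *big = malloc(0x200000);   /* 2 MiB: served by mmap() */
    void *small = malloc(0x20);     /* served from the main heap */
    if (!big || !small) return 0;

    struct chunk_hdr *h = hdr_of(big);
    struct munmap_range real = munmap_range_for(big, h->prev_size, h->size);
    /* Forged: same flag bits, size grown by 64 pages (constructed). */
    struct munmap_range forged = munmap_range_for(big, h->prev_size, h->size + 64 * page);
    /* Forged but not page aligned: glibc refuses it before calling munmap(). */
    struct munmap_range bad = munmap_range_for(big, h->prev_size, h->size + 64 * page + 0x10);

    printf("big  : mmapped=%d size=%#zx prev_size=%#zx\n",
           is_mmapped(big), chunk_size(big), h->prev_size);
    printf("small: mmapped=%d\n", is_mmapped(small));
    printf("real   munmap(%#lx, %#zx) check=%d\n", (unsigned long)real.start, real.len, real.passes_check);
    printf("forged munmap(%#lx, %#zx) check=%d\n", (unsigned long)forged.start, forged.len, forged.passes_check);
    printf("bad    munmap(%#lx, %#zx) check=%d\n", (unsigned long)bad.start, bad.len, bad.passes_check);

    int ok = is_mmapped(big) && !is_mmapped(small)
          && real.passes_check && forged.passes_check && !bad.passes_check
          && forged.len == real.len + 64 * page;
    free(small);
    free(big);
    return ok;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Run it under the Docker image above and compare the printed "forged" range with the libc mapping in /proc/<pid>/maps (or pwndbg's vmmap): the extra 64 pages fall exactly on the library mapped just above the chunk, which is the region the second prerequisite later re-mmap()s to plant the fake .dynsym.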
For some reason I never documented these techniques before, and every time I run into them I end up starting over from scratch.
This post focuses on exploits against glibc 2.23 and 2.31. Version 2.27 is similar to 2.23 (you just have to fill the tcache bin first), and 2.29 is similar to 2.31 (both add the tcache key check against double frees).
It therefore assumes a solid foundation in glibc heap allocation; the emphasis is on methods rather than theory.
The challenges covered here share these features: