A Visit to the Heart of Otaku

· 5 min read
MuelNova
Pwner who wants to write codes.

I've always enjoyed folding up my blog, because it allows me to fully indulge in virtual light and shadow. Today, I moved my written blog posts to the Blog section, so I no longer have to worry about RSS issues. To distinguish them from technical articles, I named this series “Otaku Visit”—on one hand, public articles are like inviting others to your home as guests, letting people know your values and observe your life; on the other hand, as an Otaku, I believe a large part of my blog's audience are also Otaku, so it's a double entendre (laugh).

Branch Talk 03

· 4 min read
MuelNova

Seeing this title, you might wonder: What is Branch Talk? Isn't it something from Genshin Impact? Why is it already 03, where did the first two go?

My answer is, I don't know either. Today, when flipping through my 2021 class notes for a junior, I unexpectedly found this incomplete backup of an old article on my hard drive.

Reflections on My Three Undergraduate Years

· 10 min read
MuelNova

Written on 2024/09/24.

Surveying my planned agenda, I listed three items side by side: “CTF challenge replays,” “research exploration,” and “project development.” All three stood equal, yet my mind was restless, unable to decide where to begin.

After much agonizing thought, I suddenly recalled my application for automatic recommendation to grad school and reflected on my more-than-three-year journey as an undergrad. Resolving to gather my focus, I sat upright, determined to record it all on this blog—for peers to enjoy and for my own self-awakening.

[Pwn] A Primer on House Of Muney

· 4 min read
MuelNova

A few days ago, ZBR shared this repo. I hadn’t heard of it, but its exploitation power looked impressive, so here’s a brief analysis.

In short, House Of Muney bypasses ASLR and achieves code execution without any memory leak.

Its prerequisites are:

  • Partial RELRO or No RELRO (we need to overwrite .dynsym so that lazy symbol resolution, dl_resolve, binds to an address of our choosing)
  • Ability to allocate chunks large enough that malloc serves them via mmap
  • Ability to forge a chunk’s prev_size and size fields so that the IS_MMAPPED bit is flipped

We’ll use glibc 2.31 in Docker. Here’s a sample Dockerfile:

FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -y && apt-get install -y socat gdb vim tmux python3 python3-pip
RUN apt-get install -y git build-essential libssl-dev libffi-dev libxml2-dev libxslt1-dev zlib1g-dev patchelf python3-dev
RUN pip3 install pwntools
RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh
RUN echo "set auto-load safe-path /" >> /root/.gdbinit
RUN git clone https://github.com/mdulin2/house-of-muney
RUN cd house-of-muney && ./compile.sh