kylebot's Blog

Man's Search for Pwning


Introduction

The story began two days ago, when a student, @Ramen, asked me about the current status of file structure attacks. He told me there were no public attacks that grant PC-control solely through file structure attacks in glibc 2.35, and I was a bit skeptical, because I had heard of many techniques that successfully lead to shells in CTFs.

After reading all the writeups, it turned out he was right (I shouldn’t have underestimated the technical skills of a blue-belt holder on pwn.college). These known techniques need to chain a ton of tricks together, and file structures are no longer as clean and powerful a primitive as they were in the past. (@angelboy’s arbitrary read/write technique based on file structure buffers still works fine, but it does not provide PC-control.)

Then I started wondering about a higher-level question: with the hooks (e.g. __malloc_hook, __free_hook) gone from the latest glibc, is there any clean way to obtain PC-control directly in libc?
Since I had just finished my previous projects and my new projects hadn’t started yet, I was basically free (Dobby is free!). So I dedicated a few hours to this question, which resulted in a class of techniques that grant us PC-control given 1. a known libc base and 2. a fully controlled file structure, despite the presence of vtable checks in glibc.

The story is so interesting that I have to share it.

Spoiler: the answer to life the universe and everything is 42 angr.


Introduction

Back in April, I found a 0-day vulnerability in the Linux kernel and exploited it on Google’s kCTF platform.
I reported the bug to the Linux kernel security team and helped them fix the vulnerability.
Surprisingly, the reporting process was timely and smooth, which I did not expect but was quite awesome.

Anyway, I then submitted my exploit to kCTF in May. After a pretty long wait, I got the response in August. Apparently, the kCTF team liked the exploit and granted me the first full bounty ($91,337) in kCTF’s history (before the bounty raise, which came a few days after I got the response).
I’m thrilled about the result and really appreciate the recognition of my work!
Thank you, Google!


Introduction

This weekend, I casually played DiceCTF 2022 with my team Shellphish, and I solved two challenges during the game: baby-rop and memory hole.

It was the first time in a while that I had played a CTF with OOO people: @Zardus and @adamd (internally, we call them OOOld people :) ). Initially, I didn’t plan to play the CTF because of my research work. But @adamd “bullied” me into it by saying “now get me the flag” when I casually posted some techniques that could help the team solve baby-rop. So, I solved it.

After solving baby-rop, I thought I was done with the CTF. But the next day, @adamd (yes, it was always him) posted some info about memory hole in our Discord channel, and I was immediately hooked by the challenge: what’s more exciting than bypassing the latest defence in V8? Besides, I hadn’t done any V8 challenge in a few months, so it was a good time to pick it up again. So, I decided to have a look at it, and I finally solved it with a different approach from the intended solution.


Introduction

Last December (a month ago), I learnt that a Linux kernel CTF challenge called IPS had gone unsolved during VULNCON 2021.
At that moment, I was struggling to exploit the first bug that we eventually used to pwn GKE for kCTF, and I thought it would be great to solve a CTF challenge and regain some confidence in kernel exploitation.

However, I struggled a little again with the CTF challenge (because I was, and still am, dumb) and finally solved it with an unintended solution.
Even though my solution was much harder than the intended one, it was first blood for this challenge.


Introduction

Last week, I played DEFCON quals with my team Shellphish. We managed to get 10th place worldwide and qualified for DEFCON Finals this year. Good job everyone! More importantly, this is the 16th consecutive year that Shellphish has qualified for DEFCON Finals. What can I say? It’s just amazing.
During the CTF, I contributed to the solution of baby-a-fallen-lap-ray (or, parallel-af-yan). After we solved it, I started looking at mooosl, a heap challenge built on musl[1] libc. By the time I started looking at the challenge seriously, there were only 6 hours left. At the end of the CTF, I had almost everything; I just needed some time to finish it off.
In fact, after the CTF, it only took me 2.5 more hours to finally get the flag. So sad.
So, in this blog post, I’m going to talk about how to solve the challenge and help myself remember how musl‘s mallocng allocator works.


Introduction

Despite having been insanely busy recently, I still decided to play WCTF for a bit and managed to solve one challenge, called machbooks.
As the name suggests, it is a Mach-O challenge. Mach-O is the executable format on macOS (like ELF on Linux). Mach-O challenges are rare in the CTF community, so it interested me the moment I saw the challenge name (in fact, I hadn’t planned to play the CTF at all, lol).
Because of the rarity of Mach-O challenges, some CTF-ready tools do not work on the format, and not many people know how to deal with Mach-O binaries at all. Those may be the reasons there was only one solve during the game.
Luckily, I had been exposed to Mach-O by a challenge called applepie during 0CTF 2019, and that experience gave me the edge to get the only solve on the challenge during the game.


Introduction

I played 0CTF as a member of Shellphish last weekend. The CTF was pretty awesome and gave me a lot of excitement. I learned about v8 hacking by solving the Chromium RCE challenge and about PHP internals by wasting my time on Baby Bypass. Overall, I’m pretty satisfied with my experience in the CTF.
The only imperfection is that I didn’t manage to pull off One Line JS before the game ended. In fact, I solved it 3 hours after the game ended.
One Line JS is a very interesting challenge about pwning a small real-world JavaScript engine. Although it is “small”, it still consists of more than 10 thousand lines of code, which is daunting for a 48h CTF. And I guess that’s the reason it only got 1 solve during the game.


2020-07-01

Created my blog. Not perfect, but it is mine.