
SLUB & Buddy System in Linux Kernel

CTF games have flourished in recent years. However, GLIBC heap allocator exploit techniques are becoming more and more boring and meaningless, especially for games in China. Challenges are well-designed and deliberately constructed, leading to specific ways to solve them, which is actually further and further away from real-world exploits. These days I have started to aim more at the Linux kernel memory allocator and have gathered some information about the Buddy System & SLUB so far.

Linux Kernel Mitigation & Bypass

Like user mode, there are also a number of mitigations against exploits in the Linux kernel. Here is a list of kernel-mode mitigations and methods to bypass some of them.

Hxp2020

Congratulations to Katzebin, ranked first in DEF CON CTF 29 again.

It reminds me of my first CTF competition with Katzebin: hxp2020 [1]. There are some excellent challenges in this game which I missed at that time, including some Linux kernel exploitation ones. Recently I started to learn kernel pwn, and I think it's time to solve these remaining challenges.

Qiangwang Cup (强网杯) Finals 2021

One of the most closely watched competitions in China, with nearly the highest quality of PWN/real-world challenges.

During the competition I looked at a few challenges to cool down; I found the bug in EXSI, but it was hard to reproduce…

CVE-2009-1759: Analysis of a Stack Overflow Vulnerability in a BT File Parser

Overall

The .torrent file is the BitTorrent seed file format, and CTorrent is a parser for this format. Because one parsing function in the parser lacks a length check, when it parses a Path whose size is user-controllable it memcpy's the user input into a fixed-length buffer on the stack, causing a stack overflow that allows privilege escalation via ROP.

The occasion for reproducing it came from the 强网先锋 (Qiangwang Pioneer) category [Qiangwang Cup 2021 Final].