The principle of a kernel stack overflow is the same as that of a user-mode stack overflow: it can be used to hijack control flow and escalate privileges in Ring 0.
Author Archives → Tac1t0rnX
Pwnable.tw Appstore-Seethefile-Spirited_away
Linux Kernel Exploit Environment
Environment setup:
- Host: macOS
- VM: Ubuntu 12.04 x86
- qemu
- linux-2.6.32
- busybox 1.19.4
House of spirit
House of spirit is another fastbin-based heap exploitation technique proposed in the article "The Malloc Maleficarum". In the author's view it is, more than that, a general way of thinking about memory exploitation: by constructing a fake chunk so that the allocator mistakenly hands out a memory region we control, we obtain a write-anything-anywhere primitive.
ICQ Baidu CTF try to pwn
➜ workspace file fake
fake: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=50bda3970a3985752f4aed4d86cefc94a0f2c532, not stripped
➜ workspace checksec fake
[*] '/mnt/hgfs/Binary/CTF/Shooting/ichun/Pwn/try to pwn/workspace/fake'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)
FILE Structure Exploitation (FILE Structure Oriented Programing)
Introduction
When we call the related functions, the operating system's processing flow is roughly as shown in the figure below:

Pwnable.tw dubblesort-hacknote-silver_bullet
Poison null byte
Project Zero published a post about a GLIBC NULL-byte off-by-one exploitation in 2014. Poison null byte is a heap-based exploitation technique that can be carried out with nothing more than an off-by-null: its basic idea is to use the single null byte to overwrite the next chunk's SIZE field, construct a fake chunk to abuse unlink, and finally produce a chunk overlap.
It is a strengthened version of the "shrink freed chunk" technique, and it bypasses the check in libc's unlink that the next chunk's prev_size matches the chunk's size.
Chunk Overlapping
Chunk overlap (overlapping heap chunks) is a heap-layout technique used in exploitation. Whether the bug allows a large overflow of 8~16 bytes or more, or only a one-byte off-by-one, it can potentially create a chunk overlap; using heap layout flexibly to construct chunk overlapping yields very powerful exploitation results.