<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Leo_something on bitfriends' blog</title><link>https://b17fr13nds.github.io/authors/leo_something/</link><description>Recent content in Leo_something on bitfriends' blog</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 03 Jul 2026 23:22:28 +0700</lastBuildDate><atom:link href="https://b17fr13nds.github.io/authors/leo_something/index.xml" rel="self" type="application/rss+xml"/><item><title>Reviving modprobe_path technique (again)</title><link>https://b17fr13nds.github.io/posts/reviving_modprobe/</link><pubDate>Fri, 03 Jul 2026 23:22:28 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/reviving_modprobe/</guid><description>&lt;h1 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;The &lt;code&gt;modprobe_path&lt;/code&gt; technique is a widely known Linux kernel exploitation primitive that can be used to turn an arbitrary write primitive into LPE.&lt;/p&gt;
&lt;h3 id="tldr"&gt;
 TL;DR
 &lt;a class="heading-link" href="#tldr"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;code&gt;modprobe_path&lt;/code&gt; is a string that specifies the name of the modprobe executable in the Linux kernel. This program is responsible for adding and removing loadable kernel modules.&lt;/p&gt;
&lt;p&gt;When &lt;code&gt;CONFIG_STATIC_USERMODEHELPER&lt;/code&gt; is disabled &lt;code&gt;modprobe_path&lt;/code&gt;is R/W, this means that if we have an arbitrary write primitive and a KASLR leak, we can change it to a controlled executable file path.
If we now find a way to make the kernel run modprobe for us, it will run our executable with root privileges, thus achieving LPE.&lt;/p&gt;</description></item><item><title>snalloc - Lake CTF 2025</title><link>https://b17fr13nds.github.io/posts/lake_snalloc/</link><pubDate>Sun, 01 Mar 2026 23:49:32 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/lake_snalloc/</guid><description>&lt;h2 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;This was an heap challenge with a custom allocator implementation.
The main program basically let you allocate, edit and free chunks using either the custom allocator or the malloc allocator.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="vulnerability"&gt;
 Vulnerability
 &lt;a class="heading-link" href="#vulnerability"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;h3 id="snalloc-internals"&gt;
 Snalloc Internals
 &lt;a class="heading-link" href="#snalloc-internals"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;p&gt;In the snallloc implementation, glibc malloc is still used as the &amp;ldquo;buddy&amp;rdquo; allocator. It is exclusively used to request blocks of memory that are multiple of &lt;code&gt;PAGESIZE&lt;/code&gt; in size.&lt;/p&gt;</description></item><item><title>cherry - Mimic Defense CTF</title><link>https://b17fr13nds.github.io/posts/mimic_cherry/</link><pubDate>Fri, 12 Dec 2025 23:31:15 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/mimic_cherry/</guid><description>&lt;h2 id="cherry---mimic-ctf-finals-2025"&gt;
 Cherry - Mimic CTF Finals 2025
 &lt;a class="heading-link" href="#cherry---mimic-ctf-finals-2025"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;Two weeks ago I went to Nanjing, China to take part in the &lt;a href="https://ctftime.org/event/2999" class="external-link" target="_blank" rel="noopener"&gt;2025 Qiangwang Challenge on Cyber Mimic Defense Finals&lt;/a&gt; with the ARESx team. Me and &lt;a href="[https://leo1.cc/]%28https://leo1.cc/" title="https://leo1.cc/" &gt;@leo_something&lt;/a&gt;) full cleared pwn during the CTF and in this writeup we are going to talk about a really nice browser challenge we encountered.&lt;/p&gt;
&lt;h2 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;The challenge consisted in a patched version of &lt;a href="https://github.com/jerryscript-project/jerryscript" class="external-link" target="_blank" rel="noopener"&gt;jerryscript&lt;/a&gt;, a &amp;ldquo;lightweight JavaScript engine intended to run on a very constrained devices such as microcontrollers&amp;rdquo;.&lt;/p&gt;</description></item></channel></rss>