<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on bitfriends' blog</title><link>https://b17fr13nds.github.io/posts/</link><description>Recent content in Posts on bitfriends' blog</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 03 Jul 2026 23:22:28 +0700</lastBuildDate><atom:link href="https://b17fr13nds.github.io/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Reviving modprobe_path technique (again)</title><link>https://b17fr13nds.github.io/posts/reviving_modprobe/</link><pubDate>Fri, 03 Jul 2026 23:22:28 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/reviving_modprobe/</guid><description>&lt;h1 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;The &lt;code&gt;modprobe_path&lt;/code&gt; technique is a widely known Linux kernel exploitation primitive that can be used to turn an arbitrary write primitive into LPE.&lt;/p&gt;
&lt;h3 id="tldr"&gt;
 TL;DR
 &lt;a class="heading-link" href="#tldr"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;p&gt;&lt;code&gt;modprobe_path&lt;/code&gt; is a string that specifies the name of the modprobe executable in the Linux kernel. This program is responsible for adding and removing loadable kernel modules.&lt;/p&gt;
&lt;p&gt;When &lt;code&gt;CONFIG_STATIC_USERMODEHELPER&lt;/code&gt; is disabled &lt;code&gt;modprobe_path&lt;/code&gt;is R/W, this means that if we have an arbitrary write primitive and a KASLR leak, we can change it to a controlled executable file path.
If we now find a way to make the kernel run modprobe for us, it will run our executable with root privileges, thus achieving LPE.&lt;/p&gt;</description></item><item><title>snalloc - Lake CTF 2025</title><link>https://b17fr13nds.github.io/posts/lake_snalloc/</link><pubDate>Sun, 01 Mar 2026 23:49:32 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/lake_snalloc/</guid><description>&lt;h2 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;This was an heap challenge with a custom allocator implementation.
The main program basically let you allocate, edit and free chunks using either the custom allocator or the malloc allocator.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="vulnerability"&gt;
 Vulnerability
 &lt;a class="heading-link" href="#vulnerability"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;h3 id="snalloc-internals"&gt;
 Snalloc Internals
 &lt;a class="heading-link" href="#snalloc-internals"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;p&gt;In the snallloc implementation, glibc malloc is still used as the &amp;ldquo;buddy&amp;rdquo; allocator. It is exclusively used to request blocks of memory that are multiple of &lt;code&gt;PAGESIZE&lt;/code&gt; in size.&lt;/p&gt;</description></item><item><title>cherry - Mimic Defense CTF</title><link>https://b17fr13nds.github.io/posts/mimic_cherry/</link><pubDate>Fri, 12 Dec 2025 23:31:15 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/mimic_cherry/</guid><description>&lt;h2 id="cherry---mimic-ctf-finals-2025"&gt;
 Cherry - Mimic CTF Finals 2025
 &lt;a class="heading-link" href="#cherry---mimic-ctf-finals-2025"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;Two weeks ago I went to Nanjing, China to take part in the &lt;a href="https://ctftime.org/event/2999" class="external-link" target="_blank" rel="noopener"&gt;2025 Qiangwang Challenge on Cyber Mimic Defense Finals&lt;/a&gt; with the ARESx team. Me and &lt;a href="[https://leo1.cc/]%28https://leo1.cc/" title="https://leo1.cc/" &gt;@leo_something&lt;/a&gt;) full cleared pwn during the CTF and in this writeup we are going to talk about a really nice browser challenge we encountered.&lt;/p&gt;
&lt;h2 id="overview"&gt;
 Overview
 &lt;a class="heading-link" href="#overview"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;The challenge consisted in a patched version of &lt;a href="https://github.com/jerryscript-project/jerryscript" class="external-link" target="_blank" rel="noopener"&gt;jerryscript&lt;/a&gt;, a &amp;ldquo;lightweight JavaScript engine intended to run on a very constrained devices such as microcontrollers&amp;rdquo;.&lt;/p&gt;</description></item><item><title>htaas - UofT CTF 2025</title><link>https://b17fr13nds.github.io/posts/uoft_htaas/</link><pubDate>Wed, 15 Jan 2025 19:58:53 +0100</pubDate><guid>https://b17fr13nds.github.io/posts/uoft_htaas/</guid><description>&lt;p&gt;While playing UofTCTF I solved hash table as a service (htaas).
We were given a simple heap menu, which lets us create, get and set hash table entries:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;1. New Hash Table
2. Set
3. Get
4. Exit
&amp;gt; 
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Upon inspecting the source, we spot some interesting things. There is an array that contains &lt;code&gt;hashTable&lt;/code&gt;s,
i.e. it contains the number of entries in the hash table and its start address:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;0x5c1e1caad040 &amp;lt;hashTables&amp;gt;:	0x0000000000000010	0x00005c1e4f4072a0
0x5c1e1caad050 &amp;lt;hashTables+16&amp;gt;:	0x0000000000000000	0x0000000000000000
...
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Each &lt;code&gt;hashTable&lt;/code&gt; consits of &lt;code&gt;n&lt;/code&gt; entries, which look like this:&lt;/p&gt;</description></item><item><title>heap_master - n1ctf 2024</title><link>https://b17fr13nds.github.io/posts/n1ctf_heap_master/</link><pubDate>Thu, 09 Jan 2025 15:59:10 +0100</pubDate><guid>https://b17fr13nds.github.io/posts/n1ctf_heap_master/</guid><description>&lt;p&gt;Heap_master was a kernel pwn challenge from n1ctf. I didn&amp;rsquo;t play the ctf, allthough the
challenge seemed nice to upsolve. Let&amp;rsquo;s get started&lt;/p&gt;
&lt;p&gt;For the environment, we were given a Linux &lt;code&gt;6.1.110&lt;/code&gt; image as well as a config file. Before
looking at the config file, the fact that we have an nsjail environment. In our case, this
means a bunch of disabled syscalls, no setuid binaries, and only few useful files in &lt;code&gt;/dev&lt;/code&gt;
and &lt;code&gt;/proc&lt;/code&gt; directories. The goal is hereby not only to get root, but also escape the nsjail
to read &lt;code&gt;flag.txt&lt;/code&gt;. We need to take this into account when creating our exploit.&lt;/p&gt;</description></item><item><title>TOY/2 - SECCON CTF 13</title><link>https://b17fr13nds.github.io/posts/seccon_toy2/</link><pubDate>Sun, 24 Nov 2024 14:53:47 +0100</pubDate><guid>https://b17fr13nds.github.io/posts/seccon_toy2/</guid><description>&lt;h2 id="toy2"&gt;
 &lt;strong&gt;TOY/2:&lt;/strong&gt;
 &lt;a class="heading-link" href="#toy2"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h2&gt;
&lt;p&gt;This weekend we played as P1G SEKAI and managed to qualify to the finals. TOY/2 was a challenge I solved.&lt;/p&gt;
&lt;p&gt;In this challenge we&amp;rsquo;re given a C++ binary that emulates some 16-bit architecture.&lt;/p&gt;
&lt;p&gt;It had several instructions, one of them included an OOB bug:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-cpp" data-lang="cpp"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;case&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;13&lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;:&lt;/span&gt; &lt;span style="color:#8b949e;font-style:italic"&gt;/* STT */&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; mem_write(_regs.a &lt;span style="color:#ff7b72;font-weight:bold"&gt;&amp;amp;&lt;/span&gt; (size() &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;1&lt;/span&gt;), _regs.t);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;break&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This is bad code, since we write two bytes but the &lt;code&gt;AND&lt;/code&gt; let&amp;rsquo;s us place those one byte before the emulator memory ends → one-byte OOB write.&lt;/p&gt;</description></item><item><title>Java? - Securinets CTF Quals 2024</title><link>https://b17fr13nds.github.io/posts/securinets_java/</link><pubDate>Mon, 21 Oct 2024 10:02:00 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/securinets_java/</guid><description>&lt;p&gt;Last week we qualified for securinets finals. Java? was a pwn challenge I blooded.
We were given a java program, which reads input three times and passes it to a library:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-java" data-lang="java"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;import&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;java.io.BufferedReader&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;import&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;java.io.IOException&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;import&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;java.io.InputStreamReader&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;public&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;class&lt;/span&gt; &lt;span style="color:#f0883e;font-weight:bold"&gt;Main&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;{&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;private&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;String&lt;span style="color:#6e7681"&gt; &lt;/span&gt;first&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#a5d6ff"&gt;&amp;#34;&amp;#34;&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;private&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;String&lt;span style="color:#6e7681"&gt; &lt;/span&gt;second&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#a5d6ff"&gt;&amp;#34;&amp;#34;&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;private&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;String&lt;span style="color:#6e7681"&gt; &lt;/span&gt;last&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#a5d6ff"&gt;&amp;#34;&amp;#34;&lt;/span&gt;;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;static&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;{&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;System.loadLibrary(&lt;span style="color:#a5d6ff"&gt;&amp;#34;Lib&amp;#34;&lt;/span&gt;);&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;}&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;public&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;native&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;void&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#d2a8ff;font-weight:bold"&gt;Kabom&lt;/span&gt;();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;public&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;native&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;void&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#d2a8ff;font-weight:bold"&gt;Setup&lt;/span&gt;();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;public&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;static&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;void&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#d2a8ff;font-weight:bold"&gt;main&lt;/span&gt;(String&lt;span style="color:#ff7b72;font-weight:bold"&gt;[]&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;args)&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;throws&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;IOException{&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;BufferedReader&lt;span style="color:#6e7681"&gt; &lt;/span&gt;reader&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;new&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;BufferedReader(&lt;span style="color:#ff7b72"&gt;new&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;InputStreamReader(System.in));&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;Main&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72"&gt;new&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;Main();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me.Setup();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#8b949e;font-style:italic"&gt;//System.out.println(&amp;#34;If I give you a gift, will you give me the right input? &amp;#34;);&lt;/span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#8b949e;font-style:italic"&gt;//me.Gift();&lt;/span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;System.out.println(&lt;span style="color:#a5d6ff"&gt;&amp;#34;And I&amp;#39;ll give you 3 bullets&amp;#34;&lt;/span&gt;);&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;System.out.println(&lt;span style="color:#a5d6ff"&gt;&amp;#34;First shot: &amp;#34;&lt;/span&gt;);&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me.first&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;reader.readLine();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;System.out.println(&lt;span style="color:#a5d6ff"&gt;&amp;#34;Second shot: &amp;#34;&lt;/span&gt;);&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me.second&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;reader.readLine();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;System.out.println(&lt;span style="color:#a5d6ff"&gt;&amp;#34;Last shot: &amp;#34;&lt;/span&gt;);&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me.last&lt;span style="color:#6e7681"&gt; &lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;reader.readLine();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;me.Kabom();&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#6e7681"&gt; &lt;/span&gt;}&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}&lt;span style="color:#6e7681"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;The library provided prints the three inputs with &lt;code&gt;printf&lt;/code&gt;, resulting in a format string vuln.&lt;/p&gt;</description></item><item><title>physler - BRICS CTF 2024</title><link>https://b17fr13nds.github.io/posts/brics_physler/</link><pubDate>Sun, 20 Oct 2024 12:18:45 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/brics_physler/</guid><description>&lt;p&gt;Physler was another challenge from BRICS CTF that I solved.
We basically got a kernel module that has two ioctl requests defined:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;case&lt;/span&gt; &lt;span style="color:#79c0ff;font-weight:bold"&gt;IOCTL_MAP_PHYS_ADDR&lt;/span&gt;: {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (&lt;span style="color:#d2a8ff;font-weight:bold"&gt;copy_from_user&lt;/span&gt;(&lt;span style="color:#ff7b72;font-weight:bold"&gt;&amp;amp;&lt;/span&gt;_map, (&lt;span style="color:#ff7b72"&gt;void&lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;*&lt;/span&gt;)arg, &lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(_map))) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;return&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt;EFAULT;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (mem)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;iounmap&lt;/span&gt;(mem);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; mem &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;ioremap&lt;/span&gt;(_map.phys_addr, _map.size);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (&lt;span style="color:#ff7b72;font-weight:bold"&gt;!&lt;/span&gt;mem) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;return&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt;EFAULT;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;break&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;case&lt;/span&gt; &lt;span style="color:#79c0ff;font-weight:bold"&gt;IOCTL_WRITE_PHYS_MEM&lt;/span&gt;: {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (&lt;span style="color:#ff7b72;font-weight:bold"&gt;!&lt;/span&gt;mem)
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;return&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt;EFAULT;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (&lt;span style="color:#d2a8ff;font-weight:bold"&gt;copy_from_user&lt;/span&gt;(&lt;span style="color:#ff7b72;font-weight:bold"&gt;&amp;amp;&lt;/span&gt;_write, (&lt;span style="color:#ff7b72"&gt;void&lt;/span&gt;&lt;span style="color:#ff7b72;font-weight:bold"&gt;*&lt;/span&gt;)arg, &lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(_write))) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;return&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt;EFAULT;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; }
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; size &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; _write.size;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (size &lt;span style="color:#ff7b72;font-weight:bold"&gt;&amp;gt;&lt;/span&gt; &lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(kernel_buffer))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; size &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(kernel_buffer);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (&lt;span style="color:#d2a8ff;font-weight:bold"&gt;copy_from_user&lt;/span&gt;(kernel_buffer, (&lt;span style="color:#ff7b72"&gt;char&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;*&lt;/span&gt;)_write.in_data, size))
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;return&lt;/span&gt; &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt;EFAULT;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;memcpy_toio&lt;/span&gt;(mem, kernel_buffer, size);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;break&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;This essentially lets us map any physical address and write arbitrary data to it - all as normal user
since this also bypasses all virtual access protections for pages/memory regions, we can overwrite
kernel code. To get the physical kernel base, we can read &lt;code&gt;/proc/iomem&lt;/code&gt;:&lt;/p&gt;</description></item><item><title>chains - BRICS CTF 2024</title><link>https://b17fr13nds.github.io/posts/brics_chains/</link><pubDate>Fri, 18 Oct 2024 18:50:53 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/brics_chains/</guid><description>&lt;p&gt;Two weeks ago, I played BRICS CTF with r3kapig, and we ranked 1st!
Chains was one of the challanges I solved.&lt;/p&gt;
&lt;p&gt;We were given a program to add/remove proxies and chains. Upon executing we&amp;rsquo;re presented with:&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;1. Add Proxy
2. Delete Proxy
3. Add Chain
4. View Chain
5. Delete Chain
6. Exit
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;That resembles a typical heap challenge. It turns out to be one,
since the following structures are getting allocated dynamically:&lt;/p&gt;</description></item><item><title>TLN - snakeCTF 2024</title><link>https://b17fr13nds.github.io/posts/tln_snake/</link><pubDate>Mon, 09 Sep 2024 08:46:34 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/tln_snake/</guid><description>&lt;p&gt;This weekend I played snakeCTF for fun and managed to solve a few pwns. One of them was TLN.
The challenge code was pretty simple, introducing a classical OOB index vulnerability:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;case&lt;/span&gt; &lt;span style="color:#79c0ff;font-weight:bold"&gt;OPT_SET&lt;/span&gt;:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;print&lt;/span&gt;(&lt;span style="color:#a5d6ff"&gt;&amp;#34;Index: &amp;#34;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; index &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;get_int&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;print&lt;/span&gt;(&lt;span style="color:#a5d6ff"&gt;&amp;#34;Content: &amp;#34;&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;read_exact&lt;/span&gt;(&lt;span style="color:#ff7b72;font-weight:bold"&gt;&amp;amp;&lt;/span&gt;(notes[index].content), &lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(&lt;span style="color:#ff7b72"&gt;item_t&lt;/span&gt;) &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;1&lt;/span&gt;);
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; notes[index].content[&lt;span style="color:#ff7b72"&gt;sizeof&lt;/span&gt;(&lt;span style="color:#ff7b72"&gt;item_t&lt;/span&gt;) &lt;span style="color:#ff7b72;font-weight:bold"&gt;-&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;1&lt;/span&gt;] &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;0&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;break&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;As you can see, no bounds checks at all.
The &lt;code&gt;notes&lt;/code&gt; array consists of elements of &lt;code&gt;item_t&lt;/code&gt;, which is defined like the following:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#ff7b72"&gt;typedef&lt;/span&gt; &lt;span style="color:#ff7b72"&gt;struct&lt;/span&gt; {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;char&lt;/span&gt; content[&lt;span style="color:#a5d6ff"&gt;8&lt;/span&gt;];
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;} &lt;span style="color:#ff7b72"&gt;item_t&lt;/span&gt;;
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;To sum it up: we can write 7 bytes at a time relative to the starting address of &lt;code&gt;notes&lt;/code&gt;.
The declaration of the array is what&amp;rsquo;s particulary interesting. The keyword &lt;code&gt;thread_local&lt;/code&gt; is used here:&lt;/p&gt;</description></item><item><title>My own kernel fuzzer - lxfuzz</title><link>https://b17fr13nds.github.io/posts/kernel_fuzzer_lxfuzz/</link><pubDate>Sat, 07 Sep 2024 18:11:00 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/kernel_fuzzer_lxfuzz/</guid><description>&lt;p&gt;My long-term project is writing a kernel fuzzer named lxfuzz. It is a coverage-guided fuzzer for the linux kernel. I chose that project for some reasons:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;To learn about fuzzing, its mechanisms etc. in general&lt;/li&gt;
&lt;li&gt;To learn more about the linux kernel, especially&lt;/li&gt;
&lt;li&gt;To improve my C++ skills :) (the language used for lxfuzz)&lt;/li&gt;
&lt;li&gt;Profit (finding CVEs)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Under the hood it&amp;rsquo;s using qemu to run the kernel and KCOV for coverage collection.
The project is still work-in-progress and developed gradually.
Current features are:&lt;/p&gt;</description></item><item><title>the ring - BlackHat MEA CTF 2024</title><link>https://b17fr13nds.github.io/posts/the_ring_bhmea/</link><pubDate>Mon, 02 Sep 2024 20:24:09 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/the_ring_bhmea/</guid><description>&lt;p&gt;I had a fun time playing BlackHat MEA CTF. This pwn challenge was particulary nice.&lt;/p&gt;
&lt;p&gt;In &amp;ldquo;the ring&amp;rdquo; you were given a &lt;code&gt;FLAC&lt;/code&gt; audio file parser, written in C++.
You can provide such a custom audio file and get presented the output of the program.
Notice that there is a Python wrapper handling the file and outputs readable text only.&lt;/p&gt;
&lt;p&gt;Now the general functionality of the program:
The program checks the magic bytes first (&lt;code&gt;#define FLAC_MAGIC 0x664c6143U&lt;/code&gt;) and then immedeately
starts looking for the initial &lt;code&gt;TYPE_STREAMINFO&lt;/code&gt; block, which may be followed by more blocks.&lt;/p&gt;</description></item><item><title>valorn't - PlaidCTF 2024</title><link>https://b17fr13nds.github.io/posts/valornt_plaid/</link><pubDate>Tue, 23 Apr 2024 20:00:41 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/valornt_plaid/</guid><description>&lt;p&gt;I solved the easy pwn chall &amp;ldquo;valorn&amp;rsquo;t&amp;rdquo; during PlaidCTF while playing with Friendly Maltese Citizens.&lt;/p&gt;
&lt;p&gt;As usual, the goal was to win the game and read the flag&lt;/p&gt;
&lt;h1 id=""&gt;
 
 &lt;a class="heading-link" href="#"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; &lt;span style="color:#ff7b72"&gt;int&lt;/span&gt; ret &lt;span style="color:#ff7b72;font-weight:bold"&gt;=&lt;/span&gt; &lt;span style="color:#d2a8ff;font-weight:bold"&gt;play_pew_pew_game&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;	&lt;span style="color:#ff7b72"&gt;if&lt;/span&gt; (ret &lt;span style="color:#ff7b72;font-weight:bold"&gt;==&lt;/span&gt; &lt;span style="color:#a5d6ff"&gt;0&lt;/span&gt;) {
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;		&lt;span style="color:#d2a8ff;font-weight:bold"&gt;read_flage&lt;/span&gt;();
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;	}
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;h1 id=""&gt;
 
 &lt;a class="heading-link" href="#"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;In order to win, &lt;code&gt;is_cheater&lt;/code&gt; had to be set and the enemy team win-counter has to be &lt;code&gt;0&lt;/code&gt;&lt;/p&gt;</description></item><item><title>Exploiting the kernel - CVE-2022-24122</title><link>https://b17fr13nds.github.io/posts/kernel_exploit_cve-2022-24122/</link><pubDate>Sun, 12 Mar 2023 17:47:13 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/kernel_exploit_cve-2022-24122/</guid><description>&lt;p&gt;For the first time I exploited the kernel in real life.
I used the bug &lt;a href="https://www.cvedetails.com/cve/CVE-2022-24122/" class="external-link" target="_blank" rel="noopener"&gt;CVE-2022-24122&lt;/a&gt;, which allowed a use-after-free due to bad use of &lt;code&gt;refcount&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The exploit itself requires a KASLR leak to prevent an oops during the process,
as well as access to user namespaces. It is not really reliable, needs many tries :D&lt;/p&gt;
&lt;p&gt;To get root I corrupted the SLUB freelist and wrote to &lt;code&gt;modprobe_path&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The exploit code can be found on &lt;a href="https://github.com/b17fr13nds/kernel-exploits/tree/main/CVE-2022-24122" class="external-link" target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt; or in the following:&lt;/p&gt;</description></item><item><title>Jailbreaking iOS 9.3.5 - CVE-2016-4669</title><link>https://b17fr13nds.github.io/posts/ios_935_jb/</link><pubDate>Tue, 01 Mar 2022 14:02:26 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/ios_935_jb/</guid><description>&lt;p&gt;&lt;em&gt;In this article, I&amp;rsquo;ll present a detailed iOS jailbreak writeup and some basic tips and tricks on how to set up an environment for exploiting. The bug I am exploiting is in the iOS kernel. I hope this is a helpful reference for anyone who wants to start with iOS pwn&lt;/em&gt;&lt;/p&gt;
&lt;h5 id="now-let-us-begin"&gt;
 Now let us begin!
 &lt;a class="heading-link" href="#now-let-us-begin"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;p&gt;Short story:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;A few weeks ago, I found an old iPad 3,1 by my dad. I wanted to set it up for homeschooling for my sister, but the iOS version was so old, that I was unable to download anything from the AppStore. So I decided to jailbreak it to make it somewhat usable again. However, I didn&amp;rsquo;t use my own jailbreak at first. I used the Phoenix jailbreak from &lt;a href="https://phoenixpwn.com/" class="external-link" target="_blank" rel="noopener"&gt;https://phoenixpwn.com/&lt;/a&gt;, which worked like a charm. Now I can install some packages and tweaks to be able to download older app versions from the App Store. But I wasn&amp;rsquo;t satisfied. In fact, I used an exploit that other people wrote and I didn&amp;rsquo;t know exactly what it was doing. That&amp;rsquo;s why I decided to do some research, to understand how the Phoenix jailbreak worked and maybe write a jailbreak or at least a demo by ourselves.&lt;/p&gt;</description></item><item><title>Software and hardware fundamentals</title><link>https://b17fr13nds.github.io/posts/fundamentals/</link><pubDate>Tue, 01 Mar 2022 12:35:03 +0200</pubDate><guid>https://b17fr13nds.github.io/posts/fundamentals/</guid><description>&lt;p&gt;&lt;em&gt;Note that this is only an early reference that I initially created for mysELF. I decided to publish it for those, who want to have an overview of the fundamentals. If you spot any mistakes or if you think something should be added, please reach me on Discord (&lt;code&gt;bitfriends&lt;/code&gt;). I used some pictures from other people because this was only a reference for me. The people who created the pictures are amazing and should feel honored :)&lt;/em&gt;&lt;/p&gt;</description></item><item><title>About</title><link>https://b17fr13nds.github.io/posts/about/</link><pubDate>Thu, 01 Jan 1970 00:00:00 +0700</pubDate><guid>https://b17fr13nds.github.io/posts/about/</guid><description>&lt;p&gt;Doing CTFs since 2020, day 1 pwner. Fuzzing and AI (buzzwords) coordinator. Travel and maths enjoyer. Occasional larper. Researching for fun and profit.&lt;/p&gt;</description></item></channel></rss>