Qemu What is qemu QEMU (Quick Emulator) is a free and open-source emulator. It emulates a computer's processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest operating systems. It can interoperate with Kernel-based Virtual Machine (KVM) to run virtual machines at near-native speed. QEMU can also do emulation for user-level processes, allowing applications compiled for one processor architecture to run on another. A guest operating system running in the emulated computer accesses these devices, and runs as if it were running on real hardware. For instance, you can pass an ISO image as a parameter to QEMU, and the OS running in the emulated computer will see a real CD-ROM inserted into a CD drive. QEMU can emulate a great variety of hardware from ARM to Sparc, but Proxmox VE is only concerned with 32 and 64 bits PC clone emulation, since it represents the overwhelming majority of server hardware. The emulation of PC clones is also one of the fastest due to the availability of processor extensions which greatly speed up QEMU when the emulated architecture is the same as the host architecture. QEMU supports the emulation of various architectures, including x86, ARM, PowerPC, RISC-V, and others.

Level 1 1.0 You only use strings command and check correct input. image 1.1 It is similar to level 1.0 Level 2

Fastbin dup 3 House of Corrosion Exploiting GLIBC bugs

Babyjail_level1 Overall image babyjail_level1.c :::spoiler #define _GNU_SOURCE 1 #include <stdlib.h>

Overall :::info Leverage a heap bug to link a fake chunk into a fastbin, the fake chunk consists of 2 size fields: one belongs to the fake chunk itself and the other belongs to the succeeding chunk’s size field. However, the succeeding chunk’s size field is placed 0x10 bytes before the fake chunk’s size field. The fake chunk wraps around the VA space with a size field of 0xfffffffffffffff1 and the succeeding chunk’s size is set to 0x11 (a so-called fencepost chunk). This is the smallest memory footprint a fake chunk can assume whilst satisfying fastbin next size checks and avoiding consolidation attempts. Once the fake chunk is linked into a fastbin it is consolidated into the unsortedbin via malloc_consolidate(). malloc_consolidate() cannot be triggered via malloc() because this results in the fake chunk being sorted which triggers an abort() call when it fails a size sanity check. Instead the fake chunk is sorted by freeing a chunk that exceeds the FASTBIN_CONSOLIDATION_THRESHOLD (0x10000 by default), this can be achieved by freeing a normal chunk that borders the top chunk because _int_free() considers the entire consolidated space to be the size of the freed chunk. Modify the fake chunk size so that it can be sorted into the largest largebin (bin[126]), malloc only searches this bin for very large requests. To qualify for this bin the fake chunk size must be 0x80001 or larger. Sort the fake chunk into bin[126] by requesting a larger chunk. If the arena’s system_mem variable is less than 0x80000, which it will be under default conditions when this heap has not been extended, it is required to artificially increase system_mem by requesting a large chunk, freeing it and requesting it again. Now that the fake chunk is linked into the largest largebin, it is safe to return its size to 0xfffffffffffffff1. Note that such a large size may not be appropriate when attempting to overwrite stack variables as the fake chunk size may be larger than av->system_mem after the allocation. This will fail a size sanity check during subsequent allocation from the unsortedbin. This provides a House of Force-like primitive where a large request can be made from the fake chunk that spans the gap between the fake chunk and target memory. :::

Overview Leverage a double-free bug to coerce malloc into returning the same chunk twice, without freeing it in between. This technique is typically capitalised upon by corrupting tcache metadata to link a fake chunk into a tcachebin. This fake chunk can be allocated, then program functionality could be used to read from or write to an arbitrary memory location. Detail The Tcache Dup technique operates in a similar manner to the Fastbin Dup, the primary difference being that in GLIBC versions < 2.29 there is no tcache double-free mitigation. The Tcache Dup is a very powerful primitive because there is no chunk size integrity check on allocations from a tcachebin, making it very easy to overlap a fake tcache chunk with any memory address. Further use In GLIBC version 2.29 a tcache double-free check was introduced: when a chunk is linked into a tcachebin, the address of that thread’s tcache is written into the slot usually reserved for a free chunk’s bk pointer, which is relabelled as a “key” field. When chunks are freed their key field is checked and if it matches the address of the tcache then the appropriate tcachebin is searched for the freed chunk. If the chunk is found to be already in the tcache then abort() is called. This check can be bypassed by filling the target tcachebin to free a victim chunk into the same sized fastbin, emptying the tcachebin then freeing the victim chunk a 2nd time. Next, the victim chunk is allocated from the tcachebin at which point a designer can tamper with its fastbin fd pointer. When the victim chunk is allocated from its fastbin, the remaining chunks in the same fastbin are dumped into the tcache, including the fake chunk, tcache dumping does not include a double-free check. Note that the fake chunk’s fd must be null for this to succeed. Since the tcache itself resides on the heap it can be subject to corruption after a heap leak.

The house of Spirit House of Lore Poison null bytes Challenge: Poison null bytes The House of Rabbit

Overall It seems similar to Poison null bytes (The House of Einherjar). However, in this technique, I overwrite the least significant byte of the free chunk instead of allocated chunk. Approach :::info Thus, the size field of the free chunk decrease(0x210 -> 0x200 -> decrease 0x10 bytes). It leads to the prev_size and prev_inuse flags of succeeding chunk not be updated correctly(0x10 bytes before the right location). When I free the chunk after vitic chunk, and find the way to trigger consolidate, I can overlap(free) the allocated chunk -> trigger somethings to leak libc + heap The challenge binary won't let us make arbitrarily large requests, overwriting the malloc hook with the address of a one-gadget seemed like a sensible approach. However, satisfying any of the one-gadget constraints in this scenario proves difficult. At this point, you may have considered file stream exploitation instead and props to you if you tried. Unfortunately, the version of GLIBC we're working with, 2.25, implements a mitigation against file stream exploitation.It can be bypassed somewhat trivially by writing any nonzero value into the dlopen hook, perhaps via an unsortedbin attack.

The House of Einherjar Overall image :::info The House of Einherjar was originally presented as a single null-byte overflow technique, but this is not its most realistic application. It assumes an overflow that can clear a victim chunk’s prev_inuse bit whilst having control of the victim chunk’s prev_size field. The victim’s prev_size field is populated such that when the victim chunk is freed it consolidates backwards with a fake chunk on the heap or elsewhere. In this case, arbitrary allocations can be made from the fake chunk which could be used to read from or write to sensitive data. :::

Overall image :::info Linking a fake chunk into an unsortedbin is equivalent to aiming an unsortedbin attack at a fake chunk by overwriting the unsorted chunk’s bk with the address of the fake chunk.The fake chunk must have a bk which points to a writable address. The fake chunk can be allocated directly from the unsortedbin, although its size field must match the request size and differ from the chunk with the corrupt bk. Linking a fake chunk into a smallbin requires overwriting the bk of a chunk linked into a smallbin with the address of the fake chunk

Table of contents House of force Overall image :::spoiler :::info When a program allocates memory from the heap, the operating system allocates a block of physical memory (or a combination of physical and disk memory) and assigns a virtual address to it. This virtual address becomes part of the process's virtual address space and can be used by the program to access the allocated memory. Virtual Memory (VA)It's a memory management technique employed by operating systems to provide processes with the illusion of having more contiguous physical memory (RAM) than is actually available.

Warm up Overall image int __fastcall main(int argc, const char **argv, const char **envp) { char s[64]; // [rsp+0h] [rbp-40h] BYREF helper(argc, argv, envp); printf("%p\n", &puts);

Secrect Garden Source code void __fastcall __noreturn main(__int64 a1, char **a2, char **a3) { char v3[8]; // [rsp+0h] [rbp-28h] BYREF unsigned __int64 v4; // [rsp+8h] [rbp-20h] v4 = __readfsqword(0x28u); sub_FE1(a1, a2, a3); while ( 1 )

Overall #!/usr/local/bin/python import ctypes import mmap import sys import os print("This process has the PID", os.getpid()) flag = "redacted"

Level 1.0 image It gives me full information; however, I will debug it to be legit=)). image image offset: 152 address of win: 0x401fca

1.0 image The challenge give me distinct options. As you see, the program call malloc(607) to read and save flag. So, I exploit a use-after-free vulnerability to get the flag. image After free allocations[0], this move to tcache(LIFO lists).

Arch x86-64 If you only jump to ret2win function, it will happen Segmentation fault syjoon@broder$ echo -en "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV\x07@\x00\x00\x00\x00\x00" | ./ret2win ret2win by ROP Emporium x86_64 For my first trick, I will attempt to fit 56 bytes of user input into 32 bytes of stack buffer! What could possibly go wrong? You there, may I have your input please? And don't worry about null bytes, we're using read()!

./embryoio_level1. 2. Level 2: -It is clear that password over stdin is wetfgxbn. image 3. Level 3: image -Look at the instruction, that require argv[1] is ytiykrycyk. ./embryoio_level3 ytiykrycyk .

In this level you will work with registers! Please set the following: rdi = 0x1337 section .text global _start start: mov rdi, 0x1337 2. Set multiple registers: In this level you will work with multiple registers. Please set the following: rax = 0x1337

-You can use command cd / to see file flag. -So, it is simple that you only chmod(/flag). .global _start _start: .intel_syntax noprefix lea rdi, [rip + flag] mov rsi, 4 mov rax, 0x5a syscall