Exploitation on Arzedlab 🪵

Linux Kernel Exploitation Part 1: ret2usr

Thu, 05 Jun 2025 00:00:00 +0000

Kernel Exploitation ret2usr Part 1

compress.sh - To extract compressed image from linux

#!/bin/sh
gcc -o exploit -static $1
mv ./exploit ./initramfs
cd initramfs
find . -print0 \
| cpio --null -ov --format=newc \
| gzip -9 > initramfs.cpio.gz
mv ./initramfs.cpio.gz ../

run.sh - Run qemu configuration

#!/bin/sh
qemu-system-x86_64 \
 -s \
 -m 128M \
 -cpu kvm64,+smep,+smap \
 -kernel vmlinuz \
 -initrd initramfs.cpio.gz \
 -hdb flag.txt \
 -snapshot \
 -nographic \
 -monitor /dev/null \
 -no-reboot \
 -append "console=ttyS0 quiet panic=1 nosmep nosmap nopti nokaslr"

As you can see all security mitigations are turned off. -s flag set for debugging the linux kernel.

Linux Kernel Exploitation Part 2: Adding Mitigitions

Thu, 05 Jun 2025 00:00:00 +0000

Kernel 2: Adding Mitigitions

Adding SMEP

SMEP, abbreviated for Supervisor mode execution protection (SMEP), is a feature that marks all the userland pages in the page table as non-executable when the process is exectuting in kernel-mode. In the kernel, this is enabled by setting the 20th bit of Control Register CR4.

Check it’s in gdb

Run the qemu with -s and on qemu boot, it can be enabled by adding +smep to -cpu, and disabled by adding nosmep to -append.

Linux Heap Exploitation internals

Tue, 14 Jan 2025 00:00:00 +0000

LIFO AND FIFO

LIFO (Last-In, First-Out) and FIFO (First-In, First-Out) are two fundamental methods for managing data structures, each with distinct characteristics and applications.

LIFO (Last-In, First-Out):

Structure: Commonly implemented using a stack, where the most recently added item is the first to be removed.
Analogy: Think of a stack of plates; you add and remove plates from the top.
Applications:
- Memory Management: Utilized in function call management and recursive processes, where the last called function is the first to return.
- Undo Functionality: In applications like text editors, the last action performed is the first to be undone.
- Browser History: The most recently visited page is the first to be revisited when navigating backward.

FIFO (First-In, First-Out):

Linux Heap Exploitation: Unsafe Unlink

Tue, 14 Jan 2025 00:00:00 +0000

Unsafe Unlink

Introduction

The “Unsafe Unlink” technique is a heap exploitation attack that was once quite common. It involves manipulating the unlink macro in malloc.c to remove a chunk from a bin. This attack exploits the pointer manipulation done in the unlink macro, which can lead to arbitrary code execution or other malicious activities.

When we free allocated unsorted bin, it will be freed from a doubly linked list.

A doubly linked list is a type of data structure that consists of a sequence of elements, where each element (or node) contains three parts:

write4 | ROPEmporium [4]

Tue, 12 Nov 2024 15:45:36 +0500

Functions themselves are in an external library we should call it from there. Imported files proves the command rabin2 -i <binary>

callme | ROPEmporium [3]

Tue, 12 Nov 2024 15:19:36 +0500

Ok we have three functions, and we should call them with arguments, which are given, there are 0xdeadbeef, 0xcafebabe, 0xd00df00d . Functions itself are in external library we should call them one by one. Buffer overflow offset is the same, and checksec

split | ROPEmporium [2]

Tue, 12 Nov 2024 14:20:25 +0500

In this challenge, we should run system() function with argument /bin/cat flag.txt

ret2win | ROPEmporium [1]

Mon, 11 Nov 2024 11:41:24 +0500

One common introductory ROP challenge is known as ret2win. The goal is to call a specific function in the program called ret2win, which prints a success message and reveal a flag.txt