Posts

[PWN] LA CTF 2025 - gamedev heap challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan)

Hey guys, now we have a challenge from LA CTF 2025. It was easy, but hard for me because I made a mistake :(. Let's start.

Reverse (code review)

During the reversing process we can notice the following:
the binary uses a struct called "Level"
there is a heap overflow
nothing is ever free()d in the challenge
a custom list (next pointer) is used

Functions in the binary:
"init" creates a chunk to store the next addresses; this is the "start" variable
"explore" is used to move from level to level
"create" creates a new chunk of size 0x60
"test" reads from the chunk
"edit" modifies the chunk (vulnerable to overflow)
"reset" resets the "curr" pointer, which points to the currently used level (remember this)

What I got from using the binary: to point to a level you have to create a level ...

[Kernel] BlackhatMEA Quals 2024 - CPL0 challenge - Interrupt Descriptor Table (IDT) Hooking

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan)

Hey guys, let's try to solve a kernel exploitation challenge: CPL0 from BlackhatMEA Quals 2024. Thanks to Saif ( @wr3nchsr ) and Sameh ( @s4muii ) for helping me understand this challenge. It had a new idea for me, so I learned a lot; let's talk about it.

We will do the following:
do recon on the challenge files
get root on the local version for debugging (by modifying the file system)
use bash scripts to decompress and compress the file system to pass it to qemu
list what we have and what we will do in the challenge
exploit

Recon

We have:
bzImage: the kernel
rootfs.cpio: the file system
run.sh: a bash script that runs qemu
qemu-system-x86_64: a modified qemu binary
qemu.diff: the diff applied to the modified qemu binary

If we check the diff file we can note that the check_cpl0 function is modified to always return "true", so we have access to CPL0. But what is CPL0??? Current Privile...

[PWN] NullConCTF 2025 - hateful2-challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan)

Hey, it's a heap challenge from Nullcon CTF 2025 ;-). Thanks to Saif ( @wr3nchsr ).

What will we try to do?
reverse the binary
list what we found
exploit:
leak the libc address using the unsorted bin
leak a heap address and handle safe-linking (mangling/demangling)
overwrite the next pointer of the free list
control RIP with a ROP chain

Let's start ;-).

Reverse the binary

After reversing the binary (the following screenshots are samples), we have 5 options to interact with it:
what do we do? (about_us)
add message (malloc)
edit message
view message
remove message (free)
leave (exit)

List what we found
we can control the allocation size without limit
there is a leak in the (about_us) function of a variable on the stack (a stack address)
there is a use-after-free (read and edit) after free()ing a chunk
the libc version is 2.36, so the free-list next pointers are protected by safe-linking

Exploit

First we will ...
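The "mangling/demangling" step above is glibc's safe-linking (PROTECT_PTR/REVEAL_PTR in malloc.c, present since 2.32, so it applies to the 2.36 libc here): every tcache/fastbin next pointer is stored as (address_of_the_pointer >> 12) XOR pointer. The following is an added example, not code from the write-up or its exploit script: it reimplements the two macros on plain integers, shows the three things the plan needs from them (a heap leak from a freed chunk whose next is NULL, recovering a mangled pointer without knowing where it was stored, and forging the value that redirects the next allocation), and models the allocator pop in a small function. All addresses are constructed values chosen to look like a PIE heap and a libc mapping; the function names are my own.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* glibc (>= 2.32) PROTECT_PTR / REVEAL_PTR from malloc.c, on plain integers.
 * pos is the address where the next pointer is stored (the freed chunk's user
 * data); ptr is the pointer being stored. Both directions are the same XOR. */
static uint64_t protect_ptr(uint64_t pos, uint64_t ptr)
{
    return (pos >> 12) ^ ptr;
}

static uint64_t reveal_ptr(uint64_t pos, uint64_t mangled)
{
    return (pos >> 12) ^ mangled;
}

/* Heap leak: a freed chunk that is alone in its tcache bin stores
 * protect_ptr(pos, NULL) == pos >> 12, so a UAF read of it gives the page the
 * chunk lives on (the heap address up to its low 12 bits). */
static uint64_t heap_page_from_null_next(uint64_t leaked)
{
    return leaked << 12;
}

/* Demangling without knowing pos. Valid only when pos and the stored pointer
 * lie on the same 4 KiB page (then pos >> 12 == ptr >> 12). It walks from the
 * top 12 bits down, because the top 12 bits of (ptr >> 12) are always zero. */
static uint64_t demangle_same_page(uint64_t mangled)
{
    uint64_t mask = 0xfffULL << 52;
    while (mask) {
        uint64_t known = mangled & mask;   /* these bits are already correct */
        mangled ^= known >> 12;            /* cancel their contribution below */
        mask >>= 12;
    }
    return mangled;
}

/* Forging: the value to write over the next pointer of the freed chunk at
 * chunk_pos so that the allocator hands out target on the second malloc of
 * that size. target must stay 16-byte aligned; tcache_get() checks that. */
static uint64_t forge_next(uint64_t chunk_pos, uint64_t target)
{
    return protect_ptr(chunk_pos, target);
}

/* Constructed model of the allocator side (not glibc itself): the tcache bin
 * head is chunk_pos, its next is overwritten through the UAF edit, and the
 * allocator reveals that value when it pops the second entry. Returns what the
 * second malloc of that size hands back. */
static uint64_t simulate_tcache_poison(uint64_t chunk_pos, uint64_t target)
{
    uint64_t stored_next = forge_next(chunk_pos, target);  /* UAF edit */
    uint64_t first  = chunk_pos;                           /* malloc #1 */
    uint64_t second = reveal_ptr(first, stored_next);      /* malloc #2 */
    return second;
}

int main(void)
{
    /* Constructed addresses: two chunks on the same heap page and a libc target. */
    uint64_t chunk_a = 0x55d0c3e012a0ULL;  /* freed first, next = NULL        */
    uint64_t chunk_b = 0x55d0c3e01310ULL;  /* freed second, next -> chunk_a   */
    uint64_t target  = 0x7f3a1c2e5f40ULL;  /* 16-byte aligned libc slot        */

    uint64_t leak = protect_ptr(chunk_a, 0);   /* what the UAF read shows */
    printf("leaked value : 0x%" PRIx64 "\n", leak);
    printf("heap page    : 0x%" PRIx64 "\n", heap_page_from_null_next(leak));

    uint64_t m = protect_ptr(chunk_b, chunk_a);
    printf("mangled next : 0x%" PRIx64 " -> 0x%" PRIx64 " (same-page demangle)\n",
           m, demangle_same_page(m));

    printf("forged next  : 0x%" PRIx64 "\n", forge_next(chunk_b, target));
    printf("2nd malloc   : 0x%" PRIx64 "\n", simulate_tcache_poison(chunk_b, target));
    return 0;
}
```

In practice the same-page demangle is only a convenience for reading leaked lists; once the heap page is known from a NULL-next chunk, every mangled value is computed exactly with the real chunk address, which is what the forged next pointer needs.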

[PWN-heap] SunshineCTF 2024 - "secure_flag_terminal" Challenge

(In the name of Allah, the Most Gracious, the Most Merciful) (If I have done well, it is from Allah; if I have erred, it is from myself and Satan)

Let's try to exploit a heap challenge.

Reverse

We have the following options, and we have a leak of the "rand" function from libc. The flag is already open and its file descriptor number is stored in the heap. There is a bug in the write option (option 2): an overflow, which we can use to modify the chunk metadata (note that we are dealing with libc version 2.27).

So we have a libc leak and a heap overflow vulnerability (and only 4 chunks can be allocated at a time). What we will try to do is corrupt the chunk metadata with the overflow to: read the dup_fd -> read a stack address from libc -> overwrite RIP.

Exploit

First, I did a setup in my script to communicate with the binary in a simple way. We have standard ways to leak an address from the heap, or to allocate at an exact address and read from it using the overflow, so we will start by leaking the heap address. In the next block, we w...