This time I want to share a challenge from last weekend's QWB game, which only allows Chinese teams to participate. I did not have time to look at this particular challenge during the game, but when I solved it afterwards, I thought it was worth sharing. You can download the binary here.

Virtual Box Exploitation #2
**Of Course We Can Escape**
It has been over a month since the previous post. I finally used the two free days last week to reproduce the full exploitation process of a VM escape vulnerability. At the end of April, @TheFloW, the other player who solved the challenge at 35C3, also published a writeup, chromacity: Escaping the VM with newlines. Together with the earlier writeup by Tea Delivers on Zhihu (知乎), that makes two writeups from players who finished the challenge within the competition window. Everyone published their writeups only months after the contest ended, which on the one hand shows that this was a real 0day whose impact had to be kept as low as possible, and on the other hand roughly reflects how much there is to learn from this vulnerability.

Heap Master Review
Lately, trivial matters springing up like bamboo shoots after rain have gradually become an excuse to avoid writing blog posts, or rather, even after racking my brains I can't come up with more than a few lines worth writing.
Of the few works I watched last month, I can't remember much beyond Tony Stark's "Love you 3000"; in the face of nostalgia, every other plot point became a minor detail.
From now on I'll try to write the writeups on my personal blog in English. After reading so much Japanese and Korean material, putting myself in other readers' shoes, I feel that internationalization is necessary after all.
This is a challenge from *CTF 2019 last weekend, a great CTF from the sixstar team. For this particular challenge, you can find at least 3 available writeups (not counting this one): the official writeup here, one from shift-crops, and one from the Balsn Team.
I analyzed all three writeups and personally appreciated the one from the Japanese player shift-crops the most. So the following paragraphs will focus on his method and try to clarify some of the glibc heap attack concepts he used.
The official writeup and shift-crops' writeup both give a great explanation of the reversing process, so I'll skip that part here. The exploit relies heavily on the unsorted bin attack, and here is a brief description of this technique.

VirtualBox Exploitation #1

[TCTF 2019] Babyheap
In the wild world of binaries
there are the most baffling vulnerabilities and the most treacherous defenses
IDA and gdb are our loyal companions
logic and determination are our weapons
passion is the guide
Hi, this is my first time writing a write-up in English. I attended TCTF 2019 last weekend and was lucky enough to solve this lovely babyheap challenge 30 minutes before the game finished. I really enjoyed this challenge and want to share it with more pwn players.

A Guide to Wrecking Intimate Relationships -- Ralph Breaks the Internet (《无敌破坏王2》)
Looking back through my old blog, I found that six years ago, when I watched the first film, I already thought the Chinese translation of its title was a real problem, and worried that such a good movie might be buried because the name sounded too childish. Still, given the usual style of Chinese translated titles, not being called "Electronic Toy Story" was already a stroke of luck. Getting a sequel shows the original was well received, and this one, even setting aside the endless stream of easter eggs, is still a good film worth watching for adult humans.