REinject's Blog

No matter how good our kung fu is, it can't beat guns


Deep Dive into Copy Fail: Root Cause, Exploitation, and Detection of a Linux Page Cache Vulnerability

CVE-2026-31431 deep dive: from an optimization commit in the AF_ALG crypto subsystem to a 9-year arbitrary file page cache overwrite vulnerability. Covers root cause analysis, kernel-level dynamic verification, 7 host privilege escalation paths, cross-tenant container attacks, and a generic detection scheme based on O_DIRECT + fanotify.

unsortedbin attack

This article summarizes exploitation techniques related to the unsortedbin, including leaking libc addresses and UAF arbitrary address write examples.

Overwriting _IO_2_1_stdout to Leak libc Address

PWN challenges almost always require the libc base address. Typically, you can obtain it by reading a libc API address filled in the program’s GOT table and calculating the base via relative offset. However, sometimes you can’t directly read the GOT. In such cases, if you have an arbitrary write primitive, you can leak the libc address by overwriting _IO_2_1_stdout.

The operation is fairly straightforward: set the flags field at the beginning of the _IO_2_1_stdout structure to 0x00000000fbad1800, lower the low byte of _IO_write_base to a smaller value, then wait for the program to call puts or printf; the libc address will be written out to stdout along with the buffered data.


ret2csu

What is ret2csu? Nothing too fancy: learning ret2csu is about understanding the underlying concept, not memorizing every detail.
