File Stream Oriented Programming (FSOP) on Musl Libc
A couple of months ago, I participated in a local CTF in which there was a very interesting pwn challenge authored by msfir, named www-0. The main twist of the challenge was that it ran on an Alpine Linux container, unlike other challenges, which usually run on an Ubuntu or Debian container. Since Alpine uses musl instead of glibc as its standard C library, the binary is linked against musl libc rather than the usual glibc. While mostly identical in function, musl differs from glibc in implementation, so some exploits that work on glibc might not automatically work on musl libc. In this writeup, we’ll be exploring how musl libc is implemented, specifically how it handles files and its exit procedures. ...