tl;dr

• The VM takes a custom binary as input
• Binary contains function table, code and bss sections
• Code can overlap with bss and be modified at runtime
• The JIT compiler assumes that a function is safe since it ran many times
• Functions modified right before JIT bypass security checks

tl;dr

• The patch adds a vulnerable virtio device
• The device accesses pointers without bound check
• Abuse OOB pointer access to setup arb r/w primitive
• Craft open,read,write ropchain on heap
• Overwrite virtqueue handler with stack pivoting gadget

tl;dr

• native.c:
  • Reverse engineering matrix operations performed.
• tallocator.c:
  • Exploiting an arbitrary free to corrupt heap metadata.
  • Reverse shellcode to execute an ORW.

tl;dr

• Sanitizing request causes null byte overflow which corrupts type
• Processing corrupted request doesn’t remove it from incoming_queue
• Reaping corrupted request still leaves it in incoming_queue causing UAF
• Setup crosscache to abuse UAF
• UAF provides free primitive through double reset

tl;dr

• Adding the last character to a tab causes null byte overflow
• Use said overflow to unset prev_inuse bit
• Coalesce upwards with fake chunk to perform unlink attack
• Unlink attack places .bss pointer in place of heap pointer
• Editing .bss allows for Arbitrary R/W

tl;dr

• LOAD and S_TYPE opcodes lead to OOB when addr > DRAM_BASE+DRAM_SIZE
• Get libc and stack pointers and offset to obtain RIP offset and base
• Write ropchain on stack using libc gadgets
• Perform ORW on flag file

tl;dr

• Giving custom array size of NaN, passes checks while allowing OOB r/w
• Use OOB r/w to get libc, stack (environ) addresses
• Craft fake chunk on array and overwrite fastbin fd
• Reset machine to allocate register context on fake chunk
• Overwrite VM sp with real stack
• Push ropchain onto stack and halt VM to execute ropchain

tl;dr

• Double fetch race Condition in store_note function.
• overwrite size during race window to get buffer overflow.
• Do SROP for execve(“/bin/sh\x00”)

tl;dr

• Giving size > 48 causes heap OOB r/w of 16 bytes
• Use OOB r/w get leaks and overwrite objects for rip control

tl;dr

• Simple typer bug, range of BitAnd opcode is assumed to be [1, operand] when in reality it is [0, operand].
• Use range assumptions to create unchecked integer underflow.
• Bypass array bounds checks and obtain OOB write, overwrite size of array to get overlap.
• Use double & object array overlap to create addrOf & fakeObj primitives.
• Create overlapping fake array using StructureID leak to obtain arbitrary R/W.