tl;dr

• overflow the char candle counter stored in the wax structure and trigger uaf.
• Use the uaf to trigger double free and get shell.

tl;dr

• Leak with Format String bug.
• Use the arbitrary heap pointer write to overwrite __GI__IO_file_jumps.
• Inject shellode in heap and get code execution in dfprintf.

tl;dr

• Out-of bounds index write allows byte-by-byte overwrite of return address

tl;dr

• Carefully arranging structs on stack so as to overwrite saved rip , without corrupting the stack canary.
• Leak libc with puts and execute a ret2libc to get shell

tl;dr

• Overwrite mmap_threshold with null and trim top chunk size.
• Null out last 2 bytes of stdin’s _IO_buf_base and brute force to get allocation on stdin.
• Overwrite one of the jump tables with win function to get shell.

tl;dr

• Execute shellcode on parent and write to child’s memory using /proc/<pid of child>/mem
• Overwrite return address of child with execve shellcode and pop shell.

tl;dr

• Passing corrupted ciphertext to get the symmetric key leak
• Fastbin link corruption
• Exploiting double free and UAF in the heap

tl;dr

• Use format String to get into secret service.
• Get libc leaks by overwriting mapped bit of a free chunk.
• Overwrite the Thread Local Block , thus overwriting canary to get buffer overflow.

tl;dr

• Linux userspace exploitation by parsing ELF for symbol addresses with an arbitrary read

tl;dr

• Linux heap exploitation with arbitary free vulnerability